Author's note: This article is based on significant speculation on my part. I am writing this reluctantly, as I had expected others more directly involved in the industry to have raised the issues I'm about to, given their gravity.
This is an invitation for both Symantec and EMC to clarify whether or not any of the code contained in public leaks of Symantec source code has been remediated in order to protect current customers, since I see it as a liability for EMC's RSA division unless there's a valid explanation for what I've discovered and I'm wrong about the potential impact.
I sure hope so.
There are, to my mind, some serious concerns that the Symantec leak could pose a risk to RSA's "SecurID" product, but only EMC can set people's minds at ease. That is the purpose of this article.
I've been involved in the Symantec story since it first appeared here on Infosec Island after "Yamatough" contacted our publication with reputed source code for numerous Symantec products.
In my capacity as a coder and antimalware researcher, I was asked to independently download and examine the contents of Symantec code which was publicly available, including snippets of code released in early January, as well as the Norton Utilities source code released on January 13.
In both cases, after reviewing various portions of the source code in question, and given my awareness of major changes to the Windows operating system since 2006, it was my determination that the majority of the source code was rendered largely obsolete and inert as a result of both 64-bit versions of Windows and the changes required for Vista, and was therefore unlikely to have remained intact currently.
This past Tuesday, source code for PCAnywhere was released and, as before, I downloaded the torrent and examined some of its contents.
The PCAnywhere code was of a similar vintage; however, there was evidence here of code created for both 64-bit Windows and Vista, which meant that it's entirely possible that much of this code might still be in use in current versions of the PCAnywhere product.
Symantec also acted to patch PCAnywhere quickly after the announcement of the potential release of the source code, which suggests to me that there were indeed pieces of the 2006 source code still in use in their current product.
We can assume, therefore, that Symantec took reasonable steps to redesign these portions of code in their patch updates, which would likely render vulnerable portions of their own code safe to use, as they indicated in communications to their customers. I'll take them at their word that they have.
However, further examination of the source code for PCAnywhere turned up something that is disturbing to me at least and is the basis for the questions I'm raising in this article.
The source code which fell into the hands of "Yamatough" contains numerous header files and several libraries belonging to RSA, and indeed SecurID code is a part of the PCAnywhere product contained in the purloined source code.
What is particularly interesting about the files in the source is that Symantec clearly removed all of the code pertaining to the Windows version of RSA's sources and libraries, leaving numerous directories for Windows RSA code empty yet intact. But they left in Linux headers and libraries designed to be compiled against "RedHat 7" Linux, and therein lies what I see as a risk to EMC's RSA product.
I did not make the effort to examine the code fully, but I did examine a good number of header declarations across several files, and they appear to be sufficiently complete to compile malware against RSA's library code contained in Symantec's sources.
It should be noted that the files in question date back to May of 2003, but RSA's encryption dates back to 1999 and is likely still valid enough to abuse today. The document named "RSA SecurID Ready Implementation Guide.doc" is harmless and is intended to explain to Symantec users how to configure the SecurID components inside PCAnywhere.
It is those header files and, more significantly, the "libbsafe.a" library which are of concern here, since ".a" files are compiled but not linked, which makes them linkable to any code, including potential malware. And the headers would provide the information necessary to call into this library file for anyone who linked the headers and library to their code.
I did not attempt to discover what is actually inside the "libbsafe.a" library nor attempt to reverse engineer the library because there are legal issues in doing so that I did not want to step in. So perhaps Symantec and/or EMC can tell us what that library is actually about.
And given the RSA break-in last year to obtain valid "keys" to use to infiltrate so many government and corporate systems using SecurID, I can't help but wonder: if this code was stolen back in 2006 or thereabouts, could this possibly be the reason why the attackers had such widespread success?
Having the source code headers for the libbsafe library would certainly give them everything they'd need as long as they could gather enough keys to figure out the rest of the algorithm given the sources in my estimation.
And while the Windows libraries were absent along with the Windows header files, the Linux header files would still be useful for generating Windows malware, and in the ".a" format the compiled Linux libraries could easily be reverse-engineered in order to reconstruct valid Windows libraries to go along with the headers.
And it is this which would give me a serious case of the willies if I were using SecurID, along with my utter surprise that these sources could be "out there" in the hands of any untrusted third party, much less script kiddies, for so long without alarms going off immediately from Symantec. And I don't know if EMC was even aware of this.
I seriously believe that the security community deserves some answers, and some better disclosure about what exactly happened here.
My apologies in advance for ruining people's Friday.
About the author: Kevin McAleavey is the architect of the KNOS secure operating system ( http://www.knosproject.com ) in Albany, NY and has been in antimalware research and security product development since 1996.