Altiris IT Management Suite or Symantec-based Endpoint Management solutions may be affected - Microsoft Update (KB 2661254)

Article:TECH194869  |  Created: 2012-08-13  |  Updated: 2013-10-27  |  Article URL http://www.symantec.com/docs/TECH194869
Article Type
Technical Solution


Issue


Symantec Products and Potential Impact

This article provides guidance for the following products:

Product                          Version
IT Management Suite              6.x, 7.0+, 7.1+
Client Management Suite          6.x, 7.0+, 7.1+
Server Management Suite          6.x, 7.0+, 7.1+
Asset Management Suite           6.x, 7.0+, 7.1+
Deployment Solution              7.1+
Stand-Alone Altiris Solutions    6.x, 7.0+, 7.1+
Symantec ServiceDesk             7.0+, 7.1+

The following products are not affected by this Microsoft Update:

Product                            Version
Altiris Deployment Solution        6.x
Symantec Ghost Solution Suite      2.5
Symantec pcAnywhere                12.x and earlier
Symantec Workflow                  7.0+, 7.1+
Symantec Workspace Virtualization  6.1+
Symantec Workspace Streaming       6.1+
Wise Package Studio products       7.0 SP3, 8.0


****Please review the attached PDF of this document for access to the screen shots.****

 

Regarding Microsoft Update (KB 2661254): Altiris IT Management Suite or Symantec-based Endpoint Management solutions may be affected.

This Microsoft Update has far-reaching implications for software that is currently in production. Symantec has reviewed the impact of the update to provide proactive guidance for customers before the update impacts them.

Symantec will update this article in the event circumstances change or new information becomes available.

Solution

Information about the Microsoft® Update

Microsoft released a critical update (KB 2661254) on August 14, 2012, that ends support for certificates using the RSA algorithm with key lengths less than 1024 bits. Shorter keys have been deemed more vulnerable to brute force attacks due to continued advances in computer processing capabilities. After applying Microsoft’s update, all certificates with key lengths less than 1024 bits will be treated as invalid. Any application that calls into the operating system to validate digital certificates will receive an invalid certificate response where previously the certificate would have passed validation.
 
Microsoft will begin proactively pushing out this update via its WSUS and Windows Update products on October 9, 2012.
 
You can find more information about the update in the following links:
 
Description and Instruction for Updating Certificates
http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
 
Description and Instruction for Workarounds
http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx
 
Implications & Findings
The Microsoft Update has far‐reaching implications for software in general. Impact is largely dependent on how certificates are used and validated within the product or the infrastructure that the product interacts with. Any application that validates against certificates will be affected by the update and may fail to operate normally.
 
Symantec Product Impact
This update DOES NOT impact ITMS or other Symantec Endpoint Management solutions with respect to code signing and authenticode or internally issued and leveraged certificates. Signed code and internally issued/used certificates leverage 1024 bit key length certificates or higher.
 
This update MAY impact customer environments that have provided their own certificates for SSL infrastructure. This includes SSL console, agent, and site infrastructures, as well as SSL database connections. Symantec recommends reviewing the certificates that are used for ITMS and Altiris Solution infrastructures to ensure they are 1024-bit or higher. If they are less than 1024-bit, follow the instructions provided in the Microsoft KB to increase the key length of the certificate and re-apply it throughout the ITMS and Altiris Solution infrastructure as described in Symantec product documentation.
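The review recommended above can be scripted. The following is an added example and is not code from the Symantec article or the ITMS product: it lists RSA certificates in the LocalMachine certificate stores whose public key is shorter than the 1024-bit minimum the update enforces, and can also check a certificate file exported from an SSL console, agent, site or database host. The store names are the standard Windows containers and the threshold is the one stated by KB 2661254; nothing else is assumed.

```powershell
# Added example, not from the Symantec article. Run from an elevated PowerShell prompt
# on the Notification Server (and on any host whose SSL certificate you supplied yourself).

$MinimumRsaBits   = 1024                     # minimum enforced by KB 2661254
$RsaEncryptionOid = '1.2.840.113549.1.1.1'   # rsaEncryption; DSA/ECC keys are not affected

function Get-RsaKeyBits {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # Returns the RSA modulus size in bits, or $null for non-RSA certificates.
    if ($Certificate.PublicKey.Oid.Value -ne $RsaEncryptionOid) { return $null }
    return $Certificate.PublicKey.Key.KeySize
}

function Get-WeakRsaCertificate {
    param(
        [string[]] $StoreNames  = @('My', 'Root', 'CA', 'AuthRoot', 'TrustedPublisher'),
        [int]      $MinimumBits = $MinimumRsaBits
    )
    foreach ($store in $StoreNames) {
        $path = "Cert:\LocalMachine\$store"
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($cert in (Get-ChildItem -Path $path)) {
            $bits = Get-RsaKeyBits -Certificate $cert
            # Skip non-RSA keys and RSA keys that already meet the minimum.
            if ($bits -eq $null -or $bits -ge $MinimumBits) { continue }
            New-Object PSObject -Property @{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                KeyBits    = $bits
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

function Test-CertificateFileKeyLength {
    param(
        [string] $Path,                       # .cer, .crt or .pfx exported from the SSL host
        [int]    $MinimumBits = $MinimumRsaBits
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($Path)   # a password-protected .pfx needs Import($Path, $password, 'DefaultKeySet')
    $bits = Get-RsaKeyBits -Certificate $cert
    New-Object PSObject -Property @{
        Path    = $Path
        Subject = $cert.Subject
        KeyBits = $bits
        Weak    = ($bits -ne $null -and $bits -lt $MinimumBits)
    }
}

# Usage: list every certificate the update will start rejecting on this server.
$weak = @(Get-WeakRsaCertificate)
if ($weak.Count -eq 0) {
    Write-Host "No RSA certificates below $MinimumRsaBits bits in the LocalMachine stores."
} else {
    $weak | Format-Table Store, KeyBits, NotAfter, Subject -AutoSize
}
```

Any certificate the script reports, whether it belongs to the console, an agent site or the database connection, needs to be re-issued at 1024 bits or longer before the update is installed; a certificate file can be checked on its own with Test-CertificateFileKeyLength -Path before it is deployed.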
 
This update WILL impact ITMS and other Symantec Endpoint Management solution license refresh and license removal processes. License refresh is a recurring schedule that calculates usage against the license issued for Symantec/Altiris products. Generally this is not a high risk as the product will continue to function given the previous licensing data. However, licenses will not recalculate after applying the patch. This may impact cases where licenses have been exceeded or need to be reclaimed. Additionally, the license removal tool will not show Altiris licenses when the patch is applied.
 
Because of this issue, customers have the following options:
 
1. Do not install the Microsoft Update.
2. Temporarily work around the checks from the patch by following Microsoft’s instructions as described in the links above or as found in the section “Workaround Instructions” below.
3. Uninstall the Microsoft Update from Add/Remove Programs. A system reboot is required after removing the patch. It is not sufficient to just restart AeXSvc after uninstalling the patch.
4. Install the Microsoft Update and obtain new license files for your Altiris products generated with 1024-bit encryption.
 
Diagnosing Affected Environments for Issues with Licensing
It is easy to determine whether a Notification Server has been affected. The license removal tool displays an error when launched (see the screenshot in the attached PDF).

Or, the Altiris logs will show errors such as the following whenever the license refresh schedule runs:

Exception occurred while verifying a certificate in certificate store. Skipping...

 ( Exception Details: Altiris.NS.Licensing.InvalidCertificateException: Certificate chain is invalid.
   at Altiris.NS.Licensing.LicenseUtil.Verify(X509Certificate2 certificate)
   at Altiris.NS.Licensing.LicenseUtil.GetInstalledLicenseInstances() )
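To confirm the failure across a server's logs without opening each file, the following added example (not from the Symantec article) searches a log directory for the exception text quoted above and reports the most recent hit per file. The article does not state where the Notification Server writes its logs, so the directory is a placeholder parameter to be replaced with your own path.

```powershell
# Added example, not from the Symantec article. Detects the license-refresh certificate
# failure in Altiris log files by matching the two strings quoted in the article.

function Find-LicenseCertificateFailure {
    param(
        [string] $LogDirectory = 'C:\PATH\TO\ALTIRIS\LOGS',   # placeholder, not from the article
        [string] $Filter       = '*.log'
    )
    # Both strings appear in the log excerpt quoted in the article.
    $pattern = 'Altiris\.NS\.Licensing\.InvalidCertificateException|' +
               'Exception occurred while verifying a certificate in certificate store'
    Get-ChildItem -Path $LogDirectory -Filter $Filter -Recurse -ErrorAction Stop |
        ForEach-Object {
            $hits = @(Select-String -Path $_.FullName -Pattern $pattern)
            if ($hits.Count -gt 0) {
                $last = $hits[$hits.Count - 1]      # most recent occurrence in this file
                New-Object PSObject -Property @{
                    File     = $_.FullName
                    Matches  = $hits.Count
                    LastLine = $last.LineNumber
                    LastText = $last.Line.Trim()
                }
            }
        }
}

# Usage: any result means the license refresh schedule is failing certificate validation.
Find-LicenseCertificateFailure | Format-List
```

A hit count that keeps rising with each scheduled refresh is the signature of this issue rather than a one-off event; re-run the search after applying one of the options above to confirm the exception has stopped.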

 
 
Workaround Instructions
On affected Notification Servers with Windows 2008, complete the following steps:
 
1. Open a command prompt with local administrator privileges.
2. Run the following command from C:\Windows\System32:
Certutil -setreg chain\minRSAPubKeyBitLength 512
3. If successful, you should see the following message:
New Value:
minRSAPubKeyBitLength REG_DWORD = 200 (512)
CertUtil: -setreg command completed successfully
The CertSvc service may need to be restarted for changes to take effect.
 
You can disregard the message "The CertSvc service may need to be restarted for changes to take effect" as it does not apply to this change.
4. Restart the AeXSvc service.
 
On affected Notification Servers with Windows 2003, complete the following steps:
 
1. Back up the registry before making any changes.
2. Open regedit with local administrator privileges.
3. Navigate to (or create) the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
 
Add the following values. After the values are added, the key should contain the values shown below (see the attached PDF for a screenshot of the change).
 
Name                      Type       Decimal data
EnableWeakSignatureFlags  REG_DWORD  2
minRSAPubKeyBitLength     REG_DWORD  512
 
4. Restart the AeXSvc service.
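Because the workaround relaxes certificate validation for the whole server, it should be tracked and removed once new 1024-bit license files are installed. The following added example (not from the Symantec article) reports whether the override values are present and can remove them. The registry path and value names are the ones the Windows 2003 steps above give (the Windows 2008 certutil command writes to the same key); the removal function and its AeXSvc restart are this example's own reversal of the article's steps.

```powershell
# Added example, not from the Symantec article. Audits and reverts the KB 2661254
# minRSAPubKeyBitLength override described in the workaround. Run from an elevated prompt.

$ChainConfigKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$OverrideValues = @('minRSAPubKeyBitLength', 'EnableWeakSignatureFlags')

function Get-WeakKeyOverride {
    # Returns one object per override value with its current data ($null when absent).
    foreach ($name in $OverrideValues) {
        $data = $null
        if (Test-Path -LiteralPath $ChainConfigKey) {
            $item = Get-ItemProperty -LiteralPath $ChainConfigKey -Name $name -ErrorAction SilentlyContinue
            if ($item -ne $null) { $data = $item.$name }
        }
        New-Object PSObject -Property @{
            Name    = $name
            Present = ($data -ne $null)
            Data    = $data
            # A minRSAPubKeyBitLength below 1024 means the update's enforcement is relaxed on this host.
            Relaxed = ($name -eq 'minRSAPubKeyBitLength' -and $data -ne $null -and $data -lt 1024)
        }
    }
}

function Remove-WeakKeyOverride {
    # Deletes the override values so the 1024-bit minimum applies again, then restarts
    # the Altiris service, as the article requires after the registry change.
    foreach ($entry in (Get-WeakKeyOverride | Where-Object { $_.Present })) {
        Remove-ItemProperty -LiteralPath $ChainConfigKey -Name $entry.Name
    }
    Restart-Service -Name AeXSvc
}

# Usage: audit first; call Remove-WeakKeyOverride only after new license files are in place.
Get-WeakKeyOverride | Format-Table Name, Present, Data, Relaxed -AutoSize
```

Running the audit from a scheduled job or your configuration baseline gives a simple way to find Notification Servers where the temporary override was never cleaned up after the licenses were regenerated.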
 
Obtaining New License Files
You can obtain new license files for your Altiris products generated with 1024-bit encryption by using the Combine License Workshop (CLW) tool that is available through the Symantec Licensing Portal. You can access the Symantec Licensing Portal at https://my.symantec.com
1. Select your language.
2. Check the “Don’t show me this page again” box.
3. Click on the orange “GO TO MYSYMANTEC” button.
4. Enter the User ID and Password for your SymAccount and click the orange “SIGN IN” button.
5. Click on the orange “COMBINE LICENSES (English Only)” button.
6. To generate new license files, use “Option 2: Download Selected Licenses (Singular or Combined)” and follow these steps:
7. Select the companies for which you want to display available license files.
8. Select the product for which you want to generate a new license file (Note: You can only select a single product at a time).
9. Select the license file(s) for which you want to generate a new license file.
10. Click on the double arrows >> to move the license file(s) to the “New license files (to be generated)” area.
11. Click on the orange “Download Now” button to generate and download a new 1024-bit license file.
 
See attachment for screenshots.
 
If you select a single license file, the process will generate a new 1024-bit license file with the same information that was in the previous license file. If you select multiple license files, the process will generate a new 1024-bit license file that combines nodes from each of the individual license files selected and has a maintenance expiration date equal to the nearest maintenance expiration date. 
 
For example, if you combine one license file for 150 nodes with a maintenance expiration date of January 1, 2013, with another license file for 250 nodes with a maintenance expiration date of January 1, 2014, the new license file will have a maintenance expiration date of January 1, 2014. At the end of the combined license term, you can use the 250 nodes for an additional year by installing the individual license key containing the remaining maintenance.
 
If you own a product suite that contains licenses for several products, you will need to repeat the process for each affected product. Please note that it is not possible to generate new license files for multiple products at once.
 
In addition, please note that the Combine License Workshop tool only displays existing license files with a maintenance that has not yet expired. If the maintenance on your product has expired and you do not have a license file for your product with a future maintenance expiration date, you will need to contact Symantec Customer Care to have a new license file manually generated for you. Information on how to contact Symantec Customer Care can be found on Symantec’s web site.

Attachments

Screenshots
Product Alert Regarding Microsoft Update.pdf (649 kBytes)

