
Concern Over KB2661254

Created: 28 Aug 2012 | 7 comments

Got an e-mail from ITS Partners regarding a widespread issue with KB2661254. Am I reading this correctly in that it'll affect ALL Altiris 6.x and 7.x customers in some way, and the recommendation is to NOT install the update on the Altiris servers?

I had my servers set to automatically install updates but have since set them to notify only.  According to the second link, below, this patch is already available for download but will be pushed out via Microsoft Update in October.  When it does show up, can I simply disable and hide it in Windows Update and re-enable Automatic Updates?  I'm hoping hidden updates won't somehow get reactivated for install when Windows is set to automatically install updates.

Also, does anyone know if Symantec is planning to patch their solutions so KB2661254 can be safely installed on my Altiris servers in the future?  I'm in the process of migrating over to my SMP 7.1 SP2 server so my Altiris 6 server is still handling production duties.  Surprised that I couldn't find any talk on this issue in the forums when it appears KB2661254 could inconvenience everyone.

http://www.symantec.com/business/support/index?page=content&id=TECH194869

http://technet.microsoft.com/en-us/security/advisory/2661254

http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx


mclemson wrote:

Intuitive received this from Symantec as well.  KB2661254 ends support for certificates using the RSA algorithm where the key length is less than 1024 bits.  If you are using less than 1024 bits you should fix it anyway since this represents a low-security configuration.  Key lengths of 1024 or 2048 remain supported.

If you use SSL, check your SSL certificates to ensure the RSA key length is 1024 or higher.

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com

BretB wrote:

As Mike pointed out, all this patch does is invalidate any SSL certificates that use an RSA key of less than 1024 bits.

This patch can affect Altiris users in two ways:

1. Anyone using their own PKI system to secure communication between the NS server and clients with keys of less than 1024 bits will need to update and distribute the certificates they are using.

2. Altiris licenses are certificate files, most of them 512-bit, so some actions taken on these certificates will fail to validate if this patch is installed. The product will continue to run, but license refresh will fail to calculate once this patch is applied, so customers that are close to their license limits may experience loss of functionality.

To answer your question, "does anyone know if Symantec is planning to patch their solutions so KB2661254 can be safely installed on my Altiris servers in the future?":

Yes. Symantec is working on a remediation plan now to mitigate the effects of KB2661254 on the Altiris servers.

Clint wrote:

I haven't applied KB 2661254 yet although I recently (10/1/12) had to combine licenses due to a maintenance renewal and purchase of additional licenses.  If I'm reading TECH194869 correctly and considering I've already applied this new combined license to both my Altiris 6 and SMP 7.1 servers (yah...I'm in the process of migrating over) and don't use our own PKI system to secure client/server communications, does this mean I should be OK with installing KB2661254?

Clint

Michael Grueber wrote:

License files created after August 23 should have been generated with 1024-bit encryption.

The Combine License Workshop tool previously only allowed customers to generate new license files if they had multiple license files for a particular product.

The Combine License Workshop tool was changed on the evening of October 8 to now allow customers to generate a new license file with 1024-bit encryption even if they only have a single license file for a particular product.

Clint wrote:

I combined all of my current licenses on 10/1/12 so sounds like I'm good to go according to what you're saying.  Just to be absolutely sure the tool encrypted the files correctly, is there a way to tell the encryption level from just the license files themselves?

Clint

Michael Grueber wrote:

I was told that one way that you may be able to do this is by using the Microsoft Certificate Management snap-in.  The instructions that I was given were:

1) Import the certificate

2) Right-Click the certificate to see the properties and choose "View Certificate".  

3) In the details, there is a value that shows the key length. 


I have not personally verified this information.
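The snap-in procedure above and Mike's earlier advice to check SSL certificate key lengths can both be done from the command line. The following is an added example written for this page; it is not code from the thread, from Symantec or from Altiris. It assumes the files are X.509 certificates in DER or Base64 form (.cer/.crt/.pem) that the .NET X509Certificate2 class can load; whether an Altiris license file loads this way is not confirmed anywhere in the thread, so try it on a copy first. The KB2661254 threshold (1024 bits for RSA) and the hotfix ID come from the Microsoft advisory linked in the original post.

```powershell
# Added example, not from the thread or from Symantec: report the public-key
# algorithm and key length of certificate files so anything below the 1024-bit
# floor enforced by KB2661254 stands out, and say whether the update is present.
# Assumptions: files are X.509 certificates in DER or Base64 form that
# X509Certificate2 can load. Whether an Altiris license file loads this way is
# NOT confirmed by the thread. Written for Windows PowerShell 2.0+ on .NET
# Framework (the 2008/2003-era servers discussed here).
param(
    [string]$Path = '.',        # folder holding the certificate files
    [int]$MinBits = 1024        # floor that KB2661254 enforces for RSA keys
)

function Get-CertKeyInfo {
    param([string]$File)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($File)
    $alg  = $cert.PublicKey.Oid.FriendlyName    # 'RSA' for RSA keys
    $bits = $cert.PublicKey.Key.KeySize         # modulus length in bits
    New-Object PSObject -Property @{
        File      = Split-Path $File -Leaf
        Subject   = $cert.Subject
        Algorithm = $alg
        KeyBits   = $bits
        NotAfter  = $cert.NotAfter
        # Only RSA keys are affected by the update; other algorithms are listed but not flagged
        Weak      = ($alg -eq 'RSA' -and $bits -lt $MinBits)
    }
}

# Is the update already on this box? Get-HotFix writes an error when the ID is
# absent, so the error is silenced and the result tested for $null instead.
$hotfix = Get-HotFix -Id KB2661254 -ErrorAction SilentlyContinue
if ($hotfix) { Write-Host "KB2661254 is installed (on $($hotfix.InstalledOn))" }
else         { Write-Host "KB2661254 is not installed" }

$results = @()
foreach ($f in Get-ChildItem -Path $Path -Include *.cer,*.crt,*.pem -Recurse) {
    try   { $results += Get-CertKeyInfo -File $f.FullName }
    catch { Write-Warning "$($f.Name): not loadable as an X.509 certificate ($($_.Exception.Message))" }
}

$results | Sort-Object KeyBits | Format-Table File, Algorithm, KeyBits, Weak, NotAfter -AutoSize

$weak = @($results | Where-Object { $_.Weak })
if ($weak.Count -gt 0) {
    Write-Warning "$($weak.Count) RSA certificate(s) below $MinBits bits will stop validating once KB2661254 is applied."
}
```

Run it as `.\Check-CertKeyLength.ps1 -Path C:\certs` (script name is arbitrary). The key length it prints is the same value the certificate snap-in shows under "Public key" in the Details tab, so either method can be used to confirm that a regenerated license or a replacement SSL certificate carries a 1024-bit or longer RSA key before the update goes on.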

BretB wrote:

For anyone else that may land here looking for this information, I am adding the link to the KB article that explains the process for getting new licenses with 1024-bit encryption.

Updated information on the process to obtain new licenses is located in this KB article.

http://www.symantec.com/business/support/index?page=content&id=TECH194869&actp=search&viewlocale=en_US&searchid=1350676823149