
Critical Exploit in Deployment Solution - How to Patch 

May 21, 2008 05:31 PM

Multiple exploits, or vulnerabilities, have recently been discovered in Altiris' Deployment Solution software by Brett Moore of Insomnia Security and Alex Hernandez of Syb Security. The vulnerability is considered an elevation of privileges vulnerability and is classified as moderate severity to highly critical.

This specific vulnerability consists of a couple of different exploits and only applies to Altiris Deployment Solution versions 6.5.248, 6.5.299, 6.8.378, and any other versions preceding the fix, version 6.9.176. In this article I'm going to briefly explain each exploit, and then go over how to patch your Altiris Deployment Solution software so that you are not susceptible to this vulnerability.

One of the exploits is caused by an error in the Printer dialog box options of Deployment Solution. If someone is able to access the agent's GUI (graphical user interface) and enter a specific path, they can gain access to the agent's system32 folder along with access to the Windows shell, cmd.exe, with elevated privileges.

The main exploit, which is the reason for the high severity, is an SQL injection vulnerability. If taken advantage of properly, this vulnerability would allow anybody with access to the network to run any code on the system running the Deployment Solution software, under the context of the SQL server. Brett Moore explains:

"Altiris deployment solution listens for connections from the Altiris client on port 402. It is possible to make a request to this port that will result in the encrypted domain credentials being returned. The encryption is not salted or specific to the install, allowing for offsite decryption of the credentials."

The attacker could also get database access, as well as access to other realms of sensitive information. SQL injection is a very common vulnerability in many different applications, but at the same time it's one of the easiest to fix.

Two of the less severe (but just as important!) bugs are insecure registry keys and an insecure install directory. If an attacker has access to the machine, they can delete or modify certain registry keys pertaining to Altiris Deployment Solution, or replace components in the installation directory with malicious code, resulting in a disruption or denial of service.
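A check for the install-directory weakness described above, as an added PowerShell example that is not part of the original article or of Symantec's tooling. It assumes the default express share path quoted later in the article, and the list of principals treated as trusted is an assumption to adjust to local policy; the affected registry keys are not named in the article, so only the directory is covered.

```powershell
# Added example: report ACEs that let non-administrative principals alter
# files under the Deployment Server directory.
$InstallDir = 'C:\Program Files\Altiris\express\Deployment Server'  # path from the article

# SIDs treated as trusted here (assumption): BUILTIN\Administrators,
# NT AUTHORITY\SYSTEM, CREATOR OWNER (placeholder ACE), TrustedInstaller.
$Trusted = 'S-1-5-32-544', 'S-1-5-18', 'S-1-3-0',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Rights that allow replacing or tampering with a component. The generic
# bits (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000) appear on some
# inherit-only ACEs instead of the named file rights.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ([int]$ace.FileSystemRights -band $WriteMask)) { continue }
        # Compare by SID so the check does not depend on the OS language.
        $sid = $ace.IdentityReference.Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        if ($Trusted -contains $sid) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the directory itself, then every file and folder below it.
$targets = @($InstallDir) +
           @(Get-ChildItem -LiteralPath $InstallDir -Recurse |
                 Select-Object -ExpandProperty FullName)

# Inherited entries are reported once, at the root, to keep the output short.
$targets | ForEach-Object { Get-WeakAce $_ } |
    Where-Object { -not $_.Inherited -or $_.Path -eq $InstallDir } |
    Format-Table -AutoSize
```

An empty result means no principal outside the trusted list can modify the installed components through NTFS permissions.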

You're probably scared to death right about now, huh? Well, don't worry: Symantec has released an official security update for Altiris' Deployment Solution (version 6.9.176), as well as a security advisory with more detailed information on all the exploits. All of these resources and more can be found at the bottom of this article.

To help users keep things "cool" in case there is ever a high severity vulnerability again, Syb Security offers Deployment Solution customers the following tips:

  • Restrict administration or management systems access only to users who are privileged.
  • Always restrict remote access. If it truly is required, then only allow it for authorized or trusted users or systems.
  • Run under low privilege settings whenever possible to absorb the impact of any exploits or attacks that might occur.
  • Always keep your software and operating systems updated.
  • Use multiple layers in your security system (e.g., firewall, spyware protection, etc.).
  • Use a network intrusion detection system to help monitor your network's traffic.

Now I'm going to go over how to obtain and install the patch that fixes all of these exploits. You can download the fix to patch your Deployment Solution here. The actual file to download will be in the second frame, on the right side. There will be a file called KB41418.zip; that is the link you want to click to start the download. If that link is down, or you are unable to find the file, I have attached a copy of the patch to this article, so you can download it at the bottom of this page when you are ready.

Once the patch is downloaded, make sure you have Deployment Solution version 6.9. If you do not, follow the steps listed in this knowledge base link to update from version 6.8 SP2 to 6.9. Once you have version 6.9 of Deployment Solution and the new KB41418 patch downloaded, follow the steps below to update and patch your software:

  1. Extract the zip file KB41418.zip to a location on the Deployment Solution server (e.g., C:\kb41418).
  2. Turn off Altiris Express Server, Altiris Deployment Server Data Manager, and Altiris Deployment Server DB Management services.
  3. In the express share (generally C:\Program Files\Altiris\express\Deployment Server), rename axengine.exe to axengine.ext.
  4. Copy axengine.exe from C:\kb41418 to the express share.
  5. Copy altiris-aclient-6.9.176.X86.exe from C:\kb41418 to the agents\aclient directory under the express share.
  6. Open the Altiris Deployment Server applet from within Control Panel.
  7. Click on Options > Transport and select Automatically update clients. This enables automatic update for the AClient. In Deployment Solution 6.9, Automatically update clients is the preferred method to update AClients.
  8. Turn on Altiris Express Server, Altiris Deployment Server Data Manager, and Altiris Deployment Server DB Management services.

Note: If preferred, AClients may be updated without Autoupgrade by using Remote Agent Installer (KB 4277) or the sample job under 'samples > misc jobs > update aclient'.
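
The file and service steps above (1 to 5 and 8) as a PowerShell script. This is an added example, not part of the original article or of Symantec's KB. It assumes the paths given in the steps and that the service names in the article are the services' display names; steps 6 and 7 remain manual actions in the Control Panel applet.

```powershell
# Added example: scripted form of steps 1-5 and 8, with rollback on failure.
$ErrorActionPreference = 'Stop'

$PatchDir   = 'C:\kb41418'                                          # step 1 location
$ExpressDir = 'C:\Program Files\Altiris\express\Deployment Server'  # express share
$Engine     = Join-Path $ExpressDir 'axengine.exe'
$Backup     = Join-Path $ExpressDir 'axengine.ext'
$ClientPkg  = 'altiris-aclient-6.9.176.X86.exe'
$ClientDst  = Join-Path $ExpressDir "agents\aclient\$ClientPkg"
# Names as written in the article; assumed to be the service display names.
$Services   = 'Altiris Express Server',
              'Altiris Deployment Server Data Manager',
              'Altiris Deployment Server DB Management'

# Fail before touching anything if a patch file is missing or a backup exists.
foreach ($f in 'axengine.exe', $ClientPkg) {
    if (-not (Test-Path (Join-Path $PatchDir $f))) { throw "Missing patch file: $f" }
}
if (Test-Path $Backup) { throw "$Backup already exists; was the patch applied before?" }

Stop-Service -DisplayName $Services -Force                           # step 2
try {
    Rename-Item -Path $Engine -NewName 'axengine.ext'                # step 3
    try {
        Copy-Item (Join-Path $PatchDir 'axengine.exe') $Engine       # step 4
        Copy-Item (Join-Path $PatchDir $ClientPkg) $ClientDst        # step 5
    } catch {
        # Roll back so the services restart with the original binary.
        Remove-Item $Engine -ErrorAction SilentlyContinue
        Rename-Item -Path $Backup -NewName 'axengine.exe'
        throw
    }
} finally {
    Start-Service -DisplayName $Services                             # step 8
}

# Record the old and new engine versions for the change log.
Get-Item $Engine, $Backup |
    Select-Object Name, @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } }
```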

That is about all there is to it! While the exploits are severe and can be harmful, that does not guarantee that your server will be "hacked." In fact, chances are that it will not. The zero day fix released by Symantec patches up all the loose vulnerabilities that were previously exploitable, thus discouraging many attackers from looking for Deployment Servers to exploit. However, this does not mean that you can simply forget about updating your server, or procrastinate and put it off until later. It's always better to be safe than sorry, and it's worth an hour (or less!) of your time to secure your data with the latest official security update.

I hope you enjoyed this article and that you learned a little something from it. You may have completed this security update flawlessly, but chances are that Symantec and Altiris will release more important security updates in the future, aimed at keeping their users (you!) safe and secure. Always keep your software updated and always be on the lookout for new hotfixes and patches.

Resources:

  • Download Fix - Altiris Deployment Solution v6.9.176 Security Update
  • Symantec Security Advisory - http://www.symantec.com/avcenter/security/Content/2008.05.14a.html
  • Secunia Security Advisory - http://secunia.com/advisories/30261/

Attachment(s):

  • KB41418.zip (zip file, 2.59 MB, 1 version), uploaded Feb 25, 2020
