SYM08-020
October 20, 2008
Symantec Altiris Deployment Solution Elevation of Privilege Clear Text Password in Memory

Revision History
None

Severity
Medium

Remote AccessNo
Local AccessYes
Authentication RequiredYes
Exploit publicly availableNo

Overview
An elevation of privilege issue via a privileged access password stored in memory has been identified and resolved in the Symantec Altiris Deployment Solution. Successful exploitation could potentially allow a non-privileged user with authorized access to the system hosting the Deployment Solution Server to gain unauthorized access and modify network client systems.

Affected Product(s)
ProductVersionBuildSolution(s)
Altiris Deployment Solution6.XAll6.9.355 SP1

Details
Information Risk Management Plc reported that the Symantec Altiris Deployment Solution agent stores the Application Identity Account password, set during installation, in clear text in system memory. A non-privileged user with authorized access to the system hosting the Deployment Solution Server could potentially retrieve this password from system memory enabling the user to possibly make unauthorized modifications to client systems on the network, e.g., deploy unauthorized software.

The level of unauthorized access achieved is dependent on the user group the Application Identity Account was established under during initial installation. The impact of this threat is further reduced as it requires initial authorized system access in any attempt to compromise the targeted account. In a recommended installation, the Altiris Deployment Solution Server should be restricted to privileged-access, authorized users only and located in a restricted access environment.

Symantec Response
Symantec engineers have verified and resolved these issues in Altiris Deployment Solution 6.9 SP1. Updates are available as follows:

Follow the installation instructions Best Practices
As part of normal best practices, Symantec strongly recommends:

References
Security Focus, http://www.securityfocus.com, has assigned a Bugtraq ID (BID 31767) to this issue for inclusion in the Security Focus vulnerability data base.

CVE
A CVE Candidate name will be requested from the Common Vulnerabilities and Exposures (CVE) initiative for this issue. This advisory will be revised accordingly upon receipt of the CVE Candidate name. This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems

Credit
Symantec would like to thank Mazin Faour, Information Risk Management Plc, for reporting this issue and providing full coordination while Symantec resolved it.


Last modified on: