<<< Date Index >>>     <<< Thread Index >>>

RE: Critical Vulnerability in Altiris Deployment Server architecture



This is the response we received from Altiris when we submitted this issue to 
their people - please respond with your comments/thoughts:


<snip>
Subject: 

Design flaw in Altiris Deployment Server - Attacker can take over all clients 
on a network with Admininstrator Rights and Remote Control ability
</snip>


<!--- Begin Vendor Response 

Deployment Solution Server-to-Client Security

This is in response to the article titled "Critical Vulnerability in Altiris 
Deployment Server Architecture."

Deployment Solution allows any managed client computer to attach to the nearest 
Deployment Server within a secure environment, while also providing options to 
secure the communication of Deployment Server to its Deployment Agent (commonly 
called AClient) using multiple security safeguards. No critical vulnerabilities 
exist in the Altiris Deployment Server architecture as suggested in the 
"Critical Vulnerability in Altiris Deployment Server Architecture" article. 
Basics of Deployment Server-to-AClient Communication 
Altiris Deployment Solution provides two basic ways to connect from the AClient 
on managed computers to a managing Deployment Server:

1.      Use TCP/IP multicast to locate a Deployment Server, or

2.      Use TCP/IP to connect to a specific Deployment Server identified by 
name or IP address.

The first option, Use TCP/IP multicast to locate a Deployment Server, is the 
default option. Using this setting, AClient will connect to the first 
Deployment Server it finds on the network subnet. This is a distinct advantage 
in a secure network in order to easily allow client computers to attach to the 
nearest Deployment Server. It is true that if the multicast option is used on 
an unsecured network, anyone with access to that network can manage client 
computers by setting up an intercepting Deployment Server and connecting to and 
managing all incoming client traffic. For this reason, the multicasting option 
should only be used within a secure LAN where any rogue Deployment Server would 
be identified immediately. The requirement of a secure network is common to any 
product that supports multicasting and it does not constitute a security flaw.

The second option, Use TCP/IP to connect to Deployment Solution, allows the 
system administrator to specify the server name or IP address of the Deployment 
Server, and the port through which it will communicate. Using this AClient 
setting, the client computer can connect only to the Deployment Server 
specified by name or IP address. 

To further secure this setting, the administrator should set the Administrator 
password on AClient. With these settings in place, the managed client computer 
will only connect to the specified Deployment Server. For example, in the 
dialog below AClient properties are set to use TCP/IP to connect to the server 
named osrhgap312ka on Port 402. With the administrator password set and by 
specifying the IP address of the legitimate Deployment Server, it is not 
possible to set up a rogue Deployment Server. 

Altiris has added certificate communication between AClient and Deployment 
Server and will release this enhancement in the next version of Deployment 
Solution. 

          end vendor response -->







PRODUCTS AFFECTED:

---------------------------------------------------------------------------------------------



ALTIRIS DEPLOYMENT SERVER - 5.x, 6.x, possibly other versions (untested)

POSSIBLY OTHERS? - I have not worked with any of the other Altiris products, so 
I do not know if they are vulnerable to this, similar or other possible 
exploits.





SUMMARY:

---------------------------------------------------------------------------------------------



There is a design flaw in the Deployment Server architecture that could allow 
an attacker to take complete control over all Altiris clients on a network with 
relative ease.



The flaw is that the AClient.exe process does not request any authentication 
from the Deployment server and will happily connect to any Deployment server it 
finds and give it complete Administrator rights to the machine along with the 
ability to Remotely Control it.



This flaw can be exploited via physical or wireless access to the network 
Deployment Server is on, or remotely through a compromised system anywhere on 
the network that Altiris Deployment server is on and can potentially give an 
attacker complete administrative access to some or all managed clients.



This can be done with little or no advance knowledge of the network or client 
configurations prior to the attack, depending on the AClient.exe configuration 
used.





THREAT MITIGATION:

---------------------------------------------------------------------------------------------



Due to a design flaw in the AClient.exe's lack of a proper authentication 
system, there is little you can do to prevent these exploits.



The best things you can do to protect yourself until Altiris fixes their 
product is:



1) DO NOT USE THE "Use TCP/IP Multicast to locate a Deployment Server" OPTION 
WHEN INSTALLING ACLIENT.EXE.  Put in a fixed IP address and Port number when 
installing the client.  



This will make it more difficult for someone to exploit this flaw, as they will 
have to disable the existing deployment server first, or use some other trick 
to make the attacker's machine seem like the "real" Deployment server.



2) TURN ON THE "Encrypt Sessions with Server" AND THE "Require Encrypted 
Sessions with Server" OPTIONS WHEN INSTALLING ACLIENT.EXE.  



This will require a client computer to reboot before it can be compromised, 
which creates an additional barrier of entry to an attacker, and give you more 
time to react in the event a Rogue Deployment server is detected on the network.



3) TURN ON THE "Remain Connected to the server" OPTION WHEN INSTALLING 
ACLIENT.EXE.



This will provide less of an opportunity for a client to unknowingly connect to 
a Rogue Deployment Server by maintaining the connection to the one the client 
first connected to.



4) DO NOT USE THE "Advertise the server this client is connected to through 
multicasting" OPTION UNLESS ABSOLUTELY REQUIRED.



This would prevent a rouge deployment server from obtaining an additional 
compromise vector (the advertising AClient.exe connected to a rogue DS) to new 
machines to control.





SAMPLE EXPLOITS:

---------------------------------------------------------------------------------------------



PREREQUISITE:



BadGuy gets access to the network either (1) physically, by walking in the door 
and plugs his laptop into any network jack anywhere in the building or 
connecting to a wireless network access point inside or outside of the 
building, or (2) by gaining access to any computer on the network, such as 
through any variety of cracks, viruses, trojans, stolen password, etc..  For 
purposes of this discussion, I will assume that he simply walks in the door and 
plugs in a network cable, though it really makes no difference how he connects 
in order to exploit this flaw.



SCENARIO ONE:  AClient.exe configured to connect to Deployment Server via 
network broadcast



His laptop is running its own copy of Deployment Server ("DS" from here on) 
(which is available for a free download online (though it is limited to 10 
clients)).  When clients are booted up, they will send a broadcast request to 
the network.  If the laptop responds faster than the company's "Official" DS 
("ODS" from here on) , then the client will connect to it, and BadGuy now has 
complete control over the client through the AClient service.



Furthermore, if BadGuy can knock the official DS off the network (through any 
variety of Denial of Service attacks, ARP Poisoning, etc.) it can assume the 
role of the ODS, with the same IP address even, and take over more clients.  
Additionally BadGuy can potentially determine the IP address of the ODS by 
watching network traffic and seeing the broadcast messages that are sent to the 
ODS, in order to determine the IP address to attack and assume the role of.



SCENARIO TWO:  AClient.exe configured to connect to Deployment Server via 
direct IP address (for example, IP: 1.2.3.4) or hostname.



Same as above, but BadGuy can redirect clients to his laptop by ARP-Poisoning 
(which makes the network's switches and routers think that the laptop is the 
machine they should send connect to for the IP address 1.2.3.4) or by using a 
Denial of Service attack to knock the ODS offline, and the laptop then starts 
functioning with the IP address

1.2.3.4.



Again, complete control of all clients is on the network is easily achieved.



SCENARIO THREE:  AClient.exe configured to connect to Deployment Server via 
encrypted connection.



Same as above scenarios except that it will require that a client to reboot 
(for any reason) before the client can be hijacked.  When the client computer 
reboots, it will request new session keys from the DS, in this case the 
BadGuy's DS, and will use these keys (now provided by BadGuy's DS) to encrypt 
the session communications.





POSSIBLE FIX (for ALTRIS):

---------------------------------------------------------------------------------------------



The root of this problem is that the AClient does not require any 
authentication to connect to it.  It will happily talk to any DS that it finds.



The AClient must be modified (and therefore the Deployment Server itself) to 
provide a method of authorizing a DS to talk to AClient, and possibly the 
vice-versa.



The simplest method of fixing this would be have a password set for each 
AClient upon installation.



Upon connecting, the client and server would verify that they are talking to an 
authorized system using standard password-testing methods (ie: don't send the 
password to the other system, send a hash of it to prevent spoofing and getting 
the password that way).  Only after authentication would the client and server 
be allowed to interact further.





VENDOR NOTIFICATION:

---------------------------------------------------------------------------------------------



Altiris tech support was notified of this problem and sent the details of this 
vulnerability on Friday, November 21, 2003.



Altiris confirmed the problem and assigned it to a support ticket which was 
escalated for management attention.



I was informed that it had been scheduled to be fixed in a future release, but 
they did not provide an ETA or any other details.



Since then no follow-up inquiries to Altiris have been responded to.



Since it has been nearly a year, with three new versions (6.0, 6.1, 6.1sp1) and 
it still does not appear to have been resolved, I am publishing this alert to 
inform systems administrators of the vulnerability to their networks.





ANALYST INFORMATION:

---------------------------------------------------------------------------------------------
 

Brian Gallagher - DiamondSea.com - brian@xxxxxxxxxxxxxx

We Make E-Commerce Easy - No Technical Experience Required

Consulting - E-Commerce - Web Site Design - Custom Programming

http://www.DiamondSea.com - Toll-Free: 800-604-1476 - Fax: 888-411-8144





_________________________________________________________

The information contained in this message is privileged, confidential and 
intended only for use of the individual or entity addressed above.  If you 
have received this communication in error, please immediately notify us
by reply and delete the same.  Thank you.