1. Introduction
The Altiris AClient agent, versions prior to 6.9.164, is affected by multiple privilege escalation vulnerabilities. This means a local user on an affected system could gain higher-level access than intended. These systems are typically Windows computers managed by Symantec Altiris deployment solutions. Successful exploitation could lead to compromise of confidentiality, integrity and availability of the managed endpoint.
2. Technical Explanation
The Altiris Client Agent (aclient) is susceptible to a shatter attack which allows local privilege escalation. Additionally, the AClient password is stored in system memory making it recoverable by dumping process memory. An attacker could exploit this by gaining access to the agent admin interface and executing code with system-level privileges. CVE-2008-1473 and CVE-2008-1754 describe these vulnerabilities.
- Root cause: The Altiris client agent does not properly handle privilege checks, allowing a local user to execute commands with elevated permissions. Additionally, the AClient password is stored in plaintext in memory.
- Exploit mechanism: An attacker could dump the process memory of AClient.exe to recover the password and use it to access the admin interface. Alternatively, an attacker can leverage the shatter attack to escalate privileges directly.
- Scope: Windows systems running Altiris Client Agent versions prior to 6.9.164 are affected.
3. Detection and Assessment
Confirming vulnerability requires checking the installed version of the Altiris client agent. A thorough method involves examining process memory for the password.
- Quick checks: Use the Windows “Programs and Features” control panel to check the version of Symantec Altiris Agent.
- Scanning: Nessus plugin ID 35861 can detect vulnerable versions. This is an example only.
- Logs and evidence: There are no specific logs indicating vulnerability, but monitoring for unusual process activity related to AClient.exe may be helpful.
Quick check (Windows command prompt; requests both columns so the output matches the examples in 4.3):
wmic product where "name like '%Altiris%Agent%'" get name,version

4. Solution / Remediation Steps
The solution is to upgrade the Altiris Client Agent to a patched version (6.9.164 or later). These steps should be performed during a maintenance window.
4.1 Preparation
- Ensure you have access to the latest Altiris Client Agent installer. A rollback plan involves restoring from backup or reinstalling the previous version of the agent.
- A change window is recommended, and approval may be needed depending on your organization’s policies.
4.2 Implementation
- Step 1: Download the latest Altiris Client Agent installer from Symantec’s website or a trusted source.
- Step 2: Stop the “Symantec Altiris Agent” service in Windows Services (services.msc).
- Step 3: Uninstall the existing version of Altiris Client Agent through “Programs and Features”.
- Step 4: Run the downloaded installer to install the latest version of Altiris Client Agent.
- Step 5: Start the “Symantec Altiris Agent” service in Windows Services (services.msc).
4.3 Config or Code Example
Before
(Example - Version prior to 6.9.164)
wmic product where "name like '%Altiris%Agent%'" get name,version
Name           Version
Altiris Agent  6.8.1234
After
(Example - Version 6.9.164 or later)
wmic product where "name like '%Altiris%Agent%'" get name,version
Name           Version
Altiris Agent  6.9.164
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this type of issue.
- Practice 1: Least privilege – running services with the minimum required permissions reduces the impact if exploited.
- Practice 2: Patch cadence – Regularly updating software addresses known vulnerabilities like this one.
4.5 Automation (Optional)
# Example PowerShell script for uninstalling Altiris Agent (use with caution!)
# This script assumes you have appropriate permissions to run it on remote machines.
# It covers steps 2 and 3 of section 4.2 only: install the patched agent (step 4)
# before starting the service again (step 5), because the service no longer
# exists once the agent has been uninstalled.
$computers = @("computer1", "computer2") # Replace with your target computers
foreach ($computer in $computers) {
    Invoke-Command -ComputerName $computer -ScriptBlock {
        # Step 2: stop the agent service before removing the package
        Stop-Service -Name "Symantec Altiris Agent" -Force -ErrorAction Stop
        # Step 3: uninstall the existing agent (package name as shown by wmic in 4.3)
        Uninstall-Package -Name "Altiris Agent" -Force -ErrorAction Stop
    }
}
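The five steps in section 4.2, carried out on the local machine with a check after each one, as an added example that is not the advisory's own script. It skips hosts that already run 6.9.164 or later, waits for the service to stop before uninstalling, and fails loudly if the installed version is still below 6.9.164 afterwards. `$InstallerPath` and `$InstallerArgs` are placeholders, not values from the advisory: replace them with the vendor installer and its silent-install switches.

```powershell
# Added example (not the advisory's own script): carry out steps 2-5 of
# section 4.2 on the local machine, checking the outcome of each step, and
# refuse to touch a host that already runs the fixed version.
# Placeholders (not values from the advisory): $InstallerPath and
# $InstallerArgs must be replaced with the vendor installer and its
# silent-install switches for 6.9.164 or later.

$ServiceName   = 'Symantec Altiris Agent'
$FixedVersion  = [version]'6.9.164'
$InstallerPath = 'C:\Temp\AltirisAgentSetup.exe'   # placeholder path
$InstallerArgs = @('/s')                            # placeholder switch

function Get-AgentUninstallEntry {
    # The Uninstall registry keys list the installed name, version and the
    # command that removes the package (avoids the slow Win32_Product class).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Altiris*Agent*' } |
        Select-Object -First 1 DisplayName, DisplayVersion, UninstallString
}

function Stop-AgentService {
    # Step 2: stop the service and wait for it, so the uninstall does not
    # race against a running AClient.exe.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
}

function Uninstall-Agent($Entry) {
    # Step 3: run the registered uninstall command unattended. MSI-based
    # entries carry a product code, so msiexec /x can be used directly.
    if ($Entry.UninstallString -match '\{[0-9A-Fa-f-]{36}\}') {
        $p = Start-Process -FilePath 'msiexec.exe' `
             -ArgumentList "/x $($Matches[0]) /qn /norestart" -Wait -PassThru
    } else {
        $p = Start-Process -FilePath 'cmd.exe' `
             -ArgumentList "/c $($Entry.UninstallString)" -Wait -PassThru
    }
    # 3010 means success with a reboot required
    if ($p.ExitCode -notin 0, 3010) { throw "Uninstall failed: exit code $($p.ExitCode)" }
}

function Install-Agent {
    # Step 4: install the patched agent from the placeholder path.
    if (-not (Test-Path -Path $InstallerPath)) { throw "Installer not found: $InstallerPath" }
    $p = Start-Process -FilePath $InstallerPath -ArgumentList $InstallerArgs -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) { throw "Install failed: exit code $($p.ExitCode)" }
}

function Invoke-AltirisAgentUpgrade {
    $before = Get-AgentUninstallEntry
    if ($before -and [version]$before.DisplayVersion -ge $FixedVersion) {
        return [pscustomobject]@{ Action = 'Skipped'; Version = $before.DisplayVersion }
    }
    Stop-AgentService
    if ($before) { Uninstall-Agent -Entry $before }
    Install-Agent
    Start-Service -Name $ServiceName -ErrorAction Stop            # step 5
    $after = Get-AgentUninstallEntry
    if (-not $after -or [version]$after.DisplayVersion -lt $FixedVersion) {
        throw "Upgrade did not leave a fixed version installed (found: $($after.DisplayVersion))"
    }
    [pscustomobject]@{ Action = 'Upgraded'; Version = $after.DisplayVersion }
}

Invoke-AltirisAgentUpgrade
```

Run it elevated on each host, for example through the `Invoke-Command` loop in 4.5; the returned object records whether the host was upgraded or skipped, which is what you want to collect into the change record for the maintenance window.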
5. Verification / Validation
Confirm the fix by checking the installed version of the agent and verifying that the password is no longer present in memory.
- Post-fix check: Run `wmic product where "name like '%Altiris%Agent%'" get name,version` and confirm the output shows version 6.9.164 or later.
- Re-test: Re-run the quick check from section 3 to verify that the vulnerability is no longer present.
- Smoke test: Verify that Altiris agent can still report inventory data and receive deployment tasks.
- Monitoring: Monitor for unexpected process activity related to AClient.exe, which could indicate a regression or attempted exploitation.
wmic product where "name like '%Altiris%Agent%'" get name,version
Name           Version
Altiris Agent  6.9.164
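A scripted version of the quick check in section 3 and the post-fix check above, as an added example that is not part of the advisory. It reads the Add/Remove Programs entries from the registry (the `wmic product` query goes through Win32_Product, which is slow and triggers MSI consistency checks), parses the version, and reports each host as Vulnerable, Patched, NotInstalled or UnknownVersion. It assumes PowerShell remoting is available for remote hosts and that the agent registers under the display name shown in 4.3.

```powershell
# Added example (not from the original advisory): report the installed
# Altiris Agent version on one or more hosts and flag anything older than
# the fixed version 6.9.164. Serves both the quick check in section 3 and
# the post-fix check in section 5.
# Assumptions: PowerShell remoting is enabled for remote hosts, and the
# agent registers as 'Altiris Agent' under the standard Uninstall keys.

$FixedVersion = [version]'6.9.164'

function Get-AltirisAgentVersion {
    # Read Add/Remove Programs entries from the registry rather than via
    # 'wmic product' (Win32_Product), which is slow and triggers MSI repairs.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Altiris*Agent*' } |
        Select-Object DisplayName, DisplayVersion
}

function Get-AltirisPatchState {
    # Compare a DisplayVersion string against the fixed version; strings
    # that do not parse as a version are reported rather than guessed at.
    param([string]$DisplayVersion, [version]$Fixed = $FixedVersion)
    $parsed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return 'UnknownVersion' }
    if ($parsed -ge $Fixed) { 'Patched' } else { 'Vulnerable' }
}

function Get-AltirisAgentStatus {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        try {
            $entries = if ($computer -eq $env:COMPUTERNAME) {
                Get-AltirisAgentVersion
            } else {
                Invoke-Command -ComputerName $computer -ErrorAction Stop `
                    -ScriptBlock ${function:Get-AltirisAgentVersion}
            }
        } catch {
            [pscustomobject]@{ ComputerName = $computer; Version = $null; Status = "Error: $($_.Exception.Message)" }
            continue
        }
        if (-not $entries) {
            [pscustomobject]@{ ComputerName = $computer; Version = $null; Status = 'NotInstalled' }
            continue
        }
        foreach ($entry in $entries) {
            [pscustomobject]@{
                ComputerName = $computer
                Version      = $entry.DisplayVersion
                Status       = Get-AltirisPatchState -DisplayVersion $entry.DisplayVersion
            }
        }
    }
}

# The two versions shown in section 4.3, evaluated offline.
Get-AltirisPatchState -DisplayVersion '6.8.1234'
Get-AltirisPatchState -DisplayVersion '6.9.164'

# Fleet check; replace the names with your managed hosts.
Get-AltirisAgentStatus -ComputerName 'computer1', 'computer2' | Format-Table -AutoSize
```

Hosts that come back as Error or NotInstalled need a second look rather than being treated as safe: an agent that was removed but never reinstalled, or a host that is unreachable, is exactly what slips through a version-only baseline.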
6. Preventive Measures and Monitoring
Several measures can prevent similar issues.
- Baselines: Update your security baseline to require Altiris Client Agent 6.9.164 or later.
- Asset and patch process: Implement a regular patch review cycle for all managed software, including Altiris agents.
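Sections 3 and 5 both recommend watching for unusual process activity around AClient.exe. Because the advisory's memory-exposure issue needs another process to read the agent's memory, the concrete signal to watch is a process opening AClient.exe with PROCESS_VM_READ access. The following is an added example, not part of the advisory, that filters Sysmon ProcessAccess records (Event ID 10) for that pattern; it assumes Sysmon is deployed with ProcessAccess logging enabled, and the image paths in the sample records are constructed.

```powershell
# Added example (not part of the advisory): pick out processes that open
# AClient.exe with memory-read access, which is what is needed to dump the
# process memory the advisory says holds the agent password.
# Assumptions: Sysmon is installed with ProcessAccess (Event ID 10) logging
# enabled; the image paths in the sample records are constructed.

$ProcessVmRead = 0x0010   # PROCESS_VM_READ access right

function ConvertFrom-SysmonProcessAccess {
    # Flatten a Sysmon Event ID 10 record into the fields the check needs.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated   = $Event.TimeCreated
        SourceImage   = $data['SourceImage']
        TargetImage   = $data['TargetImage']
        GrantedAccess = [int]$data['GrantedAccess']   # Sysmon logs this as a 0x... string
    }
}

function Test-AgentMemoryRead {
    # Emit the record when the target is AClient.exe, the granted access
    # includes PROCESS_VM_READ, and the source is not an allowed tool.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Access,
        [string[]]$AllowedSources = @()
    )
    process {
        $targetsAgent = $Access.TargetImage -like '*\AClient.exe'
        $readsMemory  = ($Access.GrantedAccess -band $ProcessVmRead) -ne 0
        $isAllowed    = $AllowedSources -contains $Access.SourceImage
        if ($targetsAgent -and $readsMemory -and -not $isAllowed) { $Access }
    }
}

function Get-AgentMemoryReadEvents {
    # Live variant: pull recent Sysmon ProcessAccess events from the log.
    param([int]$MaxEvents = 1000, [string[]]$AllowedSources = @())
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-SysmonProcessAccess -Event $_ } |
        Test-AgentMemoryRead -AllowedSources $AllowedSources
}

# Constructed sample records (not real telemetry) covering three cases:
# limited query access, full access from an unknown binary, and an allowed tool.
$SampleAccess = @(
    [pscustomobject]@{
        TimeCreated = '2024-01-01 10:00:00'; SourceImage = 'C:\Windows\System32\svchost.exe'
        TargetImage = 'C:\Program Files\Altiris\AClient.exe'; GrantedAccess = 0x1000
    }
    [pscustomobject]@{
        TimeCreated = '2024-01-01 10:05:00'; SourceImage = 'C:\Users\jdoe\AppData\Local\Temp\unknown.exe'
        TargetImage = 'C:\Program Files\Altiris\AClient.exe'; GrantedAccess = 0x1FFFFF
    }
    [pscustomobject]@{
        TimeCreated = '2024-01-01 10:06:00'; SourceImage = 'C:\Program Files\EDR\sensor.exe'
        TargetImage = 'C:\Program Files\Altiris\AClient.exe'; GrantedAccess = 0x1410
    }
)

# Offline run over the constructed records; only the unknown binary is reported.
$SampleAccess | Test-AgentMemoryRead -AllowedSources 'C:\Program Files\EDR\sensor.exe'
```

ProcessAccess logging is noisy, and PROCESS_VM_READ is also requested by legitimate security and management tools, so the allowlist is part of the detection rather than an afterthought: tune it against a baseline of normal hosts before alerting on the result, and keep the underlying fix (upgrading to 6.9.164 or later) as the primary control.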
7. Risks, Side Effects, and Roll Back
Upgrading the agent may cause temporary disruption of Altiris services.
- Risk or side effect 1: Compatibility – ensure existing deployment tasks still work with the upgraded agent.
- Risk or side effect 2: Temporary service interruption during upgrade – schedule during a maintenance window.
8. References and Resources
- Vendor advisory or bulletin: http://www.symantec.com/avcenter/security/Content/2008.03.10.html
- NVD or CVE entry: CVE-2008-1473 and CVE-2008-1754 (https://cve.mitre.org)