Symantec ITMS Inventory Solution Application Denial Functionality Bypass

SUMMARY

The Inventory Solution component of Symantec's IT Management Agent, the client portion of Symantec IT Management Suite (ITMS) powered by Altiris, can be configured to deny one or more applications from running on a windows managed client as part of IT management functions. A determined user can force an unauthorized application to load and potentially run despite the application being blacklisted in policy settings. This could potentially result in an authorized user running an unauthorized application on a managed client in the network environment.

AFFECTED PRODUCTS

Symantec ITMS

---

CVE

|

Affected Version(s)

|

Remediation

CVE-2016-2202

|

Prior to 7.6 HF7

|

Update to ITMS 7.6 HF7 Point Fix, see Update Section below, or upgrade to ITMS 8.x

ADDITIONAL PRODUCT INFORMATION

Products Not Affected

Product

|

Version

|

Build

—|—|—

Symantec ITMS

|

8.x

|

All

ISSUES

CVE-2016-2202

---

Severity/CVSSv3:

|

Low / 3.1 AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

References:

Impact:

|

Securityfocus: BID 85778 / NVD: CVE-2016-2202

Bypass the application denial functionality

Description:

|

Symantec is aware of the capability to bypass the application denial functionality. This functionality is only available in managed windows clients and is established and configured as a component of the ITMS Inventory Solution. The application denial functionality, a part of the applications metering feature in the Inventory Solution, is not intended to be, nor promoted as, a security feature. The application denial functionality is a management tool intended to enable IT administrators to deny the running of specified applications, such as peer-to-peer file sharing applications. However application denial does provide a level of restrictive protection against unauthorized applications running on a managed client.

An authorized but determined user can run an application that is not allowed on the corporate network by established IT policies. By creating and running a script that continuously executes the unauthorized application, the user could potentially overload and bypass the established denial policies. This would enable their unauthorized application to run on their managed windows client which could potentially compromise IT network policies. Successful applications denial policy bypass depends very heavily on the capabilities of the managed system which could actually result in limited capabilities of the unauthorized application or even a self-denial of service by overloading the managed client's CPU.

Depending on how IT has configured Inventory Solutions an alert can be e-mailed to an IT administrator when an attempt is made to run such an un-authorized application on a managed windows system. In addition, end users can be informed that the application they are trying to run has been blocked by the IT administrator.

MITIGATION

Symantec Response
While the application denial functionality was not intended as a security feature, Symantec product engineers have already addressed the managed windows agent bypass potential in ITMS 8.0 and have created a point fix for ITMS 7.6 HF7 for those customers who are concerned about any potential exposure to unauthorized applications running on their windows managed clients. Symantec is not aware of adverse customer impact from this issue.

Update Information

Customers may acquire the point fix for ITMS 7.6 HF7 though technical support channels, see Knowledge Bulletin TECH234599 for details.

ACKNOWLEDGEMENTS

Symantec would like to thank Matthew Postinger, www.Postinger.com, for submitting his concerns regarding this issue in versions prior to ITMS 8.0 and working with Symantec as it was addressed.