Support Knowledgebase
 
Document 332989
 
Last edited
03/15/2006


 

Security Advisory: Adobe Graphics Server and Adobe Document Server configuration security vulnerability

Advisory Name: Adobe Graphics Server and Adobe Document Server configuration security vulnerability

Release Date: March 14, 2006

Vulnerability Identifier: CVE-2006-1182

Products: Adobe Graphics Server 2.0, 2.1 (formerly AlterCast), Adobe Document Server 5.0, 6.0

Platform: Windows

Overview: Adobe has been made aware of a potential security vulnerability in the recommended configuration of Adobe Graphics Server and Adobe Document Server on the Windows operating system. This potential security vulnerability could allow code to run on the server whenever a user logs on to it interactively.

Effect: If exploited, this vulnerability would allow an anonymous user to place code on the server that is then run in the context of the next user who logs on interactively. Depending on the configuration of the server, this could be an administrative user.

Details: The installation documentation describes a server configuration that uses a low-privilege service account. Adobe is aware of a potential vulnerability that exists even when the product is installed following this best practice. In the configuration described in the installation documentation, it may be possible to exploit this vulnerability if a user interactively logs on to the server as the Adobe Server service account.

In the default configuration, where the Adobe Server is installed as SYSTEM, it may be possible to exploit this potential vulnerability if anyone logs into the server interactively.

This potential vulnerability is mitigated in most environments because interactive logon to systems running Adobe Graphics Server or Adobe Document Server is not common user behavior. For a server configured as described in the product's installation documentation, no workflow requires interactive logon to the service account. Also, if the server is installed on an operating system other than Windows, the installation guidelines do not allow interactive logon.

Severity: Adobe categorizes this issue as a moderate issue and recommends that affected users make modifications to the service account as described below.

Recommendation:

The hardening process included in the documentation is not sufficient to mitigate this potential vulnerability. After completing the hardening steps described in the product README, the service account for the server (adbeserv) should be configured to deny interactive logon. This can be accomplished through the Local Security Policy.

The following steps should be performed after completing installation of the server:

1. Open the Local Security Settings from the Administrative Tools control panel.

2. Select User Rights Assignment.

3. Open the Deny Logon Locally policy.

4. Add "adbeserv" to the list of user accounts that are denied the right to log on locally.

In some installations of AGS or ADS 5.0, an additional step may be necessary:

1. Open "AGS or ADS 5 root"\server\conf\wrapper.properties in a text editor.

2. Scroll to the bottom of the file.

3. Add -Xrs as an additional command line option. (-Xrs reduces the JVM's use of operating-system signals; on Windows it stops the JVM from installing console handlers for events such as log off, so the service is not shut down when an interactive session ends.) The revised version would look like this:

wrapper.cmd_line="$(wrapper.javabin)" -Xrs -Xmx512M -classpath "$(wrapper.class_path)" $(wrapper.startup_class) -config "$(wrapper.server_xml)" -home "$(AlterCastTomcatHome)"

4. Save the changes.

5. Restart the AlterCastDocEdition or AlterCastImageEdition service.
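The two procedures above, as an added PowerShell example (not Adobe's tooling and not part of the original advisory): it denies the service account the "log on locally" right through secedit, verifies the change, and adds -Xrs to wrapper.properties before restarting the service. The account name adbeserv, the wrapper.cmd_line form and the service names come from the advisory; the install path in $ServerRoot is a placeholder assumption. Run it from an elevated prompt on the server.

```powershell
# Added example, not Adobe's own code. Assumptions: run as local Administrator; the service
# account is the local account 'adbeserv' (from the advisory); $ServerRoot is a hypothetical
# install path. secedit.exe and its [Privilege Rights] INF format are standard Windows tooling.
param(
    [string]$Account    = 'adbeserv',
    [string]$ServerRoot = 'C:\Program Files\Adobe\Adobe Graphics Server'   # hypothetical path
)
$ErrorActionPreference = 'Stop'

# --- Step 1: deny "Log on locally" (SeDenyInteractiveLogonRight) to the service account ---

# secedit INF files list accounts by SID, prefixed with '*'.
$ntAccount = New-Object System.Security.Principal.NTAccount($Account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

$exportInf = Join-Path $env:TEMP 'rights-export.inf'
$applyInf  = Join-Path $env:TEMP 'rights-apply.inf'
$db        = Join-Path $env:TEMP 'rights-apply.sdb'

# Export only the user-rights area of the current local policy.
secedit.exe /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $exportInf

# Current members of the right (the line is absent if nobody is denied local logon yet).
$current = ($lines | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }) -replace '^[^=]*=\s*', ''
$members = @()
if ($current) { $members = $current -split ',' | ForEach-Object { $_.Trim() } }

if ($members -contains "*$sid") {
    Write-Host "$Account is already denied local logon"
} else {
    # Keep the existing members so applying the INF does not drop anyone else from the right.
    $members += "*$sid"
    @(
        '[Unicode]'
        'Unicode=yes'
        '[Version]'
        'signature="$CHICAGO$"'
        'Revision=1'
        '[Privilege Rights]'
        "SeDenyInteractiveLogonRight = $($members -join ',')"
    ) | Set-Content -Path $applyInf -Encoding Unicode
    secedit.exe /configure /db $db /cfg $applyInf /areas USER_RIGHTS | Out-Null
    Write-Host "Denied local logon for $Account ($sid)"
}

# Verify: re-export and confirm the SID is now listed on the right.
secedit.exe /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
$check = Get-Content $exportInf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
if ($check -notmatch [regex]::Escape("*$sid")) { throw "SeDenyInteractiveLogonRight does not list $Account" }

# --- Step 2 (AGS / ADS 5.0 only): add -Xrs to the JVM command line in wrapper.properties ---

$wrapper = Join-Path $ServerRoot 'server\conf\wrapper.properties'
if (Test-Path $wrapper) {
    $text = Get-Content $wrapper -Raw
    if ($text -match '(?m)^wrapper\.cmd_line=.*\s-Xrs(\s|$)') {
        Write-Host '-Xrs is already present in wrapper.cmd_line'
    } else {
        Copy-Item $wrapper "$wrapper.bak"
        # Insert -Xrs directly after the quoted java binary, matching the advisory's example line.
        $patched = $text -replace '(?m)^(wrapper\.cmd_line="\$\(wrapper\.javabin\)")', '$1 -Xrs'
        if ($patched -eq $text) { throw 'wrapper.cmd_line not found in the expected form; edit it by hand' }
        Set-Content -Path $wrapper -Value $patched -NoNewline
        Write-Host "Added -Xrs to $wrapper (backup at $wrapper.bak)"
        # Restart whichever edition's service is installed (service names from the advisory).
        foreach ($svc in 'AlterCastDocEdition', 'AlterCastImageEdition') {
            if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { Restart-Service -Name $svc }
        }
    }
}
```

The script writes the full member list back rather than only the new SID, because secedit /configure sets the right to exactly what the INF lists. It changes only the local-logon right the advisory names; "Deny log on through Terminal Services" is a separate right and is outside the advisory's recommendation.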

Acknowledgement: Adobe would like to thank Secunia for reporting this issue and for working with us to help protect the security of our customers.

Revisions: March 14, 2006 - Bulletin first created

Reporting Security Issues

Adobe is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Adobe product, please send an email to PSIRT@adobe.com. We will work to appropriately address and communicate the issue.

Receiving Security Bulletins

When Adobe becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Adobe customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.

For additional information on security issues at Adobe, please visit the Adobe website at www.adobe.com/support/security/.

Adobe Disclaimer

DISCLAIMER OF WARRANTIES: ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES PROVIDED BY ADOBE IN THIS BULLETIN ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ADOBE AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.

LIMIT OF LIABILITY: IN NO EVENT SHALL ADOBE, INC., OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN IF ADOBE, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.

Adobe reserves the right, from time to time, to update the information in this document with current information.
