Stopping Exploits of Symantec SAVCE 10.x AMS

Publicly available exploits exist (e.g. the GLEG exploit pack for Immunity CANVAS) for Symantec AMS (Alert Management System) at version 10.1.8.8000 and below. For each affected server you have, you need to disable AMS, uninstall it, or upgrade SAVCE 10.x to a patched version. Symantec AMS is an optional component of a SAVCE 10.x server installation that lets the SAV server send email alerts and pages when events of interest happen. Disabling AMS doesn't break reporting or any other function of SAVCE; the only thing you lose is those AMS email and pager alerts.

I recommend simply stopping and disabling the three AMS services:
“Intel Alert Handler”
“Intel Alert Originator”
“Intel File Transfer”
(Leave the “Intel PDS” service running. It is needed for normal operation of SAV 10. It is the Intel Ping Discovery Service, which the Parent Server and Symantec System Center use to discover SAV parent servers.)
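As an added example (not from the original post), here is a PowerShell snippet that carries out the stop-and-disable step above and then confirms that Intel PDS is still running. It assumes the names listed above are the services' display names, which is what Get-Service -DisplayName matches on; the short service names are not given here, so the script reads them from the service object rather than guessing them. Run it in an elevated PowerShell session on each SAV parent server.

```powershell
# Added example: stop and disable the SAVCE 10.x AMS services, leave "Intel PDS" alone.
# Assumption: the names below are service display names (the short names are not on the page).
$amsServices = @("Intel Alert Handler", "Intel Alert Originator", "Intel File Transfer")
$keep = "Intel PDS"

foreach ($displayName in $amsServices) {
    $svc = Get-Service -DisplayName $displayName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output "Not installed: $displayName"
        continue
    }
    if ($svc.Status -ne "Stopped") {
        # -Force also stops any dependent services instead of failing
        Stop-Service -InputObject $svc -Force
    }
    # Disable so it does not come back at the next reboot
    Set-Service -Name $svc.Name -StartupType Disabled
    Write-Output "Stopped and disabled: $displayName (service name: $($svc.Name))"
}

# Check: PDS must still be running, or SSC discovery of parent servers breaks
$pds = Get-Service -DisplayName $keep -ErrorAction SilentlyContinue
if ($pds -and $pds.Status -eq "Running") {
    Write-Output "OK: $keep is still running"
} else {
    Write-Warning "$keep is not running on this server; check it before moving on"
}

# Final state of all four services, for the change record
Get-Service -DisplayName ($amsServices + $keep) -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Name, Status, StartType |
    Format-Table -AutoSize
```

Re-run the last Get-Service line after a reboot to confirm the three AMS services stayed disabled; a SAVCE upgrade may recreate them, so check again after patching.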

References:
http://seclists.org/fulldisclosure/2010/Jul/364 (the offending bug in SAVCE)
http://seclists.org/dailydave/2011/q2/36 (announcement of the GLEG pack exploit for Immunity CANVAS)
http://partners.immunityinc.com/movies/gleg-symantecams.zip (video showing how exploits of this bug work against vulnerable servers)
http://www.symantec.com/business/support/index?page=content&id=TECH101301&locale=en_US (Symantec instructions if you want to uninstall AMS completely)

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement
