Security Advisory: Adobe Graphics Server and Adobe Document Server configuration security vulnerability
Advisory Name: Adobe Graphics Server and Adobe Document Server configuration security vulnerability
Release Date: March 14, 2006
Vulnerability Identifier: CVE-2006-1182
Products: Adobe Graphics Server 2.0, 2.1 (formerly AlterCast), Adobe Document Server 5.0, 6.0
Overview: Adobe has been made aware of a potential security vulnerability in the recommended configuration of Adobe Graphics Server and Adobe Document Server on the Windows operating system. This potential security vulnerability might enable execution of code on servers that are accessed through interactive logon.
Effect: If exploited, this vulnerability would allow an anonymous user to place code onto the server that is then run as the interactive user at the time they log on. Depending on the configuration of the server, this could be an administrative user.
Details: The installation documentation describes a server configuration that uses a low privilege service account. Adobe is aware of a potential vulnerability that exists even when the product is installed following this best practice. In the configuration described in the installation documentation, it may be possible to exploit this vulnerability if a user interactively logs into the Adobe Server service account.
In the default configuration, where the Adobe Server is installed as SYSTEM, it may be possible to exploit this potential vulnerability if anyone logs into the server interactively.
This potential vulnerability is mitigated in most environments because interactive logon to systems running Adobe Graphics Server or Adobe Document Server is not a common user behavior. For a server configured following the installation documented with the product, no workflow requires interactive logon to the service account. Also, if the server is installed on an operating system other than Windows, the installation guidelines do not allow interactive logon.
Severity: Adobe categorizes this issue as a moderate issue and recommends that affected users make modifications to the service account as described below.
The hardening process included in the documentation is not sufficient to mitigate this potential vulnerability. After completing the hardening steps described in the product README, the service account for the server (adbeserv) should be configured to restrict interactive logon. This can be accomplished through use of local security policies.
The following steps should be performed after completing installation of the server:
1. Open the Local Security Settings from the Administrative Tools control panel.
2. Select User Rights Assignment.
3. Open the Deny Logon Locally policy.
4. Add “adbeserv” to the list of user accounts that are denied the right to log on locally.
In some installations of AGS or ADS 5.0, an additional step may be necessary:
1. Open “AGS or ADS 5 root”\server\conf\wrapper.properties in a text editor.
2. Scroll to the bottom of the file.
3. Add -Xrs as an additional command line option. The revised version would look like this:
wrapper.cmd_line="$(wrapper.javabin)" -Xrs -Xmx512M -classpath "$(wrapper.class_path)" $(wrapper.startup_class) -config "$(wrapper.server_xml)" -home "$(AlterCastTomcatHome)"
4. Save the changes.
5. Restart the AlterCastDocEdition or AlterCastImageEdition service.
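Both changes can be verified after they are made. The PowerShell below is an added example, not part of Adobe's advisory or product documentation: it exports the local user-rights policy with secedit and checks that the service account is listed under SeDenyInteractiveLogonRight (the policy constant behind "Deny log on locally"), and optionally checks wrapper.properties for -Xrs. It assumes an elevated prompt; the function names and the -WrapperPath parameter are hypothetical, and the caller supplies the real path to the file.

```powershell
# Added example: audit the two mitigations described in this advisory.
# Run elevated. -WrapperPath is optional and only applies to AGS/ADS 5.0.
param(
    [string]$Account = 'adbeserv',
    [string]$WrapperPath
)

function Test-DenyLogonLocally {
    param([string]$Account)
    # secedit lists accounts either by name or as *SID, so resolve the SID too.
    # Translate() throws if the account does not exist on this machine.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        $line = Get-Content $cfg |
            Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return $false }   # the right is assigned to no one
        $entries = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
        foreach ($e in $entries) {
            if ($e -eq "*$sid") { return $true }
            # Name entries may be bare or qualified (COMPUTER\name).
            if (($e -split '\\')[-1] -ieq $Account) { return $true }
        }
        return $false
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Test-XrsOption {
    param([string]$Path)
    # Only the last uncommented wrapper.cmd_line assignment is considered.
    $cmd = Get-Content $Path |
        Where-Object { $_ -match '^\s*wrapper\.cmd_line\s*=' } |
        Select-Object -Last 1
    return [bool]($cmd -and ($cmd -match '(^|\s)-Xrs(\s|$)'))
}

"Deny log on locally applies to ${Account}: " + (Test-DenyLogonLocally $Account)
if ($WrapperPath) {
    "-Xrs present in wrapper.cmd_line: " + (Test-XrsOption $WrapperPath)
}
```

A result of False for the first check means the account can still log on at the console and the policy steps above need to be applied.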
Acknowledgement: Adobe would like to thank Secunia for reporting this issue and for working with us to help protect the security of our customers.
Revisions: March 14, 2006 – Bulletin first created
Reporting Security Issues
Adobe is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Adobe product, please send an email to PSIRT@adobe.com. We will work to appropriately address and communicate the issue.
Receiving Security Bulletins
When Adobe becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Adobe customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service.