AuthLite Upgrade Advisory #1
Overview
On November 11, 2013, Collective Software discovered and fixed a potential information disclosure bug of moderate impact that could ultimately be used to launch privilege escalation attacks against an affected AuthLite installation and its domain users. This issue can only impact customers who have AuthLite deployed in their Active Directory.
To eliminate the potential for information disclosure in your AuthLite deployment, every customer using AuthLite in their domain should take one of the following steps as soon as possible:
- For AuthLite 2.0 users: Install version 2.0.33 or later from AuthLite.com.
- For AuthLite 1.x users: Install version 1.2.28 or later from AuthLite.com.
If you require further details, or assistance with installing the upgrade, please open a Support Request from our Support page.
Common Questions and Answers
Should I upgrade from v1.x to version 2?
No, you should probably just update to the latest 1.2 build. Version 2 is a much more complex product and a proper upgrade requires a substantial amount of planning, configuration, and testing. We even offer professional services just to help with this. In short, it's not something to be undertaken lightly.
My Replay Windows stopped working after the update, what happened?
Thanks to a customer report, we discovered a bug introduced in 2.0.30 that made previously saved replay window settings fail until they were re-saved in the configuration. We fixed this issue in 2.0.33. You can also work around the issue by opening each replay window setting and re-applying it. Contact Support if you need assistance.
Where do I have to install the update?
Install the updated software on all Domain Controllers that currently have AuthLite installed.
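The following PowerShell script is an added example for this advisory and is not Collective Software's code. It enumerates every domain controller, reads the standard Windows Uninstall registry entries on each one, and flags any AuthLite build older than the fixed versions named above (1.2.28 for the 1.x branch, 2.0.33 for the 2.0 branch). It assumes, without confirmation from the advisory, that AuthLite registers an Uninstall entry whose DisplayName contains "AuthLite" and whose DisplayVersion is a parseable version string, and that the account running it has WinRM access to the domain controllers.

```powershell
# Added example (not Collective Software's code): inventory AuthLite builds on every
# domain controller and flag any that are below the fixed versions from this advisory.
# Assumptions not confirmed by the advisory: AuthLite appears under the standard
# Windows Uninstall registry key with a DisplayName containing "AuthLite" and a
# DisplayVersion string; the current account can run remote commands via WinRM.
Import-Module ActiveDirectory

# Minimum fixed build per major branch, taken from the advisory text.
$fixed = @{ 1 = [version]'1.2.28'; 2 = [version]'2.0.33' }

# Standard locations for installed-program entries (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Query the DC remotely for any uninstall entry that looks like AuthLite.
        $entries = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($keys)
            Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -like '*AuthLite*' } |
                Select-Object DisplayName, DisplayVersion
        } -ArgumentList (,$uninstallKeys)
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Installed = $null; Status = "UNREACHABLE: $($_.Exception.Message)" }
        continue
    }

    if (-not $entries) {
        # The advisory only requires the update where AuthLite is installed.
        [pscustomobject]@{ DC = $dc.HostName; Installed = $null; Status = 'No AuthLite (no update needed)' }
        continue
    }

    foreach ($e in $entries) {
        $v = $null
        if (-not [version]::TryParse([string]$e.DisplayVersion, [ref]$v)) {
            [pscustomobject]@{ DC = $dc.HostName; Installed = $e.DisplayVersion; Status = 'Unparseable version - check manually' }
            continue
        }
        $required = $fixed[$v.Major]
        $status = if (-not $required) { 'Unknown branch - check manually' }
                  elseif ($v -ge $required) { 'OK' }
                  else { "NEEDS UPDATE to $required or later" }
        [pscustomobject]@{ DC = $dc.HostName; Installed = $e.DisplayVersion; Status = $status }
    }
}

# Unreachable DCs and out-of-date builds sort to the top for review.
$results | Sort-Object Status, DC | Format-Table -AutoSize
```

Run it from a workstation with the Active Directory RSAT module installed; domain controllers that report "NEEDS UPDATE" are the ones that still need the installer from AuthLite.com, and any reported as unreachable should be checked by hand rather than assumed patched.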
Was this issue remotely exploitable?
No, this issue required an attacker to be inside your organization's network.
Where was information potentially disclosed?
Information could only potentially be disclosed within your organization's network. There was no exposure outside the network.
Could any information be exposed anonymously?
No, only authenticated domain users could have access to this data.