Vulnerability CVE-2009-3035


Published: 2010-02-02   Modified: 2012-02-13

Description:
The web console in Symantec Altiris Notification Server 6.0.x before 6.0 SP3 R12 uses a hardcoded key that can decrypt SQL Server credentials and certain discovery credentials, and stores this key on the Notification Server machine, which allows local users to obtain sensitive information and possibly execute arbitrary code by decrypting and using these credentials.

CVSS2 => (AV:L/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
6.4/10
3.1/10
Exploit range
Attack complexity
Authentication
Local
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Symantec -> Altiris notification server 

 References:
http://xforce.iss.net/xforce/xfdb/55952
http://www.vupen.com/english/advisories/2010/0256
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100128_00
http://www.securitytracker.com/id?1023521
http://www.securityfocus.com/bid/37953
http://secunia.com/advisories/38356
http://osvdb.org/62010

Copyright 2021, cxsecurity.com

 

Back to Top