ID CVE-2009-3035
Summary The web console in Symantec Altiris Notification Server 6.0.x before 6.0 SP3 R12 uses a hardcoded key that can decrypt SQL Server credentials and certain discovery credentials, and stores this key on the Notification Server machine, which allows local users to obtain sensitive information and possibly execute arbitrary code by decrypting and using these credentials.
References
Vulnerable Configurations
  • cpe:2.3:a:symantec:altiris_notification_server:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:symantec:altiris_notification_server:6.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:symantec:altiris_notification_server:6.0:sp2:*:*:*:*:*:*
  • cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3:*:*:*:*:*:*
  • cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r7:*:*:*:*:*:*
  • cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r8:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 17-08-2017 - 01:31)
Impact:
Exploitability:
CWE CWE-255
CAPEC
Access
Vector: LOCAL
Complexity: LOW
Authentication: SINGLE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
cvss-vector via4 AV:L/AC:L/Au:S/C:P/I:P/A:P
refmap via4
bid 37953
confirm http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100128_00
osvdb 62010
sectrack 1023521
secunia 38356
vupen ADV-2010-0256
xf symantec-ans-key-unauth-access(55952)
Last major update 17-08-2017 - 01:31
Published 02-02-2010 - 16:30
Last modified 17-08-2017 - 01:31