CVE-2009-3028 - The Altiris eXpress NS SC Download ActiveX control in AeXNSPkgDLLib.dll, as used in Symantec Altiris

CVE-2009-3028

Summary

The Altiris eXpress NS SC Download ActiveX control in AeXNSPkgDLLib.dll, as used in Symantec Altiris Deployment Solution 6.9.x, Notification Server 6.0.x, and Symantec Management Platform 7.0.x exposes an unsafe method, which allows remote attackers to force the download of arbitrary files and possibly execute arbitrary code via the DownloadAndInstall method.

References

Vulnerable Configurations

cpe:2.3:a:symantec:altiris_deployment_solution:6.9:*:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_deployment_solution:6.9:*:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_deployment_solution:6.9:sp1:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_deployment_solution:6.9:sp1:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_deployment_solution:6.9:sp2:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_deployment_solution:6.9:sp2:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_deployment_solution:6.9:sp3:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_deployment_solution:6.9:sp3:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_deployment_solution:6.9:sp4:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_deployment_solution:6.9:sp4:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:*:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:*:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp1:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp1:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp1_hf12:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp1_hf12:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp2:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp2:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r1:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r1:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r10:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r10:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r11:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r11:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r12:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r12:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r13:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r13:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r2:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r2:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r3:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r3:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r4:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r4:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r5:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r5:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r6:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r6:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r7:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r7:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r8:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r8:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r9:*:*:*:*:*:*
cpe:2.3:a:symantec:altiris_notification_server:6.0:sp3_r9:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:*:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:*:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:rc5:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:rc5:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:sp1:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:sp1:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:sp2:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:sp2:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:sp3:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:sp3:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:sp4:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:sp4:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:sp5:*:*:*:*:*:*
cpe:2.3:a:symantec:management_platform:7.0:sp5:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 07-02-2013 - 04:21)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

bid	36346
confirm	http://www.symantec.com/business/support/index?page=content&id=TECH44885 http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090922_00
osvdb	57893
secunia	36679

saint via4

bid	36346
description	Symantec Altiris eXpress NS SC Download ActiveX control vulnerability
id	misc_av_symantec_altirisdl
osvdb	57893
title	altiris_express_ns_sc_download
type	client

Last major update

07-02-2013 - 04:21

Published

07-03-2011 - 21:00

Last modified

07-02-2013 - 04:21