Vulnerability in the Altiris eXpress NS SC Download ActiveX control

Article:TECH44885  |  Created: 2009-09-13  |  Updated: 2010-12-14  |  Article URL http://www.symantec.com/docs/TECH44885
NOTE: If you are experiencing this particular known issue, we recommend that you Subscribe to receive email notification each time this article is updated. Subscribers will be the first to learn about any releases, status changes, workarounds or decisions made.
Article Type
Technical Solution


Issue



A design error vulnerability has been identified in an ActiveX control used by the Notification Server Management Console.


Environment



Notification Server 6.x
Symantec Management Platform 7.x
Deployment Solution 6.9 


Cause



The "DownloadAndInstall()" download method, which is used in the "Altiris eXpress NS SC Download" control (AeXNSPkgDLLib.dll) can allow attackers to execute arbitrary code on the targeted host.

To exploit this vulnerability, an attacker would include a specially crafted code in a website and use social engineering to entice the targeted user into visiting the malicious website.


Solution



A workaround would be to download the attached registry file (rename .txt to .reg) and merge it into the registry of any machine that has the ActiveX control installed. It will disable the ActiveX control from being loaded in Internet Explorer thereby preventing the vulnerability from being exploited. The registry file will add the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{63716E93-033D-48B0-8A2F-8E8473FD7AC7}]
"Compatibility Flags"=dword:00000400

Applying this hotfix may impact the operation of the NS/SMP and products built using it. If you disable the control on a machine running Notification Server 6.0 you will no longer be able to use the Solution Center to install solutions.

Attached is a custom inventory script (AeXNSPkgDLLib.xml) in which you can add to your existing Inventory Task or create a new one to determine if the vulnerability exists in your environment.

You will need to add this line to your inventory INI file before the aexnsinvcollector.exe line:
aexcustinv.exe /in .\AeXNSPkgDLLib.XML /out AeXNSPkgDLLib.nsi

If the Inventory task runs on the machine and the AeXNSPkgDLLib.dll exists on the machine it will create a row in the Inv_AeXNSPkgDLLib dataclass. Also, it looks for the existance of the above registry entry.

Attached is a report which will show any machine with the AeXNSPkgDLLib.dll and without the killbit registry entry to show it as being vulnerable.

NOTE:

The long-term fix is a corrected AeXNSPkgDLLib.dll (v6.0.0.2000 or later) file that has been added to the AltirisNSConsole.cab for NS 6.0 R12 and SMP 7.0 SP3.




Legacy ID



49069


Article URL http://www.symantec.com/docs/TECH44885


Terms of use for this information are found in Legal Notices