
Heads Up: ActiveX Vulnerability in Notification and Deployment Server 

Nov 04, 2009 07:37 AM

Two days ago, Symantec posted security advisory SM09-015, "Symantec Altiris Deployment Solution and Notification Server Management Web Console Browse and Save File ActiveX Overflow".

This vulnerability announcement refers to ActiveX controls downloaded when accessing the web consoles for Notification Server and Deployment Server. These ActiveX controls have buffer overflow vulnerabilities which can be exploited should any Altiris Administrator/Worker (who uses the web consoles) visit a malicious website, or possibly open a maliciously crafted HTML email which calls the control. The vulnerability potentially allows unauthorised code execution within the security context of the user's browser.

Although the machines hosting these vulnerable DLLs are limited to the computers Altiris Administrators and Workers use for web administration of Deployment and Notification Server, please note that Symantec have posted this with a HIGH severity rating. Although Symantec are not aware of any sites being compromised, proof of concept code *has been published*.

To help, I've summarised below the Deployment Server and Notification Server vulnerability details.
 

Deployment Server

Deployment Server administrators are only vulnerable if the Deployment Server's web console has been installed. Computers which have accessed the web console will have downloaded these vulnerable ActiveX controls. Win32 console users are unaffected.

Remediation Advice

To completely resolve this issue, Deployment Servers with the web console installed need to be upgraded to DS 6.9 SP3. The AltirisNSConsole.cab file then needs to be replaced and the vulnerable controls deleted from your workstations. The details are here:

 https://kb.altiris.com/article.asp?article=49568&p=1

However, I do not recommend rushing to upgrade your Altiris Infrastructure. Upgrading your Altiris Infrastructure should always be done with due care and testing, so I would consider the following interim measures:

1) Delete the vulnerable AltirisNSConsole.cab from "C:\Program Files\Altiris\eXpress\Deployment Web Console\DSWeb\utils" on the server. This will prevent these controls from downloading again.

2) Delete the vulnerable files, using the ActiveXCleanup.vbs in the above article, on computers you've used to access the DS Web Console.

It is entirely possible that lower versions of DS can be fixed by replacing the vulnerable cabinet file, but this is untested at this time.
 

Notification Server

Unfortunately, Notification Server 6.0 through to the bleeding edge 7.0 branch are affected. Only computers which have accessed the Notification Server web console will have downloaded these vulnerable ActiveX controls.

Remediation Advice

Although Notification Server rollup R12 for NS 6.0 SP3 contains the patched ActiveX controls, it is not yet available for general release. SP3 for NS7, which also fixes this problem, is not on general release either. I therefore recommend you follow the steps in the article below to replace the cab file containing the vulnerable controls:

https://kb.altiris.com/article.asp?article=49389&p=1

The patched controls will be downloaded on the next visit to the web console.

Kind Regards,
Ian./


Comments

Jan 20, 2010 12:21 PM

The controls should be listed in the %WINDIR%\Downloaded Program Files folder and you can remove it from there (of course IE should be closed).  Just right-click the "AeXMenuCtrl Class" and choose Remove (you might be able to use "Update" to pull the new controls too, not sure...).

If that doesn't work, as Ian suggests you can try browsing in a CMD prompt to the same directory and remove the .ocx and .dll files from there (actually it looks like they may be installed to the \system32 directory: AeXMenuCtrlLib.dll, AeXNSConsoleUtilities.dll, AeXNSPkgDLLib.dll, AeXTreeCtrlLib.dll).
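
A read-only inventory of the files named on this page, added here as an example (it is not part of the original post or comments, and it is not Symantec's ActiveXCleanup.vbs): it reports where the listed DLLs and the DS web console cabinet still exist, so the cleanup steps can be targeted at the right machines. The function name Get-AltirisControlFile is hypothetical; the file names and folders are the ones quoted on this page.

```powershell
# Added example: read-only audit for leftover Altiris console ActiveX files.
# Nothing is deleted; the script only reports what it finds.

# DLL names as listed in the comment on this page.
$ControlFiles = @(
    'AeXMenuCtrlLib.dll',
    'AeXNSConsoleUtilities.dll',
    'AeXNSPkgDLLib.dll',
    'AeXTreeCtrlLib.dll'
)

# Folders named on this page where the controls may have been installed.
$SearchDirs = @(
    (Join-Path $env:WINDIR 'Downloaded Program Files'),
    (Join-Path $env:WINDIR 'System32')
)

# DS web console cabinet path from the post (only exists on a Deployment Server).
$DsCab = 'C:\Program Files\Altiris\eXpress\Deployment Web Console\DSWeb\utils\AltirisNSConsole.cab'

# Hypothetical helper: emit one record per control file that is present.
function Get-AltirisControlFile {
    param(
        [string[]]$Directories = $SearchDirs,
        [string[]]$Names = $ControlFiles
    )
    foreach ($dir in $Directories) {
        foreach ($name in $Names) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $item = Get-Item -LiteralPath $path -Force
                [pscustomobject]@{
                    Computer    = $env:COMPUTERNAME
                    Path        = $item.FullName
                    FileVersion = $item.VersionInfo.FileVersion
                    LastWrite   = $item.LastWriteTime
                }
            }
        }
    }
}

$found = @(Get-AltirisControlFile)
if ($found.Count -eq 0) {
    Write-Output "No Altiris console control files found on $env:COMPUTERNAME."
} else {
    $found | Format-Table -AutoSize | Out-String | Write-Output
}

if (Test-Path -LiteralPath $DsCab -PathType Leaf) {
    Write-Output "DS web console cabinet still present: $DsCab"
}
```

The reported FileVersion and LastWrite values are for comparison against the versions given in the vendor article; the script does not decide whether a file is patched.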

Jan 09, 2010 03:04 PM

 Hi,

You could track down all the ocx's which get dumped down and registered (take a snapshot on a clean computer of the files laid down when IE runs the installer from NS).

I took the easy option and just mailed out to the techies that they would be prompted for a mandatory reboot following the upgrade.. ;-)

Kind Regards,
Ian./

Jan 08, 2010 11:35 AM

Hello,

after I installed R12 on NS 6.0 SP3 R11, when I start the NS Console on the NS, it installs ActiveX that requires a reboot.

I tried to reboot the NS before getting in the console and I also tried to run "D:\Program Files\Altiris\Notification Server\NSCap\Bin\Win32\X86\NS CAB Installer Package\AltirisNSCABInstaller.exe" and rebooted, but every time, when I start the NS console for the first time, it installs the ActiveX and asks for a reboot.

Is there another way to force the ActiveX update other than starting the NS Console?

RJ

Jan 07, 2010 04:35 PM

The link to the Knowledge Base article is no longer available to the public. The vulnerability fix has been incorporated into the R12 update for Notification Server 6.0 SP3 and Symantec Management Platform 7.0 SP3. Both of these updates are available either through the Solution Center or SIM.

If for some reason you are unable to apply either of these updates to your environment you will need to contact Technical Support to acquire the update.

Jan 07, 2010 03:19 PM

Hello,

Am I the only one that cannot access https://kb.altiris.com/article.asp?article=49389&p=1?

I get an "Error: You do not have permissions to view article 49389. Please return to the Customer Portal. " error message.

RJ

Dec 30, 2009 05:46 AM

Yep, I'm afraid so! 

Dec 30, 2009 12:17 AM

Thanks ianatkin,

I assume that https://kb.altiris.com/article.asp?article=50072&p=1
is yet another Active-X flaw and needs to be installed on systems running R12 as well.
