Two days ago, Symantec posted security advisory SM09-015 - Symantec Altiris Deployment Solution and Notification Server Management Web Console Browse and Save File ActiveX Overflow. This advisory concerns the ActiveX controls that are downloaded when accessing the web consoles for Notification Server and Deployment Server. These ActiveX controls have buffer overflow vulnerabilities which can be exploited should any Altiris Administrator/Worker (who uses the web consoles) visit a malicious website, or possibly open a maliciously crafted HTML email which calls the control. The vulnerability potentially allows unauthorised code execution within the security context of the user's browser.
Although the number of machines hosting these vulnerable DLLs is limited to the computers that Altiris Administrators and Workers use for web administration of Deployment and Notification Server, please note that Symantec have posted this with a HIGH severity rating. Although Symantec are not aware of any sites being compromised, proof of concept code *has been published*.
To help, I've summarised below the Deployment Server and Notification Server vulnerability details.
Deployment Server
Deployment Server administrators are only vulnerable if the Deployment Server's web console has been installed. Computers which have accessed the web console will have downloaded these vulnerable ActiveX controls. Users of the Win32 console are unaffected.
Remediation Advice
To completely resolve this issue, Deployment Servers with the web console installed need to be upgraded to DS 6.9 SP3. The AltirisNSConsole.cab file then needs to be replaced and the vulnerable controls deleted from your workstations. The details are here:
https://kb.altiris.com/article.asp?article=49568&p=1
However, I do not recommend rushing to upgrade your Altiris Infrastructure. Upgrading your Altiris Infrastructure should always be done with due care and testing, so I would consider the following interim measures:
1) Delete the vulnerable AltirisNSConsole.cab from "C:\Program Files\Altiris\eXpress\Deployment Web Console\DSWeb\utils" on the server. This will prevent these controls from downloading again.
2) On computers you've used to access the DS Web Console, delete the vulnerable files using the ActiveXCleanup.vbs script from the above article.
It is entirely possible that lower versions of DS can be fixed by replacing the vulnerable cabinet file, but this is untested at this time.
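One way to verify the two interim measures afterwards, as an added example that is not part of the original post or of Symantec's KB article. It assumes that Internet Explorer stores downloaded controls under %SystemRoot%\Downloaded Program Files and that the controls' version resource mentions "Altiris"; the function names are hypothetical.

```powershell
# Added example: audit the interim measures on a DS server or admin workstation.
# Assumptions (not from the advisory or KB article): Internet Explorer keeps
# downloaded controls in %SystemRoot%\Downloaded Program Files, and the controls'
# version resource names "Altiris" as company or product. Function names are
# hypothetical.
param(
    [string]$CabPath = 'C:\Program Files\Altiris\eXpress\Deployment Web Console\DSWeb\utils\AltirisNSConsole.cab',
    [string]$ControlDir = (Join-Path $env:SystemRoot 'Downloaded Program Files'),
    [string]$VendorPattern = 'Altiris'
)

function Get-CabStatus {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Check = 'Console cab'; Path = $Path; Status = 'Absent'; Detail = '' }
    }
    # A cab that is present may be the vulnerable original or the patched
    # replacement; record its timestamp and hash so the two can be told apart.
    $item = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Check  = 'Console cab'
        Path   = $Path
        Status = 'Present'
        Detail = "modified $($item.LastWriteTime.ToString('u')); SHA256 $hash"
    }
}

function Get-DownloadedControl {
    param([string]$Dir, [string]$Pattern)
    if (-not (Test-Path -LiteralPath $Dir)) { return }
    Get-ChildItem -LiteralPath $Dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.dll', '.ocx' } |
        Where-Object { "$($_.VersionInfo.CompanyName) $($_.VersionInfo.ProductName)" -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'Downloaded control'
                Path   = $_.FullName
                Status = 'Present'
                Detail = "version $($_.VersionInfo.FileVersion); modified $($_.LastWriteTime.ToString('u'))"
            }
        }
}

$results = @(Get-CabStatus -Path $CabPath) + @(Get-DownloadedControl -Dir $ControlDir -Pattern $VendorPattern)
$results | Format-Table -AutoSize -Wrap
```

Run it on the DS server to confirm the cab is gone, and on each administration workstation after running ActiveXCleanup.vbs; use -CabPath to point it at a cab stored elsewhere.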
Notification Server
Unfortunately, Notification Server 6.0 through to the bleeding edge 7.0 branch are affected. Only computers which have accessed the Notification Server web console will have downloaded these vulnerable ActiveX controls.
Remediation Advice
Although Notification Server rollup R12 for NS 6.0 SP3 contains the patched ActiveX controls, this is not as yet available for general release. Note that SP3 for NS7, which fixes this problem, is not available on general release either. I therefore recommend you follow the steps in the article below to replace the cab file containing the vulnerable controls:
https://kb.altiris.com/article.asp?article=49389&p=1
The patched controls will be downloaded on the next visit to the web console.
Kind Regards,
Ian