Vulnerability in the Altiris eXpress NS SC Download ActiveX control
search cancel

Vulnerability in the Altiris eXpress NS SC Download ActiveX control

book

Article ID: 177019

calendar_today

Updated On:

Products

IT Management Suite Deployment Solution

Issue/Introduction

A design error vulnerability has been identified in an ActiveX control used by the Notification Server Management Console.

Cause

The "DownloadAndInstall()" download method, which is used in the "Altiris eXpress NS SC Download" control (AeXNSPkgDLLib.dll) can allow attackers to execute arbitrary code on the targeted host.

To exploit this vulnerability, an attacker would include a specially crafted code in a website and use social engineering to entice the targeted user into visiting the malicious website.

Resolution

A workaround would be to download the attached registry file (rename .txt to .reg) and merge it into the registry of any machine that has the ActiveX control installed. It will disable the ActiveX control from being loaded in Internet Explorer thereby preventing the vulnerability from being exploited. The registry file will add the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{63716E93-033D-48B0-8A2F-8E8473FD7AC7}]
"Compatibility Flags"=dword:00000400

Applying this hotfix may impact the operation of the NS/SMP and products built using it. If you disable the control on a machine running Notification Server 6.0 you will no longer be able to use the Solution Center to install solutions.

Attached is a custom inventory script (AeXNSPkgDLLib.xml) in which you can add to your existing Inventory Task or create a new one to determine if the vulnerability exists in your environment.

You will need to add this line to your inventory INI file before the aexnsinvcollector.exe line:
aexcustinv.exe /in .\AeXNSPkgDLLib.XML /out AeXNSPkgDLLib.nsi

If the Inventory task runs on the machine and the AeXNSPkgDLLib.dll exists on the machine it will create a row in the Inv_AeXNSPkgDLLib dataclass. Also, it looks for the existance of the above registry entry.

Attached is a report which will show any machine with the AeXNSPkgDLLib.dll and without the killbit registry entry to show it as being vulnerable.

NOTE:

The long-term fix is a corrected AeXNSPkgDLLib.dll (v6.0.0.2000 or later) file that has been added to the AltirisNSConsole.cab for NS 6.0 R12 and SMP 7.0 SP3.


Applies To

Notification Server 6.x
Symantec Management Platform 7.x
Deployment Solution 6.9 

Attachments

Report_AeXNSPkgDLLib.dll ActiveX Vulneribility.xml get_app
KillBit.txt get_app
AeXNSPkgDLLib.xml get_app
Powered by Wolken Software