Symantec Altiris Notification Server 6.0 < SP3 R12 Static Encryption Key

High Nessus Network Monitor Plugin ID 5330

Synopsis

The remote host is affected by an information disclosure vulnerability.

Description

The remote host is running a version of Symantec Altiris Notification Server 6.0 earlier than SP3 R12. Such versions are potentially affected by a local information disclosure vulnerability because the application uses a static encryption key to encrypt credentials entered by the administrator. An attacker who exploits this flaw could view information without authorization or possibly execute code.

Solution

Upgrade to Altiris Notification Server 6.0 SP3 R12 or later.

See Also

http://www.nessus.org/u?887bac22

http://www.nessus.org/u?942c6f9b

Plugin Details

Severity: High

ID: 5330

File Name: 5330.prm

Family: CGI

Published: 2010/01/29

Modified: 2016/01/15

Dependencies: 1442

Nessus ID: 44339

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:U/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 2010/01/28

Vulnerability Publication Date: 2010/01/28

Reference Information

CVE: CVE-2009-3035

BID: 37953

OSVDB: 62010