A design error vulnerability has been identified in an ActiveX control used by the Notification Server Management Console.
The "DownloadAndInstall()" download method, which is used in the "Altiris eXpress NS SC Download" control (AeXNSPkgDLLib.dll) can allow attackers to execute arbitrary code on the targeted host.
To exploit this vulnerability, an attacker would include a specially crafted code in a website and use social engineering to entice the targeted user into visiting the malicious website.
A workaround would be to download the attached registry file (rename .txt to .reg) and merge it into the registry of any machine that has the ActiveX control installed. It will disable the ActiveX control from being loaded in Internet Explorer thereby preventing the vulnerability from being exploited. The registry file will add the following:
Applying this hotfix may impact the operation of the NS/SMP and products built using it. If you disable the control on a machine running Notification Server 6.0 you will no longer be able to use the Solution Center to install solutions.
Attached is a custom inventory script (AeXNSPkgDLLib.xml) in which you can add to your existing Inventory Task or create a new one to determine if the vulnerability exists in your environment.
You will need to add this line to your inventory INI file before the aexnsinvcollector.exe line: aexcustinv.exe /in .\AeXNSPkgDLLib.XML /out AeXNSPkgDLLib.nsi
If the Inventory task runs on the machine and the AeXNSPkgDLLib.dll exists on the machine it will create a row in the Inv_AeXNSPkgDLLib dataclass. Also, it looks for the existance of the above registry entry.
Attached is a report which will show any machine with the AeXNSPkgDLLib.dll and without the killbit registry entry to show it as being vulnerable.
The long-term fix is a corrected AeXNSPkgDLLib.dll (v18.104.22.1680 or later) file that has been added to the AltirisNSConsole.cab for NS 6.0 R12 and SMP 7.0 SP3.
Notification Server 6.x Symantec Management Platform 7.x Deployment Solution 6.9