CVE-2009-3035

The web console in Symantec Altiris Notification Server 6.0.x before 6.0 SP3 R12 uses a hardcoded key that can decrypt SQL Server credentials and certain discovery credentials, and stores this key on the Notification Server machine, which allows local users to obtain sensitive information and possibly execute arbitrary code by decrypting and using these credentials.

Published: Feb 2, 2010
Updated: Apr 13, 2023
CVE: CVE-2009-3035
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:L/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-255

Affected Software
References

Software	From	Fixed in
symantec / altiris_notification_server	6.0-sp3	6.0-sp3.x
symantec / altiris_notification_server	6.0-sp3_r7	6.0-sp3_r7.x
symantec / altiris_notification_server	6.0-sp2	6.0-sp2.x
symantec / altiris_notification_server	6.0-sp3_r8	6.0-sp3_r8.x
symantec / altiris_notification_server	6.0	6.0.x
symantec / altiris_notification_server	6.0-sp1	6.0-sp1.x

http://osvdb.org/62010
http://secunia.com/advisories/38356
http://www.securityfocus.com/bid/37953
http://www.securitytracker.com/id?1023521
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100128_00
http://www.vupen.com/english/advisories/2010/0256
https://exchange.xforce.ibmcloud.com/vulnerabilities/55952

Vulnerability Database

290,206

CVE-2009-3035