Vulnerability Description
The web console in Symantec Altiris Notification Server 6.0.x before 6.0 SP3 R12 uses a hardcoded key that can decrypt SQL Server credentials and certain discovery credentials, and stores this key on the Notification Server machine, which allows local users to obtain sensitive information and possibly execute arbitrary code by decrypting and using these credentials.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Symantec | Altiris Notification Server | 6.0 |
Related Weaknesses (CWE)
References
- http://osvdb.org/62010
- http://secunia.com/advisories/38356 (Vendor Advisory)
- http://www.securityfocus.com/bid/37953
- http://www.securitytracker.com/id?1023521
- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=securit
- http://www.vupen.com/english/advisories/2010/0256
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55952
FAQ
What is CVE-2009-3035?
CVE-2009-3035 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The web console in Symantec Altiris Notification Server 6.0.x before 6.0 SP3 R12 uses a hardcoded key that can decrypt SQL Server credentials and certain discovery credentials, and stores this key on ...
How severe is CVE-2009-3035?
CVE-2009-3035 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2009-3035?
Check the references section above for vendor advisories and patch information. Affected products include: Symantec Altiris Notification Server.