Symantec Altiris DS SQL injection

2013-11-18T00:00:00
ID SAINT:71F5C88BDEE46E59DE8351E5D44F74BD
Type saint
Reporter SAINT Corporation
Modified 2013-11-18T00:00:00

Description

Added: 11/18/2013
CVE: CVE-2008-2286
BID: 29198
OSVDB: 45313

Background

Altiris Deployment Solution (DS) is software for managing the configuration of machines on a network.

Problem

An SQL injection vulnerability allows remote attackers to execute arbitrary commands by sending a specially crafted notification packet to port 402/tcp.

Resolution

Apply the update referenced in SYM008-012.

References

<http://www.securityfocus.com/archive/1/492229>

Limitations

Exploit requires the tftp command-line client to exist on the target computer.

Platforms

Windows