Executive Summary
Summary | |
---|---|
Title | Symantec AppStream and Workspace Streaming vulnerable to arbitrary code download and execution |
Information | |||
---|---|---|---|
Name | VU#221257 | First vendor Publication | 2010-06-17 |
Vendor | VU-CERT | Last vendor Modification | 2010-06-18 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Vulnerability Note VU#221257

Symantec AppStream and Workspace Streaming vulnerable to arbitrary code download and execution

Overview

The Symantec AppStream and Workspace Streaming clients fail to properly validate downloads, which can allow a remote, unauthenticated attacker to download and execute arbitrary code on a vulnerable system.

I. Description

Symantec Workspace Streaming is a software distribution solution that "streams" applications to client desktops. Older versions of the software are known as AppStream or Altiris Streaming System. The Symantec Workspace Streaming client is configured to handle the aswe protocol. By processing an aswe:// URI, the Symantec Workspace Streaming client will download and execute applications from the specified Workspace Streaming server. The Symantec Workspace Streaming client and prior variants fail to properly authenticate with the server component of the software.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a webpage or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. Other mechanisms for accessing the Workspace Streaming Client, e.g., via the aswe protocol handler, can have the same impact.

III. Solution

Apply an update

This issue is addressed in Symantec Workspace Streaming 6.1 SP4. Please see Symantec Advisory SYM10-008 for more details.

References

http://www.cert.org/tech_tips/securing_browser/

This vulnerability was reported by Will Dormann of the CERT/CC. This document was written by Will Dormann.
Original Source
Url : http://www.kb.cert.org/vuls/id/221257 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-287 | Improper Authentication |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 4 | |
Application | 4 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
65601 | Symantec AppStream / Workspace Streaming (SWS) aswe: URI MiTM File Download A... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2010-06-18 | Name : The remote host has a code execution vulnerability. File : symantec_sym10-008.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 12:07:37 |