Novell ZENworks Configuration Management AdminStudio Remote Code Execution Vulnerabilities

http://www.securityfocus.com/bid/50274

Security Info

Bugtraq ID:	50274
Class:	Design Error
CVE:	CVE-2011-2657
Remote:	Yes
Local:	No
Published:	Oct 19 2011 12:00AM
Updated:	Jul 10 2012 08:02AM
Credit:	TippingPoint
Vulnerable:	Novell ZENworks Configuration Management 11.1 Novell ZENworks Configuration Management 10.3 Novell ZENworks Configuration Management 10.2

Not Vulnerable:

Security Discussion

Novell ZENworks Configuration Management is prone to multiple remote code-execution vulnerabilities.

Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application (typically Internet Explorer) using the ActiveX control. Failed exploit attempts likely result in denial-of-service conditions.

Proof of Concept and Security Exploits

The following exploit is available:

/data/vulnerabilities/exploits/50274.rb

Security Solution(s)

Solution:
Vendor updates are available. Please see the references for more information.

Security References(s)

References:

Novell Homepage (Novell)
Security Vulnerabilities with ZENworks Admin Studio version (Novell)

Emagined Security Blog featuring Dr. Eugene Schultz

Secure Web Programming
by Vizual Services