CVE-2008-3703

Currently unrated

Key Information:

Vendor: Symantec
Status: Veritas Storage Foundation
Vendor: CVE Published:; 18 August 2008

Summary

The management console in the Volume Manager Scheduler Service (aka VxSchedService.exe) in Symantec Veritas Storage Foundation for Windows (SFW) 5.0, 5.0 RP1a, and 5.1 accepts NULL NTLMSSP authentication, which allows remote attackers to execute arbitrary code via requests to the service socket that create "snapshots schedules" registry values specifying future command execution. NOTE: this issue exists because of an incomplete fix for CVE-2007-2279.

References

http://secunia.com/advisories/31486

third-party-advisoryx_refsource_SECUNIA

http://www.securityfocus.com/archive/1/495481

mailing-listx_refsource_BUGTRAQ

http://www.zerodayinitiative.com/advisories/ZDI-08-053/

x_refsource_MISC

EPSS Score

93% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Aug 18, 2008
Vulnerability Reserved
Aug 18, 2008