Vulnerability category: Local
Vulnerability severity:
Vulnerability information
Dell Active Roles (now Quest Active Roles) Server gives Active Directory administrators all the tools necessary to securely and efficiently manage Active Directory, overcoming the native shortcomings of AD and automating the most common AD administration tasks.
Dell Active Roles uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
Affected Versions:
Dell Active Roles version 7.0
Dell Active Roles version 7.0.2
Dell Active Roles version 7.0.3
Dell Active Roles version 7.0.4
Dell Active Roles version 7.1
QID Detection Logic (Authenticated):
This QID gets the vulnerable version of Active Roles from Windows registry and also checks if 'ActiveRoles.Common.dll' is present on the system.
Impact
An authenticated local attacker could exploit this vulnerability to execute arbitrary code with elevated privileges on the system.
Solution
Customers are advised to upgrade to Active Roles 7.2.
Workaround:
To fix the Active Roles Administration Service:
A. Open the Windows Services Management console and stop the Active Roles Administration Service.
B. Open an administrator Command Prompt and run the following command.
For version 7.0
sc config ARAdminSvc binPath= "\"C:\Program Files\Dell\Active Roles\7.0\Service\arssvc.exe\""
For version 7.1
sc config ARAdminSvc binPath= "\"C:\Program Files\Dell\Active Roles\7.1\Service\arssvc.exe\""
C. From the Windows Service Management console, start the Active Roles Administration Service.
To fix the Active Roles Synchronization Service:
A. Open the Windows Services Management console and stop the Active Roles Synchronization Service.
B. Open an administrator Command Prompt and run the following command.
For version 7.0
sc config arsyncsvc binPath= "\"C:\Program Files\Dell\Active Roles\7.0\SyncService\SyncService.exe\""
For version 7.1
sc config arsyncsvc binPath= "\"C:\Program Files\Dell\Active Roles\7.1\SyncService\SyncService.exe\""
C. From the Windows Service Management console, start the Active Roles Synchronization Service.
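To confirm the workaround took effect, the following added PowerShell check (not part of the vendor advisory or the QID logic) reads the configured path of the two services named above and reports whether it is still unquoted. The function name Test-UnquotedServicePath and the sample rows are assumptions constructed for illustration; the samples are used only when neither service exists on the host.

```powershell
# Added example, not vendor code. Returns $true when the executable portion
# of a service path contains whitespace and is not wrapped in double quotes.
function Test-UnquotedServicePath {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ImagePath)
    $p = $ImagePath.Trim()
    # An empty path or one that starts with a quote is not affected.
    if ($p -eq '' -or $p.StartsWith('"')) { return $false }
    # Executable portion = text up to the first ".exe"; the rest is arguments.
    $exe = if ($p -match '(?i)^(.+?\.exe)(\s|$)') { $Matches[1] } else { $p }
    return ($exe -match '\s')
}

# Service names taken from the workaround steps above.
$names = 'ARAdminSvc', 'arsyncsvc'
$live = Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Name } |
    Select-Object Name, PathName

# Constructed sample rows (hypothetical vendor and paths), used offline.
$samples = @(
    [pscustomobject]@{ Name = 'sample-unquoted'
        PathName = 'C:\Program Files\Example Vendor\Example App\svc.exe' }
    [pscustomobject]@{ Name = 'sample-quoted'
        PathName = '"C:\Program Files\Example Vendor\Example App\svc.exe"' }
    [pscustomobject]@{ Name = 'sample-nospace'
        PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)

$rows = if ($live) { $live } else { $samples }
$rows | ForEach-Object {
    [pscustomobject]@{
        Service  = $_.Name
        Unquoted = Test-UnquotedServicePath -ImagePath ([string]$_.PathName)
        PathName = $_.PathName
    }
} | Format-Table -AutoSize -Wrap
```

A service that still shows Unquoted as True after step B has not picked up the corrected binPath and should be reconfigured before it is restarted.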
Patch:
Following are links for downloading patches to fix the vulnerabilities: