Environment
Novell ZENworks Configuration Management 11.2.3a System
Update
Novell ZENworks Configuration Management 11.2.4 System Update
Novell ZENworks Configuration Management 11.3 System Update
Novell ZENworks Configuration Management 11.2.4 System Update
Novell ZENworks Configuration Management 11.3 System Update
Situation
Upgrade or an Uninstall of the ZENworks agent on Windows 8 and
Windows 2012 devices has the potential to make the device un-usable
for a particular scenario.
Resolution
The custom action “ZenNotifyCustomAction.exe†has been fixed with
corrected logic to detect and accommodate this scenario. This
change was made in the novell-zenworks-zennotifyicon.msi,
specifically the ZenNotifyIconCustomAction.exe.
ZENworks 11.3.0a (ZENworks11SP3a.iso) has been released that is pre-patched with this fix for new installations or upgrades.
ZENworks 11.3.0a Windows 8.1 has been provided that contains this patch and adds support for Windows 8.
The fix is also contained as part of FTF Roll Up 1 for ZENworks (11 SP3):
Novell has made a Patch available for testing, as part of an FTF Roll Up patches collection: it can be obtained at https://download.novell.com/Download?buildid=6c6917CRv6U~ as "FTF Roll Up 1 for ZENworks (11 SP3)". This update should only be applied if the symptoms above are being experienced, and are causing problems.
Please report any problems encountered when using this Patch, by using the feedback link on this TID.
Additional individual FTFs have been provided for affected ZCM versions that includes this fix in the form of a deployment via system update or bundle assignment.
ZCM_11.2.3a_Patch_841566.zip for agents currently running 11.2.3a
A device has been correctly updated if the file "%ZENWORKS_HOME%\bin\ZenNotifyIconCustomAction.exe" has the version 11.2.3.36725
ZCM_11.2.4_Patch_841566.zip for agents currently running 11.2.4
A device has been correctly updated if the file "%ZENWORKS_HOME%\bin\ZenNotifyIconCustomAction.exe" has the version 11.2.4.36709
ZCM_11.3.0_Patch_841566.zip for agents currently running 11.3.0
A device has been correctly updated if the file "%ZENWORKS_HOME%\bin\ZenNotifyIconCustomAction.exe" has the version 11.3.0.36694.
ZCM_11.3.0_WIN8.1_Patch_841566.zip for agents currently running 11.3.0 and have already applied ZENworks 11.3 Windows 8.1 Update
A device has been correctly updated if the file "%ZENWORKS_HOME%\bin\ZenNotifyIconCustomAction.exe" has the version 11.3.0.36696.
also see additional Information below
ZENworks 11.3.0a (ZENworks11SP3a.iso) has been released that is pre-patched with this fix for new installations or upgrades.
ZENworks 11.3.0a Windows 8.1 has been provided that contains this patch and adds support for Windows 8.
The fix is also contained as part of FTF Roll Up 1 for ZENworks (11 SP3):
Novell has made a Patch available for testing, as part of an FTF Roll Up patches collection: it can be obtained at https://download.novell.com/Download?buildid=6c6917CRv6U~ as "FTF Roll Up 1 for ZENworks (11 SP3)". This update should only be applied if the symptoms above are being experienced, and are causing problems.
Please report any problems encountered when using this Patch, by using the feedback link on this TID.
Additional individual FTFs have been provided for affected ZCM versions that includes this fix in the form of a deployment via system update or bundle assignment.
ZCM_11.2.3a_Patch_841566.zip for agents currently running 11.2.3a
A device has been correctly updated if the file "%ZENWORKS_HOME%\bin\ZenNotifyIconCustomAction.exe" has the version 11.2.3.36725
ZCM_11.2.4_Patch_841566.zip for agents currently running 11.2.4
A device has been correctly updated if the file "%ZENWORKS_HOME%\bin\ZenNotifyIconCustomAction.exe" has the version 11.2.4.36709
ZCM_11.3.0_Patch_841566.zip for agents currently running 11.3.0
A device has been correctly updated if the file "%ZENWORKS_HOME%\bin\ZenNotifyIconCustomAction.exe" has the version 11.3.0.36694.
ZCM_11.3.0_WIN8.1_Patch_841566.zip for agents currently running 11.3.0 and have already applied ZENworks 11.3 Windows 8.1 Update
A device has been correctly updated if the file "%ZENWORKS_HOME%\bin\ZenNotifyIconCustomAction.exe" has the version 11.3.0.36696.
also see additional Information below
Cause
When updating or uninstalling the ZENworks Agent, if the
%systemroot% environment variable resolves to any string other than
<System drive>:\Windows\(case-sensitive), where the
system drive is C, D or any other drive, depending on where the
operating system is installed, all files under the
"\Windows\System32" folder might get deleted, and the device might
become unusable.
Details:
During System Update or Uninstall of the ZENworks Agent (specifically novell-zenworks-zennotifyicon.msi), ZENworks executes a piece of code, here after called as “ZenNotifyCustomAction†that could potentially delete all the files from <SystemDrive>:\Windows\System32 folder if the environment variable %systemroot% resolves to any string other than “<SystemDrive>:\Windows.â€
In most cases, the drive always resolves to above case i.e “<SystemDrive>:\Windowsâ€, but considering that Windows 8 Operating System could be installed in various modes by 3rd parties, OEM vendors, Win7 Upgrades etc, this assumption has been invalidated and thus exposing the problem. The chances of running into this problem is very rare. The problem code in “ZenNotifyCustomAction.exe†has been in the field since 11.2.3 (April 2013) and the visibility of this problem has not been very high. Regardless, customers moving to Windows 8 should take precaution and use one of the resolution mechanisms to make sure they are covered for this scenario.
Important Consideration: After upgrading or installing a new device that will be running Windows 8 or Windows 2012 it is necessary to reapply the FTF for its respective release. For example, going from 11.2.3a to 11.2.4 would require you to push the 11.2.4 FTF afterwards.
Details:
During System Update or Uninstall of the ZENworks Agent (specifically novell-zenworks-zennotifyicon.msi), ZENworks executes a piece of code, here after called as “ZenNotifyCustomAction†that could potentially delete all the files from <SystemDrive>:\Windows\System32 folder if the environment variable %systemroot% resolves to any string other than “<SystemDrive>:\Windows.â€
In most cases, the drive always resolves to above case i.e “<SystemDrive>:\Windowsâ€, but considering that Windows 8 Operating System could be installed in various modes by 3rd parties, OEM vendors, Win7 Upgrades etc, this assumption has been invalidated and thus exposing the problem. The chances of running into this problem is very rare. The problem code in “ZenNotifyCustomAction.exe†has been in the field since 11.2.3 (April 2013) and the visibility of this problem has not been very high. Regardless, customers moving to Windows 8 should take precaution and use one of the resolution mechanisms to make sure they are covered for this scenario.
Important Consideration: After upgrading or installing a new device that will be running Windows 8 or Windows 2012 it is necessary to reapply the FTF for its respective release. For example, going from 11.2.3a to 11.2.4 would require you to push the 11.2.4 FTF afterwards.
Additional Information
Most customers who have the potential of being impacted by this
problem will have two situations to understand.
1. New deployments that will need to have the fix pre-installed in the updates.
2. Currently deployed machines which have the vulnerable executable and need to be patched.
New Deployment
New installations should be installed using the ZENworks 11.3.0a ISO which has been pre-patched and can be deployed to new devices without other requirements.
New Windows 8 agent deployments can use the "ZENworks_11.3.0a_Windows8.1_Update.zip", which incorporates this fix in addition to the support for Windows 8.
New 11.2.3a, 11.2.4, 11.3.0 agents that will be deployed via system update should have the respective patch integrated using the "zman surp" command, which will pre-patch the system update being deployed.
Current\Existing Deployment
Existing 11.3.0 deployment with or without Windows Windows8.1_Update.zip installed can be updated with ZENworks_11.3.0_FTFRollUp1.zip.
Alternatively existing 11.3.0 deployments will need to be updated by using the FTF "ZCM_11.3.0_Patch_841566.zip" or existing 11.3.0 deployments that already have the Windows8.1_Update.zip installed should use the FTF "ZCM_11.3.0_WIN8.1_Patch_841566.zip"
Existing 11.2.4 and 11.2.4_MU1 deployments will need to be updated by using the FTF "ZCM_11.2.4_Patch_841566.zip"
Existing 11.2.3a and 11.2.3a_MU1 deployments will need to be updated by using the FTF "ZCM_11.2.3a_Patch_841566.zip"
1. New deployments that will need to have the fix pre-installed in the updates.
2. Currently deployed machines which have the vulnerable executable and need to be patched.
New Deployment
New installations should be installed using the ZENworks 11.3.0a ISO which has been pre-patched and can be deployed to new devices without other requirements.
New Windows 8 agent deployments can use the "ZENworks_11.3.0a_Windows8.1_Update.zip", which incorporates this fix in addition to the support for Windows 8.
New 11.2.3a, 11.2.4, 11.3.0 agents that will be deployed via system update should have the respective patch integrated using the "zman surp" command, which will pre-patch the system update being deployed.
Current\Existing Deployment
Existing 11.3.0 deployment with or without Windows Windows8.1_Update.zip installed can be updated with ZENworks_11.3.0_FTFRollUp1.zip.
Alternatively existing 11.3.0 deployments will need to be updated by using the FTF "ZCM_11.3.0_Patch_841566.zip" or existing 11.3.0 deployments that already have the Windows8.1_Update.zip installed should use the FTF "ZCM_11.3.0_WIN8.1_Patch_841566.zip"
Existing 11.2.4 and 11.2.4_MU1 deployments will need to be updated by using the FTF "ZCM_11.2.4_Patch_841566.zip"
Existing 11.2.3a and 11.2.3a_MU1 deployments will need to be updated by using the FTF "ZCM_11.2.3a_Patch_841566.zip"