-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0056
                 RealNetworks Helix Server Security Fixes
                               12 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              RealNetworks Helix Server
                      RealNetworks Helix Mobile Server
Operating System:     Red Hat
                      Solaris
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account
                      Access Privileged Data          -- Existing Account
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-1985 CVE-2012-1984 CVE-2012-1923
                      CVE-2012-0942
Member content until: Saturday, May 12 2012

OVERVIEW

        Multiple vulnerabilities have been fixed in Helix Server and Helix
        Mobile Server version 14.3.x.


IMPACT

        RealNetworks has the following information:
        
        "CVE-2012-1923 ... multiple vulnerabilities in RealNetworks Helix
        Server, which can be exploited by malicious, local users to
        disclose sensitive information and by malicious people to cause a DoS
        (Denial of Service)."
        
        "CVE-2012-0942:
        RealNetworks Helix Server rn5auth Credential Parsing Remote Code
        Execution Vulnerability.
        
        A bug exists in the code which parses authentication credentials and
        allows for a buffer overflow."
        
        "CVE-2012-1984 ... vulnerable to multiple cross site scripting
        vulnerabilities."
        
        "CVE-2012-1985 ... contains a flaw where a malformed URL can cause the
        server process to crash. ...an attacker would have to leverage a
        cross-site request forgery (csrf) attack in order to trick the
        administrator into loading the malformed URL." [1]
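        The CVE-2012-0942 entry above describes a buffer overflow in code that
        parses authentication credentials. The following C program is an
        editor-added illustration of the bug class and its fix; it is not
        RealNetworks' rn5auth code, and the "user:password" format, the
        field sizes and the sample inputs are assumptions constructed for
        the example. The point it shows is that a fixed-size destination
        buffer must be compared against the attacker-controlled field
        length before any copy takes place.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Editor-added example: a length-checked parser for a "user:password"
 * credential string. Format and buffer sizes are assumptions; this is
 * not the Helix Server rn5auth implementation. */

#define MAX_USER 32
#define MAX_PASS 64

struct credential {
    char user[MAX_USER];
    char pass[MAX_PASS];
};

/* Returns 0 on success, -1 on malformed input or on a field that would
 * not fit its fixed-size buffer. The unsafe pattern behind a bug of the
 * kind the advisory describes is copying the incoming bytes into user[]
 * or pass[] (e.g. with strcpy) without first checking their length. */
int parse_credential(const char *input, size_t input_len, struct credential *out)
{
    if (input == NULL || out == NULL)
        return -1;

    const char *sep = memchr(input, ':', input_len);
    if (sep == NULL)
        return -1;                        /* no separator: malformed */

    size_t user_len = (size_t)(sep - input);
    size_t pass_len = input_len - user_len - 1;

    /* Bounds check BEFORE any copy; keep room for the NUL terminator. */
    if (user_len == 0 || user_len >= MAX_USER || pass_len >= MAX_PASS)
        return -1;

    memcpy(out->user, input, user_len);
    out->user[user_len] = '\0';
    memcpy(out->pass, sep + 1, pass_len);
    out->pass[pass_len] = '\0';
    return 0;
}

/* Convenience wrapper for NUL-terminated strings. */
int parse_credential_str(const char *input, struct credential *out)
{
    return parse_credential(input, strlen(input), out);
}

/* Builds a constructed credential whose password (100 bytes) exceeds
 * MAX_PASS and reports whether the parser rejects it: 1 = rejected. */
int rejects_overlong_password(void)
{
    char buf[128];
    struct credential c;
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    memcpy(buf, "bob:", 4);               /* "bob:" + 123 'A's */
    return parse_credential_str(buf, &c) == -1;
}

int main(void)
{
    struct credential c;
    /* Constructed sample input. */
    if (parse_credential_str("alice:s3cret", &c) == 0)
        printf("user=%s pass=%s\n", c.user, c.pass);
    printf("overlong password rejected: %d\n", rejects_overlong_password());
    return 0;
}
```

        Rejecting the request when a field exceeds its buffer, rather than
        truncating it, is the safer default for an authentication path:
        truncation can silently change which credential is checked.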


MITIGATION

        Users should upgrade to version 14.3.x. [1]


REFERENCES

        [1] RealNetworks is making available product upgrades that contain
            security bug fixes
            http://helixproducts.real.com/docs/security/SecurityUpdate04022012HS.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----