===========================================================================
                       AUSCERT Security Bulletin

                             ASB-2012.0056
               RealNetworks Helix Server Security Fixes
                             12 April 2012
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              RealNetworks Helix Server
                      RealNetworks Helix Mobile Server
Operating System:     Red Hat
                      Solaris
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account
                      Access Privileged Data          -- Existing Account
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-1985 CVE-2012-1984 CVE-2012-1923 CVE-2012-0942
Member content until: Saturday, May 12 2012

OVERVIEW

        Multiple vulnerabilities have been fixed in Helix Server and
        Helix Mobile Server version 14.3.x.

IMPACT

        RealNetworks has provided the following information:

        "CVE-2012-1923 ... multiple vulnerabilities in RealNetworks Helix
        Server, which can be exploited by malicious, local users to
        disclose sensitive information and by malicious people to cause
        a DoS (Denial of Service)."

        "CVE-2012-0942: RealNetworks Helix Server rn5auth Credential
        Parsing Remote Code Execution Vulnerability. A bug exists in the
        code which parses authentication credentials and allows for a
        buffer overflow."

        "CVE-2012-1984 ... vulnerable to multiple cross site scripting
        vulnerabilities."

        "CVE-2012-1985 ... contains a flaw where a malformed URL can cause
        the server process to crash. ...an attacker would have to leverage
        a cross-site request forgery (csrf) attack in order to trick the
        administrator into loading the malformed URL." [1]

MITIGATION

        Users should upgrade to version 14.3.x. [1]

REFERENCES

        [1] RealNetworks is making available product upgrades that
            contain security bug fixes
            http://helixproducts.real.com/docs/security/SecurityUpdate04022012HS.pdf

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================