CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile: 97.9%
Wyse Device Manager (WDM) Server and HAgent contain several vulnerabilities. An attacker with network access to WDM components could execute arbitrary code on vulnerable systems.
Wyse Device Manager (WDM, formerly known as Wyse Rapport) manages thin clients. Part of the server component (HServer) is implemented as an ISAPI filter on the Microsoft Windows Internet Information Server (IIS) platform. The client component (HAgent) runs as a service on Microsoft Windows systems.
WDM components contain several vulnerabilities:
- HServer (hserver.dll) User-Agent header stack buffer overflow and HAgent (hagent.exe) heap overflow (both overflows are CVE-2009-0693)
An attacker with network access to WDM components could execute arbitrary code on a vulnerable system. The attacker could also execute unauthenticated management commands on a system running HAgent.
Please see Wyse Security Bulletin WSB09-01.
Enable HTTPS
Enabling HTTPS provides authentication between HServer and HAgent nodes: it authenticates communication from an HServer host to an HAgent host. Depending on key distribution and PKI architecture, HTTPS should prevent an unauthenticated attacker from running management commands on an HAgent host.
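One way to watch for attempts against the HServer User-Agent overflow described above is to scan IIS W3C logs for requests to hserver.dll that carry an unusually long User-Agent. This is an added example, not part of the original note or of Wyse's guidance; the 256-character threshold, the URL paths and the sample log lines are assumptions constructed for illustration.

```python
"""Scan IIS W3C logs for hserver.dll requests with an oversized User-Agent."""

UA_LIMIT = 256  # assumed threshold; set it above the longest legitimate agent string

# Constructed sample log, not real traffic. IIS writes spaces inside values as '+'.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services",
    "#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) sc-status",
    "2009-07-10 08:01:12 192.0.2.21 POST /hserver.dll Example+Agent/1.0 200",
    "2009-07-10 08:01:40 192.0.2.99 POST /HServer.dll " + "A" * 900 + " 500",
    "2009-07-10 08:02:03 192.0.2.99 GET /default.htm " + "B" * 900 + " 200",
    "#Fields: date time cs-uri-stem c-ip cs(User-Agent) sc-status",
    "2009-07-10 09:15:00 /example/hserver.dll 192.0.2.50 " + "C" * 300 + " 200",
    "2009-07-10 09:15:02 /hserver.dll truncated-entry",
])


def find_oversized_agents(lines, target="hserver.dll", limit=UA_LIMIT):
    """Return (line_no, client_ip, agent_length) for each suspicious request."""
    fields, hits = [], []
    for line_no, line in enumerate(lines, start=1):
        line = line.strip()
        if line.startswith("#Fields:"):
            # The column layout can change mid-file when logging is reconfigured.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry: skip rather than misalign columns
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower()
        agent = row.get("cs(User-Agent)", "-")
        # IIS URLs are case-insensitive, so compare the lowered file name.
        if stem.endswith("/" + target) and len(agent) > limit:
            hits.append((line_no, row.get("c-ip", "-"), len(agent)))
    return hits


if __name__ == "__main__":
    for line_no, client, length in find_oversized_agents(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {client} sent a {length}-character User-Agent to HServer")
```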
654545
Notified: July 04, 2009 Updated: July 23, 2009
Affected
We have not received a statement from the vendor.
Please see Wyse Security Bulletin WSB09-01.
These vulnerabilities were analyzed and reported by Kevin Finisterre of Netragard/SNOsoft.
This document was written by Art Manion.
CVE IDs: | CVE-2009-0693, CVE-2009-0695 |
---|---|
Severity Metric: | 13.51 |
Date Public: | |