{"vuid":"VU#654545","idnumber":"654545","name":"Wyse Device Manager (WDM) HServer and HAgent contain multiple vulnerabilities","keywords":["wyse","wdm","hagent","tftp32d","tftp","rapport"],"overview":"Wyse Device Manager (WDM) Server and HAgent contain several vulnerabilities. An attacker with network access to WDM components could execute arbitrary code on vulnerable systems.","clean_desc":"Wyse Device Manager (WDM, formerly known as Wyse Rapport) manages thin clients. Part of the server component (HServer) is implemented as an ISAPI filter on the Microsoft Windows Internet Information Server (IIS) platform. The client component (HAgent) runs as a service on Microsoft Windows systems. WDM components contain several vulnerabilities: HServer (hserver.dll) User-Agent header stack buffer overflow and\nHAgent (hagent.exe) heap overflow (both overflows are CVE-2009-0693)\nHAgent does not authenticate commands (CVE-2009-0695)\nThe first two issues are implementation defects. The third issue is caused by the lack of adequate cryptographic authentication and authorization.","impact":"An attacker with network access to WDM components could execute arbitrary code on a vulnerable system. The attacker could also execute unauthenticated management commands on a system running HAgent.","resolution":"Please see Wyse Security Bulletin WSB09-01.","workarounds":"Enable HTTPS Enabling HTTPS provides authentication between Hserver and HAgent nodes. HTTPS authenticates communication from an HServer host to an HAgent host. Depending on key distribution and PKI architecture, HTTPS should prevent an unauthenticated attacker from running management commands on an HAgent host.","sysaffected":"","thanks":"These vulnerabilities were analyzed and reported by Kevin Finisterre of Netragard/SNOsoft.","author":"This document was written by Art Manion.","public":["http://osvdb.org/show/osvdb/55808","http://www.wyse.com/serviceandsupport/support/WSB09-01.zip","http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf","http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/","http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0101.html"],"cveids":["CVE-2009-0693","CVE-2009-0695"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2009-05-20T22:11:24Z","publicdate":"2009-07-10T00:00:00Z","datefirstpublished":"2009-10-13T22:03:03Z","dateupdated":"2009-10-16T04:27:42Z","revision":24,"vrda_d1_directreport":"1","vrda_d1_population":"1","vrda_d1_impact":"4","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"7","cam_population":"10","cam_impact":"18","cam_easeofexploitation":"13","cam_attackeraccessrequired":"14","cam_scorecurrent":"13.5135","cam_scorecurrentwidelyknown":"16.58475","cam_scorecurrentwidelyknownexploited":"28.86975","ipprotocol":"tcp","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":13.5135,"vulnote":null}