{"vuid":"VU#976484","idnumber":"976484","name":"RealFlex RealWin buffer overflow","keywords":["DATAC","RealWin","RealFlex FC_INFOTAG/SET_CONTROL packets","SCADA","DCIL"],"overview":"RealFlex RealWin demo version contains a vulnerability in the way \"FC_INFOTAG/SET_CONTROL\" packets are processed.","clean_desc":"RealFlex RealWin is SCADA server software that includes a Human Machine Interface (HMI) component and runs on Microsoft Windows 2000 or XP. The demo version of RealWin contains a stack overflow in the way malicious \"FC_INFOTAG/SET_CONTROL\" packets are processed. According to Reversemode: The bug is a classic stack overflow while processing a specially crafted FC_INFOTAG/SET_CONTROL packet. RealWin server accepts connections from FlewWin clients which use a proprietary protocol. We can exploit this flaw from remote without having valid credentials. Note that the non-demo version of RealWin has encryption protocol methods in place which calculate length of transmitted/received packets, preventing this buffer overflow.","impact":"This vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service.","resolution":"Update\nRealFlex has made a fixed version of the demo software available to address this issue. See http://www.realflex.com/download/form.php for more information.","workarounds":"Restrict Access\nRestrict network access to hosts that require connections to the demo version of RealWin. Do not allow access to RealWin from untrusted networks such as the internet.","sysaffected":"It appears that RealFlex (including RealWin and other produ","thanks":"This issue was reported by Ruben Santamarta of \nReversemode","author":"This document was written by Chris Taschner.","public":["http://secunia.com/advisories/32055/","http://www.realflex.com/products/realwin/realwin.php","http://www.dataconline.com/software/realwin.php","http://www.dataconline.com/profile/profile.php","http://www.realflex.com/profile/history.php","http://reversemode.com/index.php?option=com_content&task=view&id=55&Itemid=1"],"cveids":["CVE-2008-4322"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2008-09-26T17:21:49Z","publicdate":"2008-09-26T00:00:00Z","datefirstpublished":"2008-12-02T16:43:47Z","dateupdated":"2009-01-13T15:57:24Z","revision":16,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"3","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"7","cam_population":"1","cam_impact":"20","cam_easeofexploitation":"15","cam_attackeraccessrequired":"20","cam_scorecurrent":"2.475","cam_scorecurrentwidelyknown":"3.0375","cam_scorecurrentwidelyknownexploited":"5.2875","ipprotocol":"","cvss_accessvector":"--","cvss_accesscomplexity":"--","cvss_authentication":null,"cvss_confidentialityimpact":"--","cvss_integrityimpact":"--","cvss_availabilityimpact":"--","cvss_exploitablity":null,"cvss_remediationlevel":"Not Defined (ND)","cvss_reportconfidence":"Not Defined (ND)","cvss_collateraldamagepotential":"Not Defined (ND)","cvss_targetdistribution":"Not Defined (ND)","cvss_securityrequirementscr":"Not Defined (ND)","cvss_securityrequirementsir":"Not Defined (ND)","cvss_securityrequirementsar":"Not Defined (ND)","cvss_basescore":"0","cvss_basevector":"AV:--/AC:--/Au:--/C:--/I:--/A:--","cvss_temporalscore":"0","cvss_environmentalscore":"0","cvss_environmentalvector":"CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND)","metric":2.475,"vulnote":null}