[KB1076]Security bulletin 2020-1

Tags: Security

By BL
Overview:

ARC Informatique is aware of security vulnerabilities affecting PcVue.

The affected component is the interface between the Web & Mobile back end and the web services hosted in Microsoft IIS. The vulnerabilities are Remote Code Execution, Denial of Service and information exposure.

We have been working in coordination with the security researchers who reported these vulnerabilities.

This bulletin describes the immediate security measures to prevent the malicious exploitation of these vulnerabilities. We strongly recommend that users of the affected products apply these measures.

[Rev E] Following the initial fixes released in October 2020, additional tests have uncovered more ways to exploit similar Remote Code Execution vulnerabilities.

Affected products and components:

Component: Property Server
Product: PcVue, from version 8.10 onward
Fixed in: PcVue 12.0.17; PcVue 11.2.06097
[Rev E] Additional fix in: PcVue 15.1.2; PcVue 12.0.23; PcVue 11.2.06100
Description: A Remote Code Execution vulnerability exists due to the unsafe deserialization of messages received on the interface. Related to CVE-2014-1806 (the .NET Remoting TypeFilterLevel issue in Microsoft .NET Framework, MS14-026).

Component: Property Server
Product: PcVue, from version 12 Initial Release (12.0.7) onward
Fixed in: PcVue 12.0.17
Description: A Denial of Service vulnerability exists because a non-authorized user can modify the information used to validate messages sent by legitimate web clients.

Component: Property Server
Product: PcVue, from version 12 Initial Release (12.0.7) onward
Fixed in: PcVue 12.0.17
Description: An information exposure vulnerability exists that allows a non-authorized user to access the session data of legitimate users.
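As an added practitioner check, not part of this bulletin or of ARC Informatique's own tooling, the following Python script classifies an installed PcVue version against the fix levels listed above, so an inventory of PcVue hosts can be triaged quickly. The version thresholds are taken from the table; everything else is an assumption made for the example: a fix is assumed to cover only its own release branch (11.2.x, 12.0.x, 15.1.x), branches the bulletin lists no fix level for (8.10 up to 11.1, and 12.1 up to 15.0) are reported as "unlisted_branch" rather than fixed, and the host inventory is constructed.

```python
"""Classify PcVue versions against the fix levels in Security bulletin 2020-1 (KB1076).

Added example, not ARC Informatique's code. Version thresholds come from the bulletin
table; the one-fix-per-branch model and the "unlisted_branch" status are assumptions.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'11.2.06097' -> (11, 2, 6097). Integer parts so zero-padded builds order correctly."""
    return tuple(int(part) for part in text.strip().split("."))


# Thresholds taken from the bulletin.
RCE_AFFECTED_FROM = parse_version("8.10")
DOS_INFO_AFFECTED_FROM = parse_version("12.0.7")   # 12 Initial Release
DOS_INFO_FIXED = parse_version("12.0.17")

# Per release branch: (initial RCE fix, [Rev E] additional RCE fix).
# Assumption: a fix listed for branch X.Y only covers X.Y builds.
RCE_FIXES: Dict[Version, Tuple[Optional[Version], Version]] = {
    (11, 2): (parse_version("11.2.06097"), parse_version("11.2.06100")),
    (12, 0): (parse_version("12.0.17"), parse_version("12.0.23")),
    (15, 1): (None, parse_version("15.1.2")),  # only the Rev E fix is listed for 15.1
}


def rce_status(v: Version) -> str:
    """Status for the deserialization Remote Code Execution issue."""
    if v < RCE_AFFECTED_FROM:
        return "not_affected"
    fixes = RCE_FIXES.get(v[:2])
    if fixes is None:
        # Version is in the affected range but no fix level is listed for its branch:
        # treat as open and confirm with the vendor (assumption).
        return "unlisted_branch"
    initial, rev_e = fixes
    if initial is not None and v < initial:
        return "affected"          # original October 2020 variants still open
    if v < rev_e:
        return "affected_rev_e"    # initial fix present, Rev E variants still open
    return "fixed"


def dos_info_status(v: Version) -> str:
    """Status for the DoS and information exposure issues (same version range)."""
    if v < DOS_INFO_AFFECTED_FROM:
        return "not_affected"
    if v < DOS_INFO_FIXED:
        return "affected"
    return "fixed"


def assess(version_text: str) -> Dict[str, str]:
    """Per-issue status for one installed version string."""
    v = parse_version(version_text)
    dos_info = dos_info_status(v)
    return {"rce": rce_status(v), "dos": dos_info, "info_exposure": dos_info}


def needs_action(version_text: str) -> bool:
    """True unless every issue is either fixed or not applicable to this version."""
    return any(s not in ("fixed", "not_affected") for s in assess(version_text).values())


if __name__ == "__main__":
    # Constructed inventory: host name and installed PcVue version (not real hosts).
    inventory = [("scada-01", "11.2.06099"), ("scada-02", "12.0.7"), ("scada-03", "12.0.23"),
                 ("hmi-04", "15.1.1"), ("legacy-05", "8.0"), ("web-06", "13.0.1")]
    for host, ver in inventory:
        flag = "ACTION" if needs_action(ver) else "ok"
        print(f"{host:10} {ver:12} {flag:7} {assess(ver)}")
```

Note that a host on 12.0.17 is reported as "affected_rev_e": it has the October 2020 fix but not the 12.0.23 fix added in revision E, which is exactly the case this bulletin's later revisions are warning about.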

Last update: August 2nd, 2021

Created on: 05 Oct 2020 Last update: 30 May 2024