CVE-2016-1606 Information

Feb 14, 2021 cve

Description

Multiple stack-based buffer overflows in COM objects in Micro Focus Rumba 9.4.x before 9.4 HF 13960 allow remote attackers to execute arbitrary code via (1) the NetworkName property value to ObjectXSNAConfig.ObjectXSNAConfig in iconfig.dll (2) the CPName property value to ObjectXSNAConfig.ObjectXSNAConfig in iconfig.dll (3) the PrinterName property value to ProfileEditor.PrintPasteControl in ProfEdit.dll (4) the Data argument to the WriteRecords function in FTXBIFFLib.AS400FtxBIFF in FtxBIFF.dll (5) the Serialized property value to NMSECCOMPARAMSLib.SSL3 in NMSecComParams.dll (6) the UserName property value to NMSECCOMPARAMSLib.FirewallProxy in NMSecComParams.dll (7) the LUName property value to ProfileEditor.MFSNAControl in ProfEdit.dll (8) the newVal argument to the Load function in FTPSFTPLib.SFtpSession in FTPSFtp.dll or (9) a long Host field in the FTP Client.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28601.rumba-9-4-stack-buffer-overflow-vulnerabilities.aspx http://www.securityfocus.com/bid/91548 http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5327.php https://cxsecurity.com/issue/WLB-2016050136

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8

Share on: