Ericom Security Advisories ERM-2014-610

Ericom Access Server Patch for Stack Buffer Overflow Vulnerability

Ericom Security Advisory
ID: ERM-2014-610
Issue Date: 2014-06-02
Updated On: 2014-06-10
CVE Numbers: CVE-2014-3913

Summary

Access Server (a.k.a. Ericom AccessNow Server or Ericom Blaze Server) patch to fix a vulnerability that allows remote attackers to execute arbitrary code on vulnerable installations of Ericom Access Server.

Affected Versions

All versions of Blaze Server and Access Server

  • 1.x
  • 2.x
  • 3.x

Description

The vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Ericom Access Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the way AccessServer32.exe handles requests for non-existent files. AccessServer32.exe performs insufficient bounds checking on user-supplied data which results in stack corruption. An attacker can exploit this condition to achieve remote code execution as SYSTEM.
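The advisory gives no detail of the request format or the affected buffer, so the following is a constructed illustration of the bug class it names, not Ericom's code: a path taken from a request for a missing file is copied into a fixed-size stack buffer without a length check (the vulnerable pattern), next to a version that validates the length first and reports an oversized path as an error. The function names, the 64-byte buffer and the reply text are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed example, NOT Ericom's code. The request format, buffer
 * size and names are assumptions chosen to show the bug class in the
 * advisory: user-supplied data for a missing-file reply copied into a
 * fixed-size stack buffer with insufficient bounds checking. */

#define REPLY_BUF 64   /* assumed fixed-size stack buffer */
#define REPLY_PREFIX "File not found: "   /* 16 bytes before the path */

/* Vulnerable pattern: strcpy/strcat into a stack buffer with no check of
 * the path length. A path longer than the remaining space overwrites
 * adjacent stack data (saved registers, return address), which is the
 * "stack corruption" the advisory describes. Kept only for comparison;
 * never feed it untrusted input. */
int build_not_found_reply_unchecked(const char *requested_path)
{
    char reply[REPLY_BUF];
    strcpy(reply, REPLY_PREFIX);
    strcat(reply, requested_path);        /* no bounds check */
    return (int)strlen(reply);
}

/* Reports whether the unchecked version would overflow for this path,
 * computed from lengths alone so the property can be tested safely. */
bool unchecked_would_overflow(const char *requested_path)
{
    return strlen(REPLY_PREFIX) + strlen(requested_path) + 1 > REPLY_BUF;
}

/* Hardened version: output is bounded with snprintf, truncation is
 * detected from its return value and reported to the caller as an error
 * instead of silently overwriting the stack. Returns 0 on success and
 * -1 when the path does not fit in the reply or the caller's buffer. */
int build_not_found_reply_checked(const char *requested_path,
                                  char *out, size_t out_len)
{
    char reply[REPLY_BUF];
    int n = snprintf(reply, sizeof reply, REPLY_PREFIX "%s", requested_path);
    if (n < 0 || (size_t)n >= sizeof reply)
        return -1;                     /* would have been truncated: reject */
    if ((size_t)n >= out_len)
        return -1;                     /* caller's buffer too small */
    memcpy(out, reply, (size_t)n + 1);
    return 0;
}

int main(void)
{
    /* constructed sample requests */
    const char *short_path = "/index.html";
    const char *long_path  = "/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
    char out[128];

    printf("unchecked copy of short path overflows: %d\n", unchecked_would_overflow(short_path));
    printf("unchecked copy of long path overflows:  %d\n", unchecked_would_overflow(long_path));
    if (build_not_found_reply_checked(short_path, out, sizeof out) == 0)
        printf("checked: %s\n", out);
    printf("checked long path rejected: %d\n",
           build_not_found_reply_checked(long_path, out, sizeof out) == -1);
    return 0;
}
```

The point of the hardened version is that the length decision is made before any byte is written and the failure is surfaced to the caller; the detection heuristic a defender can apply to similar code is any copy into a fixed-size local buffer whose length depends on request data.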

Ericom would like to thank Anonymous working with HP's Zero Day Initiative for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3913 to this issue.

Solution

Ericom has released a patch to fix the security flaw that had left Access Server vulnerable to exploit.

The new version is numbered: 3.3.1.4095

All PowerTerm WebConnect, Ericom Blaze and AccessNow customers are encouraged to download and install the new Access Server version.

The new version can be downloaded at:
http://www.ericom.com/download
or
http://www.ericom.com/update.asp

FAQs

How can I tell what version of Access Server I am using?

Launch the Ericom Access Server Configuration and click the About button to see the version of Access Server that you have installed.
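Once the version is read from the About dialog it has to be compared against the patched build 3.3.1.4095 named above. The following added helper (not part of the advisory or of Ericom's software) parses a dotted version string and decides whether it is at or above that build; the sample version strings are constructed, and a missing trailing component is treated as 0, so "3.3.1" counts as older than the patch.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed helper, not Ericom's code: compares an Access Server
 * version string against the patched build 3.3.1.4095 from the advisory. */

#define VERSION_PARTS 4
static const unsigned PATCHED_VERSION[VERSION_PARTS] = {3, 3, 1, 4095};

/* Parses up to four dot-separated numeric components into parts[].
 * Missing trailing components become 0. Returns false for an empty
 * string, non-digit characters, a trailing dot or more than 4 parts. */
bool parse_version(const char *s, unsigned parts[VERSION_PARTS])
{
    for (int i = 0; i < VERSION_PARTS; i++) parts[i] = 0;
    if (!*s) return false;
    int i = 0;
    const char *p = s;
    while (*p && i < VERSION_PARTS) {
        if (*p < '0' || *p > '9') return false;  /* component must start with a digit */
        unsigned v = 0;
        while (*p >= '0' && *p <= '9') {
            v = v * 10 + (unsigned)(*p - '0');
            p++;
        }
        parts[i++] = v;
        if (*p == '.') {
            p++;
            if (!*p) return false;               /* trailing dot is malformed */
        } else if (*p) {
            return false;                        /* junk after a component */
        }
    }
    return *p == '\0';                           /* a fifth component is rejected */
}

/* Negative: older than the patch, 0: equal, positive: newer. */
int compare_to_patched(const unsigned parts[VERSION_PARTS])
{
    for (int i = 0; i < VERSION_PARTS; i++) {
        if (parts[i] < PATCHED_VERSION[i]) return -1;
        if (parts[i] > PATCHED_VERSION[i]) return 1;
    }
    return 0;
}

/* True if the installed version is at or above 3.3.1.4095. Strings that
 * do not parse are reported as NOT patched, so the check fails closed. */
bool is_patched(const char *installed)
{
    unsigned parts[VERSION_PARTS];
    if (!parse_version(installed, parts)) return false;
    return compare_to_patched(parts) >= 0;
}

int main(void)
{
    /* constructed sample version strings as they might appear in the About dialog */
    const char *samples[] = {"3.3.1.4095", "3.3.1.4000", "3.3.2.1", "2.5.0.100", "3.3.1", "abc"};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i], is_patched(samples[i]) ? "patched" : "NOT patched");
    return 0;
}
```

Failing closed on unparseable input matters when the check is run over many hosts: an unreadable version is a host to look at, not one to mark as fixed.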

Do I need to upgrade the AccessNow webpages as well?

The vulnerability is server-side only and no changes have been made to the webpages; you will, however, need to ensure that you are running version 3 webpages. It is generally good practice to upgrade the webpages in any event when upgrading the Access Server.

Is this server compatible with the older Blaze clients?

Access Server version 3.x is not compatible with older (v 2.x, 1.x) versions of the Blaze client software.

I am using WebConnect. How do I upgrade the Access Server?

You will need to upgrade the Access Server on each host server. The answer above for the AccessNow web pages applies as well; these pages are located under the WebConnect folder on your WebConnect server. WebConnect customers can download the new Access Server version from: ericom.com/download