Potential Buffer Overrun Vulnerabilities in Helix Universal Server 9.0
Updated December 19, 2002
Versions of the Helix Universal Server 9.0 contain three potential buffer overrun vulnerabilities that occur when:
- A flood of invalid data is forwarded to the Server via the RTSP SETUP transport header
- An invalid and very long URL is read from the Server's registry via a custom logging template
- Two invalid HTTP GET requests containing very large paths simultaneously arrive on two connections
The only RealNetworks Server product impacted by these potential security vulnerabilities is the Helix Universal Server version 9.0 (version 220.127.116.118). The Helix Universal Proxy and prior RealSystem Server and Proxy software are not affected.
- Helix Universal Server 9.0
Although, at the time of this update, RealNetworks has received no reports that these vulnerabilities have been exploited in the field, we have made a security update available to all current Server customers.
Upgrade to Helix Universal Server 9.01 (18.104.22.1684).
On December 19, 2002 RealNetworks publicly released new Server installation binaries that contain remedies to all of the identified potential buffer overrun vulnerabilities. Server 9.0 customers are encouraged to upgrade to the 9.01 version of the Helix Universal Server for protection against these vulnerabilities. This upgrade requires a new installation. To perform the upgrade, download the self-extracting installation binary and follow the prompts. Any previously provided and current (non-expired) 9.0x product license will enable this upgrade.
All actively supported Helix Universal Server platforms are available:
Platform and configuration support details are available at http://www.realnetworks.com/resources/contentdelivery/server/recommended_platforms.html.
These vulnerabilities were identified and reported to RealNetworks by Mark Litchfield, NGS Software Ltd.
While RealNetworks endeavors to provide you with the highest quality products and services, we cannot guarantee and do not warrant that the operation of any RealNetworks product will be error-free, uninterrupted or secure. See your original license agreement for details of our limited warranty or warranty disclaimer.