Siemens Information for VU#922681

Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

From SSA-963338:

      Siemens OZW and OZS products use the UPnP network protocol for supporting specific localization functions. The 3rd party library libupnp [1] used for this protocol is vulnerable to multiple stack-based buffer overflows, as reported by CERT-CC [2]. These vulnerabilities allow DoS attacks and possibly remote code execution if the affected network ports are reachable by an attacker. Siemens plans to provide official permanent fixes with upcoming firmware updates and product replacements, and describes a temporary workaround below.

The full advisory can be found at the URL below.

Vendor References

http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-963338.pdf

Addendum

There are no additional comments at this time.
