
CERT Coordination Center

AT&T Connect Participant Application for Windows v9.5.35 contains a stack-based buffer overflow vulnerability

Vulnerability Note VU#346278

Original Release Date: 2013-12-03 | Last Revised: 2013-12-03

Overview

AT&T Connect Participant Application for Windows v9.5.35 and possibly earlier versions contain a stack-based buffer overflow (CWE-121) vulnerability.

Description

CWE-121: Stack-based Buffer Overflow

AT&T Connect Participant Application for Windows v9.5.35 and possibly earlier versions contain a stack-based buffer overflow vulnerability. AT&T Connect lets a user join a web conference through a web browser. When the user joins a conference, AT&T supplies an .SVT file for the user to open; opening that file with the Participant Application joins the user to the conference.

An attacker who can get a victim to open a malformed .SVT file may be able to run arbitrary code in the context of the logged-in user.
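The weakness class named above (CWE-121), shown as an added example: this is not AT&T's code, and the .SVT format is not documented in this note, so the record layout, the buffer size NAME_MAX and every function name below are assumptions made for the illustration. The vulnerable parser guards the read from the input record but not the write into its fixed-size stack buffer, which is the pattern a malformed file exploits; the hardened version rejects any field the buffer cannot hold before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, assumed for this example only (the real
 * .SVT layout is not described in the vulnerability note):
 *   byte 0     : N, the length of the field that follows
 *   bytes 1..N : field bytes (say, a conference name)
 */

#define NAME_MAX 16   /* stack buffer size, including the terminating NUL */

/* Vulnerable (CWE-121): the only bounds check covers the input record,
 * not the local stack buffer. Any N >= NAME_MAX writes past 'name' into
 * adjacent stack data such as the saved return address. */
int parse_name_vulnerable(const uint8_t *rec, size_t rec_len,
                          char *out, size_t out_len)
{
    char name[NAME_MAX];
    if (rec_len < 1)
        return -1;
    size_t n = rec[0];                 /* attacker-controlled length */
    if (rec_len < 1 + n)               /* guards the read from 'rec' only */
        return -1;
    memcpy(name, rec + 1, n);          /* stack overflow when n >= NAME_MAX */
    name[n] = '\0';                    /* one more out-of-bounds write */
    snprintf(out, out_len, "%s", name);
    return (int)n;
}

/* Hardened: refuse any length the stack buffer cannot hold, before the
 * copy. Rejecting (rather than silently truncating) keeps a malformed
 * file from being half-parsed into an unexpected state. */
int parse_name_safe(const uint8_t *rec, size_t rec_len,
                    char *out, size_t out_len)
{
    char name[NAME_MAX];
    if (rec_len < 1)
        return -1;
    size_t n = rec[0];
    if (rec_len < 1 + n)
        return -1;
    if (n >= sizeof name)              /* leave room for the NUL */
        return -1;
    memcpy(name, rec + 1, n);
    name[n] = '\0';
    snprintf(out, out_len, "%s", name);
    return (int)n;
}

/* Constructed inputs for the demonstration. */
const uint8_t GOOD_RECORD[] = { 5, 'A', 'B', 'C', 'D', 'E' };

/* Builds a record whose 255-byte field passes the record-length check
 * but is far larger than the 16-byte stack buffer. Returns record size. */
int build_bad_record(uint8_t *buf, size_t buf_len)
{
    if (buf_len < 256)
        return -1;
    buf[0] = 255;
    memset(buf + 1, 'A', 255);
    return 256;
}

/* Wrappers that run one case each and return the parser's verdict. */
int check_good_record_safe(void)
{
    char out[64];
    int n = parse_name_safe(GOOD_RECORD, sizeof GOOD_RECORD, out, sizeof out);
    return (n == 5 && strcmp(out, "ABCDE") == 0) ? n : -99;
}

int check_good_record_vulnerable(void)
{
    char out[64];
    int n = parse_name_vulnerable(GOOD_RECORD, sizeof GOOD_RECORD, out, sizeof out);
    return (n == 5 && strcmp(out, "ABCDE") == 0) ? n : -99;
}

int check_bad_record_safe(void)
{
    char out[64];
    uint8_t bad[256];
    int len = build_bad_record(bad, sizeof bad);
    return parse_name_safe(bad, (size_t)len, out, sizeof out);
}

int main(void)
{
    printf("well-formed record, safe parser      : %d\n", check_good_record_safe());
    printf("well-formed record, vulnerable parser: %d\n", check_good_record_vulnerable());
    printf("malformed record, safe parser        : %d\n", check_bad_record_safe());
    /* parse_name_vulnerable() on the malformed record would smash the
     * stack (undefined behaviour), so it is deliberately not called. */
    return 0;
}
```

Both parsers accept the well-formed record; only the hardened one rejects the oversized field. Compiling the vulnerable function with -fsanitize=address and feeding it the malformed record reports the stack-buffer-overflow directly, which is the quickest way to confirm the defect in a parser of this shape.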

Impact

A remote, unauthenticated attacker who is able to convince a user to open a malicious .SVT file may be able to obtain sensitive information, cause a denial-of-service condition, or execute arbitrary code with the privileges of the application (that is, of the logged-in user).

Solution

Apply an Update

AT&T has released Connect Participant Application for Windows v9.5.51 to address this vulnerability. Affected users are advised to upgrade.

Vendor Information


AT&T

Notified:  September 12, 2013 Updated:  November 04, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 8.3 AV:N/AC:M/Au:N/C:P/I:P/A:C
Temporal 6.5 E:POC/RL:OF/RC:C
Environmental 1.6 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Christopher Gabriel of Telos Corporation for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

CVE IDs: CVE-2013-6029
Date Public: 2013-11-12
Date First Published: 2013-12-03
Date Last Updated: 2013-12-03 19:19 UTC
Document Revision: 30

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.