Vulnerability Note VU#654545

Wyse Device Manager (WDM) HServer and HAgent contain multiple vulnerabilities

Original Release date: 13 Oct 2009 | Last revised: 16 Oct 2009


Wyse Device Manager (WDM) Server and HAgent contain several vulnerabilities. An attacker with network access to WDM components could execute arbitrary code on vulnerable systems.


Wyse Device Manager (WDM, formerly known as Wyse Rapport) manages thin clients. Part of the server component (HServer) is implemented as an ISAPI filter on the Microsoft Windows Internet Information Server (IIS) platform. The client component (HAgent) runs as a service on Microsoft Windows systems.

WDM components contain several vulnerabilities:

  1. HServer (hserver.dll) User-Agent header stack buffer overflow and
  2. HAgent (hagent.exe) heap overflow (both overflows are CVE-2009-0693)
  3. HAgent does not authenticate commands (CVE-2009-0695)
The first two issues are implementation defects. The third issue is caused by the lack of adequate cryptographic authentication and authorization.


An attacker with network access to WDM components could execute arbitrary code on a vulnerable system. The attacker could also execute unauthenticated management commands on a system running HAgent.


Please see Wyse Security Bulletin WSB09-01.

Enable HTTPS

Enabling HTTPS provides authentication between Hserver and HAgent nodes. HTTPS authenticates communication from an HServer host to an HAgent host. Depending on key distribution and PKI architecture, HTTPS should prevent an unauthenticated attacker from running management commands on an HAgent host.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
WyseAffected04 Jul 200923 Jul 2009
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



These vulnerabilities were analyzed and reported by Kevin Finisterre of Netragard/SNOsoft.

This document was written by Art Manion.

Other Information

  • CVE IDs: CVE-2009-0693 CVE-2009-0695
  • Date Public: 10 Jul 2009
  • Date First Published: 13 Oct 2009
  • Date Last Updated: 16 Oct 2009
  • Severity Metric: 13.51
  • Document Revision: 23


If you have feedback, comments, or additional information about this vulnerability, please send us email.