PROBLEM:
Attachmate Reflection Buffer Overflow in FTP Client Lets Remote Servers Execute Arbitrary Code.
PLATFORM:
14.1.1173 and prior versions
The following product versions are affected:
Reflection for HP version 14.x
Reflection for UNIX and OpenVMS version 14.x
Reflection for ReGIS Graphics version 14.x
Reflection for IBM version 14.x
Reflection X version 14.x
ABSTRACT:
A remote server can execute arbitrary code on the connected target system.
REFERENCE LINKS:
Security Updates and Reflection
Attachmate Support Lifecycle
Attachmate Downloads
SecurityTracker Alert ID: 1026340
IMPACT ASSESSMENT:
Medium
DISCUSSION:
A vulnerability was reported in Attachmate Reflection. A remote user can execute arbitrary code on the target system. A remote server can return a specially crafted directory name in response to an FTP LIST command to trigger a heap overflow and execute arbitrary code on the connected target client. The code will run with the privileges of the target client.
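The advisory does not describe the vulnerable code. The following is an added illustration, not Attachmate's code, of the length check an FTP client needs before copying a server-supplied name from a LIST response into a fixed-size buffer. The Unix-style line layout, the NAME_MAX_LEN limit and the function name list_entry_name are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 255 /* assumed client limit; not a value from the advisory */

/* Copy the name field of one Unix-style LIST line into out[out_size].
 * Returns 0 on success, -1 if the line is malformed, -2 if the name is
 * too long for the limit or the buffer (the entry is rejected, not truncated). */
int list_entry_name(const char *line, char *out, size_t out_size)
{
    const char *p = line;
    size_t len;
    int col;

    if (line == NULL || out == NULL || out_size == 0)
        return -1;
    /* Skip eight columns: mode, links, owner, group, size, month, day, time/year. */
    for (col = 0; col < 8; col++) {
        p += strspn(p, " \t");
        if (*p == '\0' || *p == '\r' || *p == '\n')
            return -1;
        p += strcspn(p, " \t\r\n");
    }
    p += strspn(p, " \t");
    len = strcspn(p, "\r\n");   /* length is controlled by the server */
    if (len == 0)
        return -1;
    if (len > NAME_MAX_LEN || len >= out_size)
        return -2;              /* bounds check happens before any copy */
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    char name[NAME_MAX_LEN + 1];
    char line[512] = "drwxr-xr-x 2 ftp ftp 4096 Nov 21 2011 ";
    size_t n = strlen(line);

    printf("%d\n", list_entry_name("drwxr-xr-x 2 ftp ftp 4096 Nov 21 2011 pub\r\n", name, sizeof name));
    memset(line + n, 'A', 300);  /* 300-byte name exceeds the assumed limit */
    line[n + 300] = '\0';
    printf("%d\n", list_entry_name(line, name, sizeof name));
    return 0;
}
```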
IMPACT:
A remote server can execute arbitrary code on the connected target system.
SOLUTION:
The issue will be resolved in the next major release or service pack. Maintained customers can contact Attachmate Technical Support to request the hotfix appropriate for their environment: 14.1.1.206 or higher (32- or 64-bit), which can be applied to Reflection 14.1 SP1:
Attachmate Download Library