CERT-In Vulnerability Note CIVN-2009-61
Adobe Flash Media Server RPC Call Privilege Escalation Vulnerability

Original Issue Date: May 05, 2009

Severity Rating: High

Systems Affected

  • Adobe Flash Media Server 2.x
  • Adobe Flash Media Server 3.x
  • Adobe Flash Media Streaming Server 3.5.1
  • Adobe Flash Media Interactive Server 3.5.1 and earlier

Overview

A vulnerability has been reported in Adobe Flash Media Server, which could allow a remote attacker to gain escalated privileges and execute arbitrary remote procedures.

Description

Adobe Flash Media Server (FMS) is a proprietary data and media server that works with the Flash Player runtime to create media-driven, multiuser Rich Internet Applications (RIA).

This vulnerability is caused by an unspecified error in the handling of Remote Procedure Call (RPC) requests in Adobe Flash Media Interactive Server and Adobe Flash Media Streaming Server. A remote attacker could exploit this vulnerability via specially crafted RPC requests. Successful exploitation could allow a remote attacker to gain escalated privileges and execute arbitrary procedures within an ActionScript file on the server.

Solution

Update to the most current version of Flash Media Server (version 3.5.2 or later):
http://www.adobe.com/support/flashmediaserver/downloads_updaters.html

Vendor Information

Adobe
http://www.adobe.com/support/security/bulletins/apsb09-05.html

References

Adobe
http://www.adobe.com/support/security/bulletins/apsb09-05.html

SecurityFocus
http://www.securityfocus.com/bid/34790

SecurityTracker
http://securitytracker.com/alerts/2009/Apr/1022148.html

CVE Name
CVE-2009-1365

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003