Privacy and Legal Notice

DOE-CIRC TECHNICAL BULLETIN

T-128: Adobe Flash Media Server Unspecified RPC Call Privilege Escalation Vulnerability

[CVE-2009-1365]

May 8, 2009 12:00 GMT

PROBLEM: Adobe Flash Media Server is prone to a vulnerability that allows remote attackers to gain elevated privileges via an unspecified RPC (Remote Procedure Call) issue.
PLATFORM: Adobe Flash Media Streaming Server 3.5.1; Adobe Flash Media Interactive Server 3.5.1; Adobe Flash Media Server 3.5.1, 3.0.3, 3.0, 2.0.5, 2.0.4, 2.0.3, 2.0.2, 2.0.1 and 2.0
ABSTRACT: Unspecified vulnerability in Adobe Flash Media Server (FMS) before 3.0.4 and 3.5.x before 3.5.2, as used in Flash Media Interactive Server and Flash Media Streaming Server, allows remote attackers to execute arbitrary remote procedures within an ActionScript file on the server via RPC requests.

LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-128.shtml
  OTHER LINKS: Adobe
http://www.adobe.com/support/security/bulletins/apsb09-05.html
Security Focus
http://www.securityfocus.com/bid/34790
CVE: CVE-2009-1365

IMPACT ASSESSMENT: This risk is low. This vulnerability allows unauthorized disclosure of information, unauthorized modification, and disruption of service.

[***** Start CVE-2009-1365 *****]
Discussion:
A potential vulnerability has been identified in Flash Media Server 3.5.1 and earlier that could allow an attacker to
execute remote procedures in Flash Media Interactive Server or Flash Media Streaming Server. Adobe recommends that users
update to the most current version of Flash Media Server (3.5.2, or 3.0.4 or greater for the 3.0.x line).

Affected Software Versions:
Adobe Flash Media Streaming Server 3.5.1
Adobe Flash Media Server 3.5.1
Adobe Flash Media Server 3.0.3
Adobe Flash Media Server 2.0.5
Adobe Flash Media Server 2.0.4
Adobe Flash Media Server 2.0.3
Adobe Flash Media Server 2.0.2
Adobe Flash Media Server 2.0.1
Adobe Flash Media Server 2.0
Adobe Flash Media Server 3.0
Adobe Flash Media Interactive Server 3.5.1
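The affected ranges above (every release before 3.0.4, and 3.5.x before 3.5.2) are easy to get wrong when triaging a fleet by hand, especially at the branch boundaries. The following is an added example, not part of the DOE-CIRC bulletin or any Adobe tooling: it encodes those ranges and maps each host in a constructed inventory to the fixed build it should move to. It assumes version strings are dotted integers as Adobe prints them, that 3.0.x builds at or above 3.0.4 are fixed (the bulletin names 3.0.4 as the fix for that line), and that a 2.0.x host is pointed at 3.5.2 since the bulletin lists no 2.0.x fix.

```python
"""Version triage for CVE-2009-1365 (Adobe Flash Media Server).

Added example; not from the DOE-CIRC bulletin or Adobe. Encodes the bulletin's
affected ranges: all releases before 3.0.4, and 3.5.x releases before 3.5.2.
Assumptions (not stated on the page): dotted-integer version strings, 3.0.x at
or above 3.0.4 is fixed, and 2.0.x hosts are directed to 3.5.2.
"""
from __future__ import annotations

FIXED_3_0 = (3, 0, 4)   # fixed build for the 3.0.x line
FIXED_3_5 = (3, 5, 2)   # fixed build for the 3.5.x line


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' into a comparable tuple; missing fields are 0.

    Rejects anything that is not one to three dotted integers so that a banner
    or registry value that merely resembles a version is not silently accepted.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str) -> bool:
    """True if the version falls in an affected range from the bulletin."""
    v = parse_version(version)
    if v < FIXED_3_0:                       # 2.0.x and 3.0.0 through 3.0.3
        return True
    if v[:2] == (3, 5) and v < FIXED_3_5:   # 3.5.0 and 3.5.1
        return True
    return False                            # 3.0.4+, 3.5.2+ (and branches the bulletin does not name)


def required_update(version: str) -> str | None:
    """Return the fixed build an affected host should move to, or None if already fixed."""
    if not is_vulnerable(version):
        return None
    major, minor, _ = parse_version(version)
    if (major, minor) == (3, 0):
        return "3.0.4"
    # 3.5.x goes to 3.5.2; 2.0.x has no in-branch fix listed, so it is
    # pointed at 3.5.2 as well (assumption: the bulletin says "3.5.2 or 3.0.4 or greater").
    return "3.5.2"


# Constructed sample inventory (hostname, FMS version); not real hosts.
SAMPLE_INVENTORY = """\
# host            version
fms-edge-01       3.5.1
fms-edge-02       3.5.2
fms-origin-01     3.0.3
fms-legacy-01     2.0.5
fms-dev-01        3.5.10
"""


def triage(inventory: str) -> dict[str, str | None]:
    """Map each host to the fixed build it must move to (None if already fixed)."""
    result: dict[str, str | None] = {}
    for line in inventory.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, version = line.split()
        result[host] = required_update(version)
    return result


if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'fixed' if target is None else 'update to ' + target}")
```

Note that "3.5.10" sorts after "3.5.2" only because versions are compared as integer tuples rather than strings; a string comparison would misreport it as vulnerable.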

Solution:
The vendor has released an advisory and updates. See the references listed below. The bulletin lists no 3.0.4 package for the 3.0.x line; consult the Adobe advisory (APSB09-05) linked above for that update.

Adobe Flash Media Streaming Server 3.5.1
Adobe Flash Media Interactive Server 3.5.1
Adobe Flash Media Server 3.5.1

(All three products use the same 3.5.2 update package.)

    * Adobe FlashMediaServer3.5.exe
      http://download.macromedia.com/pub/flashmediaserver/updates/3_5_2/Windows/FlashMediaServer3.5.exe

    * Adobe FlashMediaServer3.5.tar.gz
      http://download.macromedia.com/pub/flashmediaserver/updates/3_5_2/Linux/FlashMediaServer3.5.tar.gz

[***** End CVE-2009-1365 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
                     


UCRL-MI-119788