CVE-2011-1564
Published 2011-04-05
CVE-2011-1564: Multiple integer overflows in the HMI application in DATAC RealFlex RealWin 2.1 (Build 6.1.10.10) and earlier allow remote attackers to execute arbitrary code…
Priority: P2 · 62
CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Exploit-DB 17025, see references)
EPSS: 18.63% (96.9th percentile)
Multiple integer overflows in the HMI application in DATAC RealFlex RealWin 2.1 (Build 6.1.10.10) and earlier allow remote attackers to execute arbitrary code via crafted (1) On_FC_MISC_FCS_MSGBROADCAST and (2) On_FC_MISC_FCS_MSGSEND packets, which trigger a heap-based buffer overflow.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realflex | realwin | <= 2.1 (Build 6.1.10.10) and earlier | — (no vendor patch at disclosure) |
Detection & IOCs (extracted from the sources listed in the references)
- Detect exploitation attempts against TCP port 910 carrying On_FC_MISC_FCS_MSGBROADCAST or On_FC_MISC_FCS_MSGSEND packets. These are the two handlers covered by this CVE: an integer overflow in the size computation leads to a heap-based buffer overflow in the DATAC RealWin HMI.
- In those two handlers the attacker-supplied 32-bit size field is added to 0x16 before the heap allocation. The addition wraps for any size field of 0xFFFFFFEA or larger (0xFFFFFFEA + 0x16 wraps to exactly 0), so the allocation is tiny while the later copy still uses the declared length. Inspect size fields for values at or above 0xFFFFFFEA, and more generally for declared lengths larger than the number of bytes actually present in the TCP payload.
- The indexed sources also describe further RealWin bugs on the same port that are not part of this CVE but deserve the same monitoring: oversized or malformed On_FC_CGETTAG_FCS_GETTELEMETRY, On_FC_CGETTAG_FCS_GETCHANNELTELEMETRY, On_FC_CGETTAG_FCS_SETTELEMETRY and On_FC_CGETTAG_FCS_SETCHANNELTELEMETRY packets trigger a stack overflow through path construction in a roughly 200-byte stack buffer.
- Likewise, On_FC_SCRIPT_FCS_STARTPROG packets with oversized input strings are copied into a roughly 4 KB stack buffer in the function at 00439620.
- No vendor patch was available at the time of disclosure. Affected deployments of DATAC RealWin 2.1 (Build 6.1.10.10) and earlier remain exposed unless network-level controls are applied, for example restricting TCP port 910 to the hosts that legitimately talk to the HMI.
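The size-field arithmetic behind the first two bullets, as an added example written for this page rather than code from the RealWin product or from the source advisory. Only "a 32-bit size field plus 0x16" comes from the sources; the macro and function names, the simulated handler and the sample size fields are this example's own assumptions, and the rest of the packet layout is not modelled. It shows the wrapping addition, the hardened check a fixed handler would need, and the detection rule a monitor on port 910 can apply to the size field.

```c
#include <stdint.h>
#include <stdio.h>

/* Overhead the sources say RealWin adds to the attacker-supplied 32-bit
 * size field before allocating (0x16 = 22 bytes). The macro name is an
 * assumption of this example; only "size + 0x16 in 32-bit arithmetic"
 * comes from the advisory text. */
#define HDR_OVERHEAD 0x16u

/* Smallest declared size at which size + 0x16 wraps past 32 bits:
 * UINT32_MAX - 0x16 + 1 = 0xFFFFFFEA. */
#define WRAP_THRESHOLD (UINT32_MAX - HDR_OVERHEAD + 1u)

/* The vulnerable pattern: the allocation length is computed in 32 bits
 * with no wrap check. Returns the length the buggy code would allocate. */
uint32_t vuln_alloc_len(uint32_t declared) {
    return declared + HDR_OVERHEAD;   /* wraps when declared >= 0xFFFFFFEA */
}

/* Hardened form: refuse sizes whose addition would wrap. Returns the
 * allocation length, or -1 when declared + 0x16 does not fit in 32 bits. */
int64_t checked_alloc_len(uint32_t declared) {
    if (declared > UINT32_MAX - HDR_OVERHEAD)
        return -1;
    return (int64_t)declared + HDR_OVERHEAD;
}

/* Detection side: a size field is suspicious if it is at or above the
 * wrap threshold, or if it claims more bytes than the TCP payload that
 * carried it actually contains (an oversized or malformed packet). */
int size_field_suspicious(uint32_t declared, size_t payload_bytes) {
    return declared >= WRAP_THRESHOLD || (uint64_t)declared > payload_bytes;
}

/* Why the wrap matters: the allocation is tiny, but the subsequent copy
 * still uses the declared length. This only computes the two lengths and
 * reports the mismatch; it never performs the overflowing copy. */
typedef struct {
    uint32_t alloc_len;   /* what the buggy code would allocate */
    uint32_t copy_len;    /* what it would then copy into that buffer */
    int heap_overflow;    /* 1 when copy_len exceeds alloc_len */
} outcome_t;

outcome_t simulate_handler(uint32_t declared) {
    outcome_t o;
    o.alloc_len = vuln_alloc_len(declared);
    o.copy_len = declared;
    o.heap_overflow = o.copy_len > o.alloc_len;
    return o;
}

int main(void) {
    /* Constructed sample size fields, not captured traffic: a benign value,
     * the exact wrap point, and the maximum 32-bit value. */
    const uint32_t samples[] = { 0x40u, 0xFFFFFFEAu, 0xFFFFFFFFu };
    const size_t payload_bytes = 0x40;   /* bytes assumed present on the wire */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        outcome_t o = simulate_handler(samples[i]);
        printf("size=0x%08x alloc=0x%08x copy=0x%08x heap_overflow=%d suspicious=%d\n",
               samples[i], o.alloc_len, o.copy_len, o.heap_overflow,
               size_field_suspicious(samples[i], payload_bytes));
    }
    return 0;
}
```

The second check in size_field_suspicious (declared length versus bytes on the wire) is the one worth running in a sensor: it catches the wrap case and any other mismatch between the claimed and actual length without depending on the exact 0x16 constant.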
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| ghsa | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
The two 6.5 MEDIUM rows match the CVE-2011-1483 (JBossWS) entries listed further down, which carry CVSS 6.5 from GHSA and Red Hat; the GHSA advisory for CVE-2011-1564 itself is unreviewed, rated HIGH, and shows no CVSS score here.
GHSA
GHSA-q9fp-549g-2f87 (unreviewed, 2022-05-17): CVE-2011-1564 [HIGH], Multiple integer overflows in the HMI application in DATAC RealFlex RealWin 2.1 (Build 6.1.10.10) and earlier. Description identical to the NVD text above.
Other advisories indexed alongside this entry. They concern different CVEs (CVE-2011-1483 and CVE-2011-1755), are unrelated to RealWin, and each description references the earlier CVE-2003-1564.

GHSA (2022-05-13, CVSS 6.5): CVE-2011-1483 [MEDIUM] CWE-400, JBossWS vulnerable to uncontrolled recursion
DOMUtils.java in org.jboss.ws:jbossws-common does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.

Red Hat (2011-09-15, CVSS 6.5): CVE-2011-1483 [MEDIUM], JBossWS remote Denial of Service
wsf/common/DOMUtils.java in JBossWS Native in Red Hat JBoss Enterprise Application Platform 4.2.0.CP09, 4.3, and 5.1.1; JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.1; JBoss Enterprise SOA Platform 4.2.CP05, 4.3.CP05, and 5.1.0; JBoss Communications Platform 1.2.11 and 5.1.1; JBoss Enterprise BRMS Platform 5.1.0; and JBoss Enterprise Web Platform 5.1.1 does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.
Package: Security (Red Hat JBoss BRMS 5) - Affected

Red Hat (2011-05-31, CVSS 6.5): CVE-2011-1755 [MEDIUM], jabberd: DoS via the XML "billion laughs attack"
jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Statement: Vulnerable. This issue has been addressed in Red Hat Network Satellite Server v5.4.1 via RHSA-2011:0882 (https://rhn.redhat.com/errata/RHSA-2011-0882.html) and in Red Hat Network Proxy Server v5.4.1 via RHSA-2011:0881 (https://rhn.redhat.com/errata/RHSA-2011-0881.html). This issue is not planned to be fixed in Red Hat Network Satellite Server versions 5.0.2, 5.1.1, 5.2.1, 5.3.0 and not planned to be fixed in Red Hat Network Proxy Server versions 5.0.
No detection rules found.
No writeups or analysis indexed.
References
- http://aluigi.org/adv/realwin_6-adv.txt
- http://secunia.com/advisories/43848
- http://securityreason.com/securityalert/8177
- http://www.exploit-db.com/exploits/17025
- http://www.securityfocus.com/bid/46937
- http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-04.pdf
- http://www.vupen.com/english/advisories/2011/0742