Eric Detoisien

**Name of the Vulnerable Software and Affected Versions** Citrix Presentation Server versions 4.5 and earlier Citrix Access Essentials versions 2.0 and earlier Citrix Desktop Server version 1.0 **Description** The issue is related to a buffer overflow in the Independent Management Architecture (IMA) service. This allows remote attackers to execute arbitrary code by sending a packet with an invalid size value to TCP port 2512 or 2513. **Recommendations** For Citrix Presentation Server versions 4.5 and earlier, update to a version that fixes this issue. For Citrix Access Essentials versions 2.0 and earlier, update to a version that fixes this issue. For Citrix Desktop Server version 1.0, update to a version that fixes this issue.

**Name of the Vulnerable Software and Affected Versions** Trend Micro ServerProtect version 5.58 for Windows, before Security Patch 4 **Description** The issue allows remote attackers to obtain full file system access and execute arbitrary code due to the exposure of unspecified dangerous sub-functions from StRpcSrv.dll in the DCE/RPC interface. **Recommendations** For Trend Micro ServerProtect version 5.58 for Windows, before Security Patch 4, apply Security Patch 4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Autonomy KeyView Viewer, Filter, and Export SDK versions prior to 9.2.0.12 ActivePDF DocConverter versions prior to 9.2.0.12 IBM Lotus Notes versions prior to 7.0.3 Symantec Mail Security versions prior to 9.2.0.12 **Description** The issue allows remote attackers to execute arbitrary code via crafted files, including AG files to `kpagrdr.dll`, AW files to `awsr.dll`, DLL or EXE files to `exesr.dll`, DOC files to `mwsr.dll`, MIF files to `mifsr.dll`, SAM files to `lasr.dll`, or RTF files to `rtfsr.dll`. **Recommendations** For Autonomy KeyView Viewer, Filter, and Export SDK versions prior to 9.2.0.12, update to version 9.2.0.12 or later. For ActivePDF DocConverter versions prior to 9.2.0.12, update to version 9.2.0.12 or later. For IBM Lotus Notes versions prior to 7.0.3, update to version 7.0.3 or later. For Symantec Mail Security versions prior to 9.2.0.12, update to version 9.2.0.12 or later.

**Name of the Vulnerable Software and Affected Versions** Trend Micro ServerProtect versions 5.58 before Security Patch 2 Build 1174 **Description** The issue involves multiple stack-based buffer overflows that allow remote attackers to execute arbitrary code via crafted data to specific TCP ports. This is achieved by triggering overflows in the `CAgRpcClient::CreateBinding` function in the AgRpcCln.dll library in SpntSvc.exe via TCP port 5168, or in EarthAgent.exe via TCP port 3628. Both issues are reachable via TmRpcSrv.dll. **Recommendations** For Trend Micro ServerProtect version 5.58 before Security Patch 2 Build 1174, apply Security Patch 2 Build 1174 to resolve the issue. As a temporary workaround, consider restricting access to TCP ports 5168 and 3628 to minimize the risk of exploitation. Avoid using the `CAgRpcClient::CreateBinding` function in the AgRpcCln.dll library until the issue is resolved. Restrict access to the TmRpcSrv.dll library to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Hewlett-Packard Mercury LoadRunner Agent versions 8.0 through 8.1 Hewlett-Packard Performance Center Agent versions 8.0 through 8.1 Hewlett-Packard Monitor over Firewall version 8.1 **Description** The issue is a stack-based buffer overflow in magentproc.exe, triggered by a packet with a long `server ip name` field sent to TCP port 54345. This overflow occurs in the mchan.dll component and allows remote attackers to execute arbitrary code. **Recommendations** For Hewlett-Packard Mercury LoadRunner Agent versions 8.0 and 8.1, consider restricting access to TCP port 54345 until a patch is available. For Hewlett-Packard Performance Center Agent versions 8.0 and 8.1, avoid using the `server ip name` field in packets sent to TCP port 54345 to minimize the risk of exploitation. For Hewlett-Packard Monitor over Firewall version 8.1, as a temporary workaround, consider disabling the mchan.dll component until a patch is available.

Name of the Vulnerable Software and Affected Versions: Citrix MetaFrame XP versions 1.0 through 2.0 Citrix Presentation Server versions 3.0 through 4.0 Description: The issue is related to a heap-based buffer overflow in the `IMA SECURE DecryptData1` function within ImaSystem.dll. This allows remote attackers to execute arbitrary code by sending requests to the Independent Management Architecture (IMA) service, specifically ImaSrv.exe, with invalid size values that trigger the overflow during the decryption process. Recommendations: For Citrix MetaFrame XP versions 1.0 through 2.0, update to a version that includes a fix for the heap-based buffer overflow in the IMA SECURE DecryptData1 function. For Citrix Presentation Server versions 3.0 through 4.0, update to a version that includes a fix for the heap-based buffer overflow in the IMA SECURE DecryptData1 function. As a temporary workaround, consider restricting access to the IMA service (ImaSrv.exe) to minimize the risk of exploitation.