Qbik Wingate closes format string vulnerability
The Wingate Gateway server product from Qbik contains a vulnerability which attackers can exploit to execute remotely injected malicious code. A software update eliminates the problem.
The vulnerability affects Wingate's SMTP components. If an attacker sends unknown commands or commands in an unusual sequence to the SMTP server, the SMTP session goes into an invalid state. During logging of the error that has occurred, the software copies the user's data input with an unsafe vsprintf() request which can cause the server to crash, according to the security advisory from Harmony Security. Apparently, the results of further investigations by security service provider Secunia have shown that injected code can be executed in this manner.
The vulnerability is contained in Wingate versions 5.x and 6.x. The current version 6.2.2 eliminates the vulnerability. Administrators should install the software update immediately.
- Qbik WinGate Remote Denial of Service, security advisory from Harmony Security
- Qbik WinGate SMTP service format string security vulnerability, security advisory from Secunia
- Download of the current Wingate version