3422 Old Capitol Trail – Suite 1125, Wilmington – DE 19808, United States

Cybele Software, Inc. Security Bulletin

Thinfinity Remote Desktop Workstation vulnerability: Summary

Thinfinity Remote Desktop Workstation v3.0.0.3 includes the following vulnerability:

A generic directory traversal flaw was found. Testing of both Thinfinity Remote Desktop Workstation version 3.0.0.0 and version 3.0.0.3 showed that the flaw is present only in the later version.

Successful exploitation of this vulnerability could allow a file to be downloaded from the remote Windows host (i.e. via the default port 8081 or whichever other port it is configured to use). The flaw was present whether or not “File Transfer” was enabled, regardless of the security mode in use (i.e. None, Digest or Windows Logon).

Note: This vulnerability does not affect Thinfinity Remote Desktop Server.

We thank Matt Byrne, from Perspective Risk, for identifying this issue.

Software Versions and Fixes

Cybele Software has released a free software update (v3.0.0.4) that addresses this vulnerability. The update is available at the following links:

32-bit: http://www.cybelesoft.com/downloads/Thinfinity_Remote_Desktop_Workstation_Setup_x86.exe

64-bit: http://www.cybelesoft.com/downloads/Thinfinity_Remote_Desktop_Workstation_Setup_x64.exe

Make sure to uninstall the previous version before installing the new one.

Policy Statement on Information Provided in Patch Updates and Security Alerts

When Cybele Software publishes a Security Bulletin, the company intends to provide vulnerability information in a socially responsible way. Cybele Software does not intend to issue vulnerability details that could enable someone to craft an exploit.

As a matter of policy, Cybele Software will not provide additional information about the specifics of vulnerabilities beyond what is provided in the Patch Update or Security Alert notification, the readme files, and FAQs. Cybele Software provides all customers with the same information in order to protect all customers equally. Cybele Software will not provide advance notification or “insider information” on Patch Update or Security Alerts to individual customers.

If you have any questions, you can reach us at security@cybelesoft.com.

Comments (3)

Hi,
Please provide the 32-bit version of the Remote Desktop Workstation fix v3.0.0.4.
Currently both links are the 64-bit version… 🙁

Thanks & Regards
Eugen

Thanks for the message, Eugen.
The links are fixed now!
I apologize for the inconvenience.
Regards,
Mauro
