Thinfinity Remote Desktop Workstation vulnerability: Summary
Thinfinity Remote Desktop Workstation v18.104.22.168 includes the following vulnerability:
A generic directory traversal flaw was found. After testing both Thinfinity Remote Desktop Workstation version 22.214.171.124 and version 126.96.36.199, the flaw is only present in the later version.
Successful exploitation of this vulnerability could allow a file to be downloaded from the remote Windows host (i.e. via the default port 8081 or whichever other port it is configured to use). The flaw was present whether or not “File Transfer” was enabled, regardless of the security mode in use (i.e. None, Digest or Windows Logon).
Note: This vulnerability does not affect Thinfinity Remote Desktop Server.
We thank Matt Byrne, from Perspective Risk, for identifying this issue.
Software Versions and Fixes
Cybele Software has released a free software update (v188.8.131.52) that addresses this vulnerability. The update is available at the following links:
Make sure to uninstall the previous version before installing the new one.
Policy Statement on Information Provided in Patch Updates and Security Alerts
When Cybele Software publishes a Security Bulletin here on our blog, the company intends to provide vulnerability information in a socially responsible way. Cybele Software does not intend to issue vulnerability details that could enable someone to craft an exploit.
As a matter of policy, Cybele Software will not provide additional information about the specifics of vulnerabilities beyond what is provided in the Patch Update or Security Alert notification, the readme files, and FAQs. Cybele Software provides all customers with the same information in order to protect all customers equally. Cybele Software will not provide advance notification or “insider information” on Patch Update or Security Alerts to individual customers.
If you have any questions, you can reach us at firstname.lastname@example.org.