Vulnerability Note VU#229047
Allround Automations PL/SQL Developer v11 performs updates over HTTP
Original Release date: 25 Apr 2016 | Last revised: 25 Apr 2016
Allround Automations PL/SQL Developer version 11 checks for updates over HTTP and does not verify updates before executing commands, which may allow an attacker to execute arbitrary code.
CWE-345: Insufficient Verification of Data Authenticity – CVE-2016-2346
According to the researcher, Allround Automations PL/SQL Developer version 11 periodically checks for updates over HTTP. When an update is available, PL/SQL Developer downloads the update and executes the update without verifying authenticity or performing other checks.
By intercepting such requests and modifying the necessary fields, an attacker with a man-in-the-middle position between the victim and the network may be able to write arbitrary data to vulnerable devices and execute arbitrary code with the permissions of the PL/SQL Developer user.
A remote attacker with a man-in-the-middle position may be able to execute code with the permissions of the PL/SQL Developer user.
Apply an update
PL/SQL Developer version 11.0.6 has been released to address this issue.
The update utility now uses HTTPS and restricts downloads to the allroundautomations.com domain.
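The two checks the fix adds, a trusted-transport/host test and an authenticity check on the downloaded bytes before anything runs, as an added illustration that is not the vendor's code. The exact host-matching rule and the vendor's signing scheme are not published; the allowlist rule below and the HMAC tag (a stand-in for a public-key signature) are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: accept the vendor apex domain and its subdomains only.
ALLOWED_HOST = "allroundautomations.com"

# Constructed key: stands in for the vendor's update-signing secret. A shipped
# client would verify a public-key signature rather than share a secret.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def is_trusted_update_url(url: str) -> bool:
    """Reject plain HTTP and any host outside the vendor domain."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    # Exact host or a true subdomain; "allroundautomations.com.attacker.example" fails.
    return host == ALLOWED_HOST or host.endswith("." + ALLOWED_HOST)


def sign_update(payload: bytes, key: bytes = SIGNING_KEY) -> str:
    """Producer side: tag the update bytes (HMAC-SHA256 stand-in for a signature)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_update(payload: bytes, tag: str, key: bytes = SIGNING_KEY) -> bool:
    """Consumer side: constant-time comparison before anything is executed."""
    return hmac.compare_digest(sign_update(payload, key), tag)


def accept_update(url: str, payload: bytes, tag: str) -> bool:
    """Both checks must pass; the vulnerable v11 client performed neither."""
    return is_trusted_update_url(url) and verify_update(payload, tag)


if __name__ == "__main__":
    installer = b"constructed installer bytes"  # constructed sample payload
    tag = sign_update(installer)
    print(accept_update("https://www.allroundautomations.com/update.exe", installer, tag))  # True
    print(accept_update("http://www.allroundautomations.com/update.exe", installer, tag))   # False
    print(accept_update("https://www.allroundautomations.com/update.exe", installer + b"x", tag))  # False
```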
Affected users may also consider the following workaround:
Avoid untrusted networks
Avoid using untrusted networks, including public WiFi. Using your device on an untrusted network increases the chance of falling victim to a man-in-the-middle attack that could intercept your HTTP data.
Vendor Information
Vendor: Allround Automations
Status: Affected
Date Notified: 15 Mar 2016
Date Updated: 25 Apr 2016
CVSS Metrics
Thanks to Adam Caudill for reporting this vulnerability.
This document was written by Garret Wassermann.
29 Apr 2016
Date First Published: 25 Apr 2016
Date Last Updated: 25 Apr 2016