|
The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
AlterPath Manager Information Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
"Cyclades' <http://www.cyclades.com/products/25/alterpath_manager>
AlterPath Manager is a consolidated Out-of-Band Infrastructure manager
that addresses the need to deploy, manage and connect to out-of-band
access devices such as serial console servers, KVM and KVM over IP
switches, intelligent power distribution units and embedded out-of-band
management agents such as IPMI processors."
Multiple vulnerabilities in AlterPath Manager have been found, they allow
a remote attacker to disclose sensitive information, access other people's
consoles and gaining of elevated privileges.
DETAILS
Vulnerable Systems:
* AlterPath Manager version 1.2.1.
Information Disclosure:
The APM web interface reveals the following information: Boot Version,
Kernel Version, Config Version, OS Version, AP Version, and Hardware
information. This information could be valuable to attackers, and is
available on the web interface on the /about.html web page without
authentication
Arbitrary Console Connection:
Access restrictions in the AlterPath Manager prevent users from accessing
consoles they are no allowed to connect to. However, this can be bypassed
by simply specifying any console's name in the consoleConnect.jsp URL.
Once the URL is changed and the page is loaded, the user will be taken
directly to the console. Substitute "console_name" with the system's
console name.
Example URL:
/usermode/consoleConnect.jsp?consolename=console_name
Privilege Escalation:
Any authorized user of the AlterPath Manager web interface can grant
themselves administrator access. When saveUser.do is called, it does not
confirm the user has access to modify their own (or other user's)
privileges. By changing the adminUser value to "true" in the save user
program's URL, the user account will be saved and granted administrative
privileges. In the URL below, replace my_id, My+name, email and other user
information as desired. Set the adminuser equal to "true" to grant
escalated privileges to the user identified by userID (userID is an
internal Cyclades identifier it can be found in certain AlterPath Manager
URLs or HTML pages).
Example URL:
/application/saveUser.
do?userId=9&password=&userName=my_id&fullName=My+name&department=
Security&location=Work&phone=555-1212&mobile=&pager=&email=test%40example.
com&status=
Enable&localPassword=true&adminUser=true&forward=&action=Save
Workaround:
The Cyclades AlterPath Manager software version 1.2.5 will address these
issues when released. For older versions, it may be possible to disable
the web interface and connect to consoles via SSH only.
Disclosure Timeline:
* 12.13.04 Vendor notification.
* 01.20.05 Vendor response.
* 02.15.05 Vendor stated they still did not have a release date.
* 02.23.05 Public release.
ADDITIONAL INFORMATION
The information has been provided by <mailto:sullo@cirt.net> Sullo.
The original article can be found at:
<http://www.cirt.net/advisories/alterpath_disclosure.shtml>
http://www.cirt.net/advisories/alterpath_disclosure.shtml
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body
to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
|
