Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance

Multiple vulnerabilities have been identified in IP3 Networks
'NetAccess' NA75 appliance.

KPMG recommends that owners of a NetAccess NA75 take steps to ensure the
security of the
device, and that IP3 Networks is contacted to acquire the new firmware
that includes the
patches for the issues described. IP3 Networks has requested that
customers contact IP3
through http://www.ip3.com/supportoverview.htm.

Product: NA75 and possibly others
Revision: na-img-4.0.34.bin
Vendor Status: notified, verified and patch available from 1 April 2006
Risk: High
Remote: Yes
Local: Yes

ISSUE 1: Various SQL injection vulnerabilities in the HTTP user
interface
Due to the absence of user input validation, attackers can embed SQL
commands and queries
into various HTTP forms. The impact of this is that attackers can login
into the unit by
specifying username 'admin' and password ' OR "1=1';–. This issue has
been described in
http://www.securityfocus.com/bid/9858 in 2004, and was reportedly fixed
by IP3 in firmware
3.1.18b13. However, as can be seen from the above info, we have found
the vulnerability to
be present in firmware 4.0.34.

ISSUE 2: Unix command injection vulnerability in command line interface
Due to the absence of user input filtering in the command line
interface, attackers can
embed Unix commands in certain parameters by passing the commands in the
unix shell
substitution characters '`'.

ISSUE 3: No mandatory default password change on first login
The default username and password 'admin'/'admin' do not have to be
changed at first
login. This greatly increases the chance of the password remaining
'admin' after install.

ISSUE 4: World readable shadow password file
The shadow password file contains the encrypted passwords for all users
on the system.
Password crackers can be used on this file to obtain the plaintext
passwords for users.

ISSUE 5: NetAccess database file world readable and writable
The permission settings on the NetAccess database file allow all unix
users read and
write access to the file, thereby allowing potentially sensitive
customer information
to be disclosed.

Ralph Moonen, CISSP
Manager KPMG Information Risk Management
Amstelveen, The Netherlands

De informatie verzonden met dit e-mailbericht (en bijlagen) is uitsluitend bestemd voor de geadresseerde(n) en zij die van de geadresseerde(n) toestemming hebben dit bericht te lezen. Gebruik door anderen dan geadresseerde(n) is verboden. De informatie in dit e-mailbericht (en de bijlagen) kan vertrouwelijk van aard zijn en kan binnen het bereik vallen van een geheimhoudingsplicht.
KPMG is niet aansprakelijk voor schade ten gevolge van het gebruik van elektronische middelen van communicatie, daaronder begrepen -maar niet beperkt tot- schade ten gevolge van niet aflevering of vertraging bij de aflevering van elektronische berichten, onderschepping of manipulatie van elektronische berichten door derden of door programmatuur/apparatuur gebruikt voor elektronische communicatie en overbrenging van virussen en andere kwaadaardige programmatuur.

Any information transmitted by means of this e-mail (and any of its attachments) is intended exclusively for the addressee or addressees and for those authorized by the addressee or addressees to read this message. Any use by a party other than the addressee or addressees is prohibited. The information contained in this e-mail (or any of its attachments) may be confidential in nature and fall under a duty of non-disclosure.
KPMG shall not be liable for damages resulting from the use of electronic means of communication, including -but not limited to- damages resulting from failure or delay in delivery of electronic communications, interception or manipulation of electronic communications by third parties or by computer programs used for electronic communications and transmission of viruses and other malicious code.