lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 20 Aug 2007 19:23:47 -0000
From: security@...ecatnetworks.com
To: bugtraq@...urityfocus.com
Subject: Re: TS-2007-003-0: BlueCat Networks Adonis CLI root privilege
 escalation

BlueCat Networks is aware of this situation involving the CLI (known as the Adonis Administration Console) that can give an admin user unauthorized root privileges on the system.

This situation may only arise if an administrator has admin login capabilities to the CLI whether through SSH access or direct access to the system – i.e. monitor and keyboard.  

Please note that this situation is only possible if someone has both  access to the system and the admin password.   In most customer environments such access should be highly restricted to trusted personnel.  Commonly, those trusted  personnel have access to the system with both the admin and the root passwords, which will give them root access regardless.  

We would like to note that the Proteus IPAM appliance is not affected by this issue


We are currently investigating this issue with the intention of amending the product to diminish the likelihood of this occurring.  A patch should be available shortly.  In the meantime, we are recommending that customers do all of the following:

1.	Check administrative access – make sure that only trustworthy people are chosen as  administrators, so that only they will have access to the system, and will not abuse it.  

2.	Change passwords if necessary and distribute new passwords only to valid trusted admins.  

3.	Disable SSH remote access to the Adonis system – this will prevent users from accessing the system remotely requiring direct access to the Adonis system for CLI access.

4.	Ensure that the Adonis system is physically secured – this will prevent unauthorized users from accessing the CLI.


Kindest regards,
BlueCat Networks Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ