Message-ID: <20070809210101.19962.qmail@securityfocus.com>
Date: 9 Aug 2007 21:01:01 -0000
From: security@...ecatnetworks.com
To: bugtraq@...urityfocus.com
Subject: Re: TS-2007-002-0: BlueCat Networks Adonis root Privilege Access

BlueCat Networks acknowledges the existence of this issue and our testing confirms that this can allow a Proteus Administrator to write arbitrary data using TFTP to an Adonis system and potentially damage or compromise it.

This issue is the result of data validation errors in Proteus with respect to TFTP and can only be exploited by users with administrative privileges to the Proteus Admin Interface and sufficient access rights.  Without authenticated access to the Proteus Admin Interface, this vulnerability cannot be exploited, and we therefore consider it a minor security issue.  BlueCat Networks will be fixing this issue in an update to Proteus that will be made available shortly.

To prevent exploitation of this issue, BlueCat Networks recommends that customers restrict access to the TFTP services on Proteus through the Access Rights menu.  This can be done at two levels within the product:

1. At a configuration level – by changing the access for TFTP Objects within the configuration (TFTP File, TFTP Folder and TFTP Group) to Hide or View privileges.
2. At the TFTP Group level – by changing the access for TFTP Objects within the group (TFTP File and TFTP Folder) to Hide or View privileges.
Kindest regards,
BlueCat Networks Security
