
List:       bugtraq
Subject:    Re: TS-2007-002-0: BlueCat Networks Adonis root Privilege Access
From:       security () bluecatnetworks ! com
Date:       2007-08-09 21:01:01
Message-ID: 20070809210101.19962.qmail () securityfocus ! com

BlueCat Networks acknowledges the existence of this issue and our testing confirms
that this can allow a Proteus Administrator to write arbitrary data using TFTP to an
Adonis system and potentially damage or compromise it.

This issue is the result of data validation errors in Proteus with respect to TFTP
and can only be exploited by users with administrative privileges to the Proteus
Admin Interface and sufficient access rights.  Without authenticated access to the
Proteus Admin Interface, this vulnerability cannot be exploited, and we therefore
consider it a minor security issue.  BlueCat Networks will be fixing this issue in an
update to Proteus that will be made available shortly.

To prevent exploitation of this issue, BlueCat Networks recommends that customers
restrict access to the TFTP services on Proteus through the Access Rights menu.  This
can be done at two levels within the product:

1. At a configuration level – by changing the access for TFTP Objects within the
   configuration (TFTP File, TFTP Folder and TFTP Group) to Hide or View privileges.
2. At the TFTP Group level – by changing the access for TFTP Objects within the group
   (TFTP File and TFTP Folder) to Hide or View privileges.



Kindest regards,
BlueCat Networks Security

