List: bugtraq
Subject: Re: TS-2007-002-0: BlueCat Networks Adonis root Privilege Access
From: security () bluecatnetworks ! com
Date: 2007-08-09 21:01:01
Message-ID: 20070809210101.19962.qmail () securityfocus ! com
BlueCat Networks acknowledges the existence of this issue and our testing confirms that this can allow a Proteus Administrator to write arbitrary data using TFTP to an Adonis system and potentially damage or compromise it.
This issue is the result of data validation errors in Proteus with respect to TFTP and can only be exploited by users with administrative privileges to the Proteus Admin Interface and sufficient access rights. Without authenticated access to the Proteus Admin Interface, this vulnerability cannot be exploited, and we therefore consider it a minor security issue. BlueCat Networks will be fixing this issue in an update to Proteus that will be made available shortly.
To prevent exploitation of this issue, BlueCat Networks recommends that customers restrict access to the TFTP services on Proteus through the Access Rights menu. This can be done at two levels within the product:
1. At a configuration level – by changing the access for TFTP Objects within the configuration (TFTP File, TFTP Folder and TFTP Group) to Hide or View privileges.
2. At the TFTP Group level – by changing the access for TFTP Objects within the group (TFTP File and TFTP Folder) to Hide or View privileges.
Kindest regards,
BlueCat Networks Security