fujitsu-primergy-disclose.txt

`Advisory: Fujitsu-Siemens PRIMERGY BX300 Switch Blade Information  
Disclosure  
  
RedTeam Pentesting discovered an information disclosure in the Fujitsu-  
Siemens BX300 Switch Blade during a penetration test. By accessing URLs  
of the web interface directly and aborting the authentication dialog,  
one is able to access the restricted management interface without proper  
authentication, having read-only access.  
  
  
Details  
=======  
  
Product: Fujitsu Siemens Computers PRIMERGY BX300 Switch Blade  
Affected Versions: All  
Fixed Versions: None  
Vulnerability Type: Information Disclosure  
Security-Risk: medium  
Vendor-URL:   
http://www.fujitsu.com/global/services/computing/server/ia/bladeserver/  
Vendor-Status: informed, decided not to fix  
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2007-003.php  
Advisory-Status: public  
CVE: CVE-2007-3012  
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3012  
  
  
Introduction  
============  
  
"Packing the punch of 300 compute nodes in a single 19-inch rack  
  
With up to 20 blades in a three-unit rack space, the PRIMERGY BX300  
delivers previously unimaginable performance, dependability and  
flexibility. Every blade corresponds to a compute node complete with  
main memory, hard disks and network interface. The PRIMERGY BX300 is  
thus ideal for front-end enterprise applications such as terminal  
servers, network or caching systems."  
  
(from the vendor's homepage)  
  
  
More Details  
============  
  
The web interface of the Switch Blade which is accessible per HTTP, will  
by default ask for authentication by HTTP Auth. If the authentication  
dialog gets cancelled in the browser, an empty page will be shown.  
  
The HTML code of this empty page reveals some hyperlinks to subpages of  
the web interface. If those get accessed directly in the browser, the  
authentication dialog shows up again. But after clicking "Cancel", the  
page will be shown regardless of the cancelled authentication and the  
data in the form fields is shown.  
  
It is not possible to manipulate any of the data. When changing  
parameters and sending the POST request, the server answers with an  
error page. The error page contains a javascript popup telling the user  
that he does not have enough permissions.  
  
This means that an attacker is able to bypass the authentication of the  
web interface and access the information contained in the admin  
interface websites.  
  
  
Proof of Concept  
================  
  
Directly surf to one of the following URLs:  
  
https://switchblade.example.com/config/ip_management.htm  
https://swtichblade.example.com/config/snmp_config.htm  
  
Click "Cancel" to abort the authentication dialog. The frame with the  
form fields will be shown anyway.  
  
More URLs can be found by clicking "Cancel" and viewing the source code  
of the main page.  
  
  
Workaround  
==========  
  
Block access to the PRIMERGY BX300 web interface for all untrusted  
users.  
  
  
Fix  
===  
  
The vulnerability will not be fixed by the vendor, as the BX300 product  
line is discontinued.  
  
  
Security Risk  
=============  
  
The risk of this vulnerability is medium. The attacker is cannot  
manipulate the entries he sees, as the server will check if the user has  
the permissions to change any data. Being able to see the data in the  
form fields however is an information disclosure which gives the  
attacker valuable information about his targets.  
  
In case of the SNMP community strings, the attacker may be able to get  
access to the systems' SNMP functionality, as with SNMPv1 and v2, the  
community string is held secret. Only users knowing the community string  
(or users having access to the connection, as the string is sent in  
cleartext) can access the SNMP functionality. The snmp_config.htm page  
will reveal this information to the attacker.  
  
  
History  
=======  
  
2007-05-14 First contact with the responsible contact person, gets the  
advisory  
2007-05-23 Vulnerability gets confirmed by field support  
2007-05-31 On request by RedTeam Pentesting, a test system is kindly  
provided by Fujitsu-Siemens for some further tests  
2007-06-18 CVE number assigned  
2007-07-03 Vendor tells RedTeam Pentesting about the decision not to fix  
the vulnerability  
2007-07-04 Advisory released  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting is offering individual penetration tests, short  
pentests, performed by a team of specialised IT-security experts.  
Hereby, security weaknesses in company networks or products are  
uncovered and can be fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 963-1300  
Dennewartstr. 25-27 Fax : +49 241 963-1304  
52068 Aachen http://www.redteam-pentesting.de/  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck  
`