[Full-disclosure] Fujitsu-Siemens PRIMERGY BX300 Switch Blade Information Disclosure

2007-07-04T00:00:00
ID SECURITYVULNS:DOC:17411
Type securityvulns
Reporter Securityvulns
Modified 2007-07-04T00:00:00

Description

Advisory: Fujitsu-Siemens PRIMERGY BX300 Switch Blade Information Disclosure

RedTeam Pentesting discovered an information disclosure in the Fujitsu- Siemens BX300 Switch Blade during a penetration test. By accessing URLs of the web interface directly and aborting the authentication dialog, one is able to access the restricted management interface without proper authentication, having read-only access.

Details

Product: Fujitsu Siemens Computers PRIMERGY BX300 Switch Blade Affected Versions: All Fixed Versions: None Vulnerability Type: Information Disclosure Security-Risk: medium Vendor-URL: http://www.fujitsu.com/global/services/computing/server/ia/bladeserver/ Vendor-Status: informed, decided not to fix Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2007-003.php Advisory-Status: public CVE: CVE-2007-3012 CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3012

Introduction

"Packing the punch of 300 compute nodes in a single 19-inch rack

With up to 20 blades in a three-unit rack space, the PRIMERGY BX300 delivers previously unimaginable performance, dependability and flexibility. Every blade corresponds to a compute node complete with main memory, hard disks and network interface. The PRIMERGY BX300 is thus ideal for front-end enterprise applications such as terminal servers, network or caching systems."

(from the vendor's homepage)

More Details

The web interface of the Switch Blade which is accessible per HTTP, will by default ask for authentication by HTTP Auth. If the authentication dialog gets cancelled in the browser, an empty page will be shown.

The HTML code of this empty page reveals some hyperlinks to subpages of the web interface. If those get accessed directly in the browser, the authentication dialog shows up again. But after clicking "Cancel", the page will be shown regardless of the cancelled authentication and the data in the form fields is shown.

It is not possible to manipulate any of the data. When changing parameters and sending the POST request, the server answers with an error page. The error page contains a javascript popup telling the user that he does not have enough permissions.

This means that an attacker is able to bypass the authentication of the web interface and access the information contained in the admin interface websites.

Proof of Concept

Directly surf to one of the following URLs:

https://switchblade.example.com/config/ip_management.htm https://swtichblade.example.com/config/snmp_config.htm

Click "Cancel" to abort the authentication dialog. The frame with the form fields will be shown anyway.

More URLs can be found by clicking "Cancel" and viewing the source code of the main page.

Workaround

Block access to the PRIMERGY BX300 web interface for all untrusted users.

Fix

The vulnerability will not be fixed by the vendor, as the BX300 product line is discontinued.

Security Risk

The risk of this vulnerability is medium. The attacker is cannot manipulate the entries he sees, as the server will check if the user has the permissions to change any data. Being able to see the data in the form fields however is an information disclosure which gives the attacker valuable information about his targets.

In case of the SNMP community strings, the attacker may be able to get access to the systems' SNMP functionality, as with SNMPv1 and v2, the community string is held secret. Only users knowing the community string (or users having access to the connection, as the string is sent in cleartext) can access the SNMP functionality. The snmp_config.htm page will reveal this information to the attacker.

History

2007-05-14 First contact with the responsible contact person, gets the advisory 2007-05-23 Vulnerability gets confirmed by field support 2007-05-31 On request by RedTeam Pentesting, a test system is kindly provided by Fujitsu-Siemens for some further tests 2007-06-18 CVE number assigned 2007-07-03 Vendor tells RedTeam Pentesting about the decision not to fix the vulnerability 2007-07-04 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting is offering individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at http://www.redteam-pentesting.de.

-- RedTeam Pentesting GmbH Tel.: +49 241 963-1300 Dennewartstr. 25-27 Fax : +49 241 963-1304 52068 Aachen http://www.redteam-pentesting.de/ Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen, Claus R. F. Overbeck