MRV In-Reach console server: Port Access Control Bypass Vulnerability

2005-07-19T00:00:00
ID SECURITYVULNS:DOC:9227
Type securityvulns
Reporter Securityvulns
Modified 2005-07-19T00:00:00

Description

Hi,

this is another bug I encountered during my research on console servers.

Summary: Port Access Control Bypass Vulnerability on MRVs In-Reach console servers.

Details: MRV's In-Reach console servers come with feature that enables access to their ports by ssh public keys. As opposed to e.g. standard password based authentication it's not checked whether the user is allow to access this port (note: on modern console servers you can set port permissions on user basis). Research showed that port-based restrictions were nullified which means that every user can access consoles of every device hooked up if they were set up by the administrative account of the console server to use ssh public key authentication.

Vulnerable Versions: Tested on "Software Version 3.5.0", tested on InReach LX-8000, 4000 and 1000 series.

Patches/Workarounds: Vendor has released 3.5.1 which according to vendors information should fix the issue (Rel-Notes of 3.5.1 and 3.5.0.1 however don't mention it). For more info see http://service.mrv.com/support/index.cfm

Alternatively administrators on MRV In-Reach console servers should not allow users using ssh public key based authentication.

Exploit: Design Flaw, exploit not needed.

Cheers, Dirk

-- Dr. Dirk Wetter http://drwetter.org Consulting IT-Security + Open Source Key fingerprint = 80A2 742B 8195 969C 5FA6 6584 8B6E 59C1 E41B 9153