this is another bug I encountered during my research on console servers.
Summary: Port Access Control Bypass Vulnerability on MRVs In-Reach console servers.
Details: MRV's In-Reach console servers come with feature that enables access to their ports by ssh public keys. As opposed to e.g. standard password based authentication it's not checked whether the user is allow to access this port (note: on modern console servers you can set port permissions on user basis). Research showed that port-based restrictions were nullified which means that every user can access consoles of every device hooked up if they were set up by the administrative account of the console server to use ssh public key authentication.
Vulnerable Versions: Tested on "Software Version 3.5.0", tested on InReach LX-8000, 4000 and 1000 series.
Patches/Workarounds: Vendor has released 3.5.1 which according to vendors information should fix the issue (Rel-Notes of 3.5.1 and 126.96.36.199 however don't mention it). For more info see http://service.mrv.com/support/index.cfm
Alternatively administrators on MRV In-Reach console servers should not allow users using ssh public key based authentication.
Exploit: Design Flaw, exploit not needed.
-- Dr. Dirk Wetter http://drwetter.org Consulting IT-Security + Open Source Key fingerprint = 80A2 742B 8195 969C 5FA6 6584 8B6E 59C1 E41B 9153