Multiple vulnerabilities in IP3 Networks 'NetAccess' NA75 appliance

Risk: High
Local: Yes
Remote: Yes

--------------------
Multiple vulnerabilities have been identified in IP3 Networks 'NetAccess' NA75 appliance.
--------------------

KPMG recommends that owners of a NetAccess NA75 take steps to ensure the security of the device, and that IP3 Networks is contacted to acquire the new firmware that includes the patches for the issues described. IP3 Networks has requested that customers contact IP3 through

Product: NA75 and possibly others
Revision: na-img-4.0.34.bin
Vendor Status: notified, verified and patch available from 1 April 2006

---------------------

ISSUE 1: Various SQL injection vulnerabilities in the HTTP user interface

Due to the absence of user input validation, attackers can embed SQL commands and queries into various HTTP forms. The impact of this is that attackers can log in to the unit by specifying username 'admin' and password ' OR "1=1';--. This issue was described in 2004, and was reportedly fixed by IP3 in firmware 3.1.18b13. However, as the revision listed above shows, we have found the vulnerability to be present in firmware 4.0.34.

ISSUE 2: Unix command injection vulnerability in command line interface

Due to the absence of user input filtering in the command line interface, attackers can embed Unix commands in certain parameters by enclosing the commands in the Unix shell substitution characters '`'.

ISSUE 3: No mandatory default password change on first login

The default username and password 'admin'/'admin' do not have to be changed at first login. This greatly increases the chance of the password remaining 'admin' after install.

ISSUE 4: World readable shadow password file

The shadow password file contains the encrypted passwords for all users on the system. Password crackers can be used on this file to obtain the plaintext passwords for users.

ISSUE 5: NetAccess database file world readable and writable

The permission settings on the NetAccess database file allow all Unix users read and write access to the file, thereby allowing potentially sensitive customer information to be disclosed.

Ralph Moonen, CISSP
Manager
KPMG Information Risk Management
Amstelveen, The Netherlands
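A permission audit for the findings in ISSUE 4 and ISSUE 5, as an added example that is not part of the original advisory or of IP3's firmware. The paths in the usage comment are assumptions: /etc/shadow is the conventional location of the shadow file, and the advisory does not name the database file, so a placeholder is shown.

```shell
#!/bin/sh
# Added example: audit for the permission findings in ISSUE 4 and ISSUE 5.
# Usage (paths are assumptions, not taken from the advisory):
#   sh audit_perms.sh /etc/shadow /path/to/netaccess-database

# has_perm FILE MASK: succeeds if FILE has every bit of octal MASK set.
# find -L follows a symlink so the mode of the real file is tested.
has_perm() {
    [ -n "$(find -L "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_file FILE: prints one line per finding and returns the number of
# findings (0 means "other" users can neither read nor write the file).
audit_file() {
    file=$1
    findings=0
    if [ ! -e "$file" ]; then
        echo "SKIP $file: not present"
        return 0
    fi
    if has_perm "$file" 004; then
        echo "FAIL $file: world-readable"
        findings=$((findings + 1))
    fi
    if has_perm "$file" 002; then
        echo "FAIL $file: world-writable"
        findings=$((findings + 1))
    fi
    if [ "$findings" -eq 0 ]; then
        echo "OK   $file"
    fi
    return "$findings"
}

# audit_all FILE...: audits each file, returns how many files had findings.
audit_all() {
    failed=0
    for f in "$@"; do
        audit_file "$f" || failed=$((failed + 1))
    done
    return "$failed"
}

# Run only when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_all "$@"
fi
```

The exit status is the number of files with findings, so the script can gate a post-upgrade check that the patched firmware no longer leaves either file accessible to other users.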
