n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2008.009 27-October-2008 ________________________________________________________________________ ____ Vendor: Eaton MGE office protection systems Affected Products: Network Shutdown Module version 3.10 Vulnerability: authentication bypass vulnerability and remote code execution Risk: High ________________________________________________________________________ ____ Vendor communication: 2008/08/13 initial notification of EATON MGE Office Protection Systems (MGEOPS) 2008/08/20 second notification of MGEOPS 2008/08/20 MGEOPS confirmation of receiving information 2008/08/25 receiving patch proposal from MGEOPS 2008/08/29 confirmation of proper patch, asking of release date 2008/09/02 awaiting feedback regarding release date of the patch 2008/09/18 patch and new version undergoing QA process of MGEOPS still no release date known 2008/10/07 another request regarding the release date 2008/10/21 MGEOPS informs n.runs AG about release of the new software version 2008/10/27 n.runs AG releases this advisory ________________________________________________________________________ ____ Overview: -------- EATON MGE Office Protection Systems designs and manufactures secured power products and solutions for enterprises, small business and homes. The Network Shutdown Module continuously wait for information from the Management Proxy or Management Card connected to the EATON UPS and warns administrators and users if AC power fails and proceeds with graceful system shutdown before the end of battery backup power is reached. Description: -------- Remote exploitation of an authentication bypass vulnerability could allow an attacker to execute arbitrary code. In detail, the following flaw was determined: - Custom actions can be added to the MGE frontend without authentication required (pane_actionbutton.php) - Actions can be executed (tested) without authentication required (exec_action.php) Impact: -------- This problem can lead to a remote file execution vulnerability. It can allow an attacker to add and execute custom actions. The commands to be executed are included within the added action. The vulnerability is present in MGE Network Shutdown Module software versions prior 3.10 build 13. Solution -------- EATON MGE Office Protection Systems has issued an update to correct this vulnerability. A new version of the software (version 3.20) can be found at: http://download.mgeops.com/explore/eng/network/net_sol.htm ________________________________________________________________________ Credits: Bug found by Jan Rossmann and Jan Wagner of n.runs AG. ________________________________________________________________________ References: This Advisory and Upcoming Advisories: http://www.nruns.com/security_advisory.php Subscribe to the n.runs newsletter by signing up to: http://www.nruns.com/newsletter_en.php ________________________________________________________________________ About n.runs: n.runs AG is a vendor-independent consulting company specialising in the areas of: IT Infrastructure, IT Security and IT Business Consulting. In 2007, n.runs expanded its core business area, which until then had been project based consulting, to include the development of high-end security solutions. Application Protection System - Anti Virus (aps-AV) is the first high-end security solution that n.runs is bringing to the market. Copyright Notice: Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security (at) nruns (dot) com [email concealed] for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages. Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.