
Re: TS-2007-002-0: BlueCat Networks Adonis root Privilege Access



BlueCat Networks acknowledges the existence of this issue and our testing 
confirms that this can allow a Proteus Administrator to write arbitrary data 
using TFTP to an Adonis system and potentially damage or compromise it.

This issue is the result of data validation errors in Proteus with respect to 
TFTP and can only be exploited by users with administrative privileges to the 
Proteus Admin Interface and sufficient access rights.  Without authenticated 
access to the Proteus Admin Interface, this vulnerability cannot be exploited, 
and we therefore consider it a minor security issue.  BlueCat Networks will be 
fixing this issue in an update to Proteus that will be made available shortly.

To prevent exploitation of this issue, BlueCat Networks recommends that 
customers restrict access to the TFTP services on Proteus through the Access 
Rights menu.  This can be done at two levels within the product:

1. At a configuration level - by changing the access for TFTP Objects 
within the configuration (TFTP File, TFTP Folder and TFTP Group) to Hide or 
View privileges.
2. At the TFTP Group level - by changing the access for TFTP Objects 
within the group (TFTP File and TFTP Folder) to Hide or View privileges.



Kindest regards,
BlueCat Networks Security