
Re: TS-2007-003-0: BlueCat Networks Adonis CLI root privilege escalation



BlueCat Networks is aware of this situation involving the CLI (known as the 
Adonis Administration Console) that can give an admin user unauthorized root 
privileges on the system.

This situation may only arise if an administrator has admin login capabilities 
to the CLI, whether through SSH access or direct access to the system, i.e. 
monitor and keyboard.

Please note that this situation is only possible if someone has both access to 
the system and the admin password. In most customer environments such access 
should be highly restricted to trusted personnel. Commonly, those trusted 
personnel have access to the system with both the admin and the root passwords, 
which will give them root access regardless.

We would like to note that the Proteus IPAM appliance is not affected by this 
issue.


We are currently investigating this issue with the intention of amending the 
product to diminish the likelihood of this occurring. A patch should be 
available shortly. In the meantime, we are recommending that customers do all 
of the following:

1. Check administrative access: make sure that only trustworthy people 
are chosen as administrators, so that only they will have access to the 
system and will not abuse it.

2. Change passwords if necessary and distribute new passwords only to 
valid trusted admins.

3. Disable SSH remote access to the Adonis system: this will prevent 
users from accessing the system remotely, requiring direct access to the Adonis 
system for CLI access.

4. Ensure that the Adonis system is physically secured: this will prevent 
unauthorized users from accessing the CLI.


Kindest regards,
BlueCat Networks Security