Multiple vendor 3rd party tool for the iSeries AS/400 FTP server security bypass

multiple-vendor-security-bypass (20260) The risk level is classified as HighHigh Risk

Description:

Multiple 3rd party applications used to secure the iSeries AS/400 FTP server could allow a remote attacker to bypass security restrictions, caused by a vulnerability in the verification of the requested path with a FTP transaction. A remote attacker could use this vulnerability to bypass security restrictions and gain unauthorized access to files and resources on the system.

Platforms Affected:

  • Bsafe Information Systems, Bsafe/Global Security
  • IBM, OS 400
  • NetIQ, NetIQ PSSecure
  • NetIQ, NetIQ Security Manager 4.x
  • PowerTech Group, PowerLock NetworkSecurity
  • Raz-Lee, Raz-Lee Firewall plus plus plus
  • SafeStone Technologies, SafeStone DetectIT
  • Secure/Net, Secure/Net

Remedy:

For Raz-Lee Firewall +++:
Upgrade to the latest version of Raz-Lee Firewall (11.1 or later), available from the Raz-Lee Web site. See References.

For Secure/Net:
Upgrade to the latest version of SECURE/NET (2 or later), available from the Secure/Net Home Web site. See References.

For PowerLock NetworkSecurity:
Upgrade to the latest version of PowerLock NetworkSecurity, available from the PowerTech Group Web site. See References.

For NetIQ PSSecure:
No remedy available as of July 2007.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Bypass Security

References:

  • Canonicalization problems in iSeries FTP security, Insufficient default FTP access control at http://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf.
  • Castlehill Computer Services Ltd. Web site, Products and Services, Secure/Net at http://mailgate.ccs400.com/xpr008.asp.
  • NetIQ Security Manager Web site, NETIQ SECURITY MANAGER at http://www.netiq.com/products/sm/default.asp.
  • Raz-Lee Web site, Raz-Lee Products, Security +++, Firewall === at http://www.razlee.com/products/product_data_sheet.php?a_field=Security&a_product=Firewall.
  • BID-13310: Raz-Lee Security+++ Suite Input Validation Vulnerability
  • BID-13311: Palace Guard Software Secure/NET+ Input Validation Vulnerability
  • BID-13312: PowerTech PowerLock Input Validation Vulnerability
  • CVE-2005-1238: By design, the built-in FTP server for iSeries AS/400 systems does not support a restricted document root, which allows attackers to read or write arbitrary files, including sensitive QSYS databases, via a full pathname in a GET or PUT request.
  • CVE-2005-1239: Directory traversal vulnerability in the third party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via .. sequences in a GET request.
  • CVE-2005-1240: Directory traversal vulnerability in the third party tool from Castlehill, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via .. sequences in a GET request.
  • CVE-2005-1241: Directory traversal vulnerability in the third party tool from Powertech, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via .. sequences in a GET request.
  • CVE-2005-1242: Directory traversal vulnerability in the third party tool from Bsafe, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via .. sequences in a GET request.
  • CVE-2005-1243: Directory traversal vulnerability in the third party tool from SafeStone, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via .. sequences in a GET request.
  • CVE-2005-1244: ** DISPUTED ** Directory traversal vulnerability in the third party tool from NetIQ, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via .. sequences in a GET request. NOTE: the vendor has disputed this issue, saying that neither NetIQ Security Manager nor our iSeries Security Solutions are vulnerable.
  • OSVDB ID: 15791: NetIQ Security Manager Traversal File Restriction Bypass
  • SECTRACK ID: 1013810: NetIQ PSSecure May Let Remote Users Bypass AS/400 FTP Access Controls

Reported:

Apr 25, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page