Multiple vendor 3rd party tool for the iSeries AS/400 FTP server security bypass
multiple-vendor-security-bypass (20260)
Description:
Multiple third-party applications used to secure the iSeries AS/400 FTP server could allow a remote attacker to bypass security restrictions, caused by a vulnerability in how the requested path is verified in an FTP transaction. A remote attacker could use this vulnerability to bypass security restrictions and gain unauthorized access to files and resources on the system.
*CVSS:
| Base Score: | 7 |
| Access Vector: | Remote |
| Access Complexity: | Low |
| Authentication: | Not Required |
| Confidentiality Impact: | Partial |
| Integrity Impact: | Partial |
| Availability Impact: | Partial |
| Temporal Score: | 5.2 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Bypass Security
Remedy:
For Raz-Lee's iSecurity Firewall:
Upgrade to the latest version of Raz-Lee Firewall (11.1 or later), available from the Raz-Lee Web site. See References.
For Secure/Net:
Upgrade to the latest version of SECURE/NET (2 or later), available from the Secure/Net Home Web site. See References.
For PowerLock NetworkSecurity:
Upgrade to the latest version of PowerLock NetworkSecurity, available from the PowerTech Group Web site. See References.
For NetIQ PSSecure:
No remedy available as of July 2007.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- Canonicalization problems in iSeries FTP security: Insufficient default FTP access control.
- Castlehill Computer Services Ltd. Web site: Products and Services, Secure/Net.
- NetIQ Security Manager Web site: NETIQ SECURITY MANAGER.
- Raz-Lee Web site: Raz-Lee Products, iSecurity, Firewall.
- BID-13310: Raz-Lee Security+++ Suite Input Validation Vulnerability
- BID-13311: Palace Guard Software Secure/NET+ Input Validation Vulnerability
- BID-13312: PowerTech PowerLock Input Validation Vulnerability
- CVE-2005-1238: By design, the built-in FTP server for iSeries AS/400 systems does not support a restricted document root, which allows attackers to read or write arbitrary files, including sensitive QSYS databases, via a full pathname in a GET or PUT request.
- CVE-2005-1239: Directory traversal vulnerability in the third party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via .. sequences in a GET request.
- CVE-2005-1240: Directory traversal vulnerability in the third party tool from Castlehill, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via .. sequences in a GET request.
- CVE-2005-1241: Directory traversal vulnerability in the third party tool from Powertech, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via .. sequences in a GET request.
- CVE-2005-1242: Directory traversal vulnerability in the third party tool from Bsafe, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via .. sequences in a GET request.
- CVE-2005-1243: Directory traversal vulnerability in the third party tool from SafeStone, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via .. sequences in a GET request.
- CVE-2005-1244: ** DISPUTED ** Directory traversal vulnerability in the third party tool from NetIQ, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via .. sequences in a GET request. NOTE: the vendor has disputed this issue, saying that neither NetIQ Security Manager nor our iSeries Security Solutions are vulnerable.
- OSVDB ID: 15791: NetIQ Security Manager Traversal File Restriction Bypass
- SECTRACK ID: 1013810: NetIQ PSSecure May Let Remote Users Bypass AS/400 FTP Access Controls
Platforms Affected:
- Bsafe Information Systems Bsafe/Global Security
- IBM OS 400
- NetIQ NetIQ PSSecure
- NetIQ NetIQ Security Manager 4.x
- PowerTech Group PowerLock NetworkSecurity
- Raz-Lee Raz-Lee Security Firewall Product
- SafeStone Technologies SafeStone DetectIT
- Secure/Net Secure/Net
Reported:
Apr 25, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
