[NEWS] Red-M Red-Alert Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 02/12/04

    To: list@securiteam.com
    Date: 12 Feb 2004 11:59:31 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Red-M Red-Alert Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.red-m.com/Products/Default.asp#alert> Red-Alert "Monitors
    Bluetooth and 802.11b wireless activity around the clock to detect
    security risks".

    Several vulnerabilities have been found in the Red-Alert probe. As a
    result, the probe could be reset or accessed by unauthorized users.

    DETAILS

    Vulnerable Systems:
     * Red-Alert with hardware version 2.7.5, software version 3.1 build 24

    Probe Reset
    Any unauthenticated user can remotely reboot the Red-Alert appliance
    through a malformed request to the web server. When a browser request is
    longer than approximately 1230 bytes, the appliance reboots. Consequently,
    all information is lost. Anything sent to the device's TCP port 80 longer
    than approx. 1230 bytes reboots it, whether it's a valid request or not.
    In order to test the vulnerability, issue the following request:

    $ perl -e 'print "a"x1230 . "\r\n\r\n"' | nc <device ip> 80

    Probe Administration Authentication
    The authentication of the probe administrator is bound to the user's IP
    address. If multiple users are behind NAT or a proxy, any of those users
    can access the administration GUI without restrictions once the admin
    has authenticated successfully. The authentication does, in fact, expire
    after a few minutes of inactivity. However, since the events popup page
    auto-refreshes itself, the session will potentially never expire.
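
    The following is an added example, not code from the advisory or from the
    vendor: it models the IP-bound session described above beside a token-bound
    session whose idle timer ignores auto-refresh polls. Class names, timeout
    values and the NAT address are assumptions made for the illustration.

```python
import secrets
IDLE_TIMEOUT = 300        # assumed; the advisory only says "a few minutes"
ABSOLUTE_TIMEOUT = 3600   # assumed hard cap on session lifetime

class IpBoundAuth:
    """Behaviour described in the advisory: the session is keyed by source IP."""
    def __init__(self):
        self.last_seen = {}                 # source IP -> time of last request
    def login(self, ip, now):
        self.last_seen[ip] = now
    def authorized(self, ip, now, background=False):
        seen = self.last_seen.get(ip)
        if seen is None or now - seen > IDLE_TIMEOUT:
            return False
        self.last_seen[ip] = now            # any request, auto-refresh included, extends it
        return True

class TokenBoundAuth:
    """Hardened form: session keyed by a random token issued at login."""
    def __init__(self):
        self.sessions = {}                  # token -> [created, last user activity]
    def login(self, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = [now, now]
        return token
    def authorized(self, token, now, background=False):
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s[1] > IDLE_TIMEOUT or now - s[0] > ABSOLUTE_TIMEOUT:
            del self.sessions[token]
            return False
        if not background:                  # auto-refresh polls are not user activity
            s[1] = now
        return True

def simulate():
    nat_ip = "203.0.113.7"   # constructed: admin and a second user share this NAT address
    weak, strong = IpBoundAuth(), TokenBoundAuth()
    weak.login(nat_ip, 0)
    token = strong.login(0)
    for t in range(60, 1801, 60):   # events popup polls for 30 min, no user input
        weak.authorized(nat_ip, t, background=True)
        strong.authorized(token, t, background=True)
    return {
        "weak_second_user": weak.authorized(nat_ip, 1800),     # no credentials supplied
        "strong_second_user": strong.authorized(None, 1800),   # no token to present
        "strong_admin_idle": strong.authorized(token, 1800),
    }
```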

    Incorrect Identification Of Wireless Network With SSID Containing Multiple
    Spaces
    If the probe detects wireless networks with an SSID containing multiple
    space (0x20) characters, it fails to identify them correctly. For
    example, if a network has the SSID " ", the probe
    will detect it as " " (single space character). Any sequence of multiple
    space characters in any substring of the SSID is represented as one
    single space character, which causes identification to fail.

    Vendor Status:
    The vendor has released a new firmware version.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:morisson@genhex.org> Bruno
    Morisson.
