Cyclades AlterPath Manager Arbitrary Console Connection

Product:
AlterPath Manager (APM) Console Server

Released:
01/23/2005

Description:
AlterPath Manager (APM) allows any logged-in user to connect to any console attached to the AlterPath, ignoring the access restrictions configured in the APM.

Systems Affected:
AlterPath Manager 1.1.0
AlterPath Manager 1.2.1 and 1.2.0 partially affected

Technical Description:
Access restrictions in the APM prevent users from seeing consoles they are not allowed to connect to. However, this can be bypassed by simply specifying any console's name in the consoleConnect.jsp URL. Once the URL is changed and loaded, the user will be taken directly to the console.

Example (substitute "console_name" with the real name of a console defined in the APM):

  • /usermode/consoleConnect.jsp?consolename=console_name

Note: In versions 1.2.0 and 1.2.1 of the APM, the user must have at one time been authorized to access the console, and have actually connected to it via the web interface. If the user's access to that console is removed, they are still able to access the console via URL modification.
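As an added illustration (not code from the advisory, from Cyclades, or from the APM itself), the following Python model contrasts the three behaviours described above: a 1.1.0-style handler that never authorizes the consolename parameter, a 1.2.x-style handler that authorizes once per session and then trusts its cache, and a handler that re-checks the current ACL on every request. The user, console and ACL names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlparse

# Constructed sample data: user, console and ACL names are illustrative,
# not taken from the advisory or from any real APM configuration.
CONSOLES: Set[str] = {"db-server-1", "web-server-1", "router-core"}
ACL: Dict[str, Set[str]] = {"alice": {"db-server-1"}, "bob": {"web-server-1"}}


@dataclass
class Session:
    user: str
    # Consoles this session has already connected to (the 1.2.x-style cache).
    connected: Set[str] = field(default_factory=set)


def console_name_from_url(url: str) -> Optional[str]:
    """Extract the consolename query parameter from a consoleConnect.jsp URL."""
    return parse_qs(urlparse(url).query).get("consolename", [None])[0]


def connect_1_1_style(session: Session, url: str) -> bool:
    """1.1.0 behaviour: restrictions only hide consoles in the list shown to
    the user; the parameter is never authorized, so any defined console is reachable."""
    return console_name_from_url(url) in CONSOLES


def connect_1_2_style(session: Session, url: str, acl: Dict[str, Set[str]] = ACL) -> bool:
    """1.2.x behaviour: authorize on the first connection, then trust the
    session cache, so a later ACL revocation is never noticed."""
    name = console_name_from_url(url)
    if name in session.connected:
        return True
    if name in acl.get(session.user, set()):
        session.connected.add(name)
        return True
    return False


def connect_fixed(session: Session, url: str, acl: Dict[str, Set[str]] = ACL) -> bool:
    """Hardened: consult the current ACL for the requested console on every request."""
    name = console_name_from_url(url)
    return name in CONSOLES and name in acl.get(session.user, set())
```

The same check must also run wherever the console session is actually opened (not only in the page that renders the console list), since hiding a link is not an authorization control.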

Fix/Workaround:
This issue was partially corrected in APM release 1.2.0 (see Technical Note above). A patch for APM v1.2.1 is available at ftp://ftp.cyclades.com/pub/cyclades/alterpath/e2000/released/V_1.2.1/pat...

Vendor Status:

  • Cyclades was notified on 12/13/2004 and confirmed receipt on 12/14/2004.
  • Cyclades responded to an inquiry on 1/20/2005 to confirm version 1.2.5 would address this issue.
  • Cyclades responded to an inquiry on 2/15/2005 to state they still did not have a release date, but did not respond with more information.
  • Released on 2/23/2005.
  • Cyclades responded on 2/25/2005 to clear up version information, provide information on v1.2.1 for this vulnerability, and notify of patch release.

Contacts:
sullo@cirt.net

References:
Updated information can be found on OSVDB.org under the following entries:

OSVDB-14075 Cyclades AlterPath Manager consoleConnect.jsp Arbitrary Console Connection

Updates:

  • Advisory listed 1.2.0 and 1.2.1 as vulnerable, which was incorrect. This was fixed partially as of APM version 1.2.0. Added tech note describing the circumstances.
  • Added APM patch information.