Thursday, 24 July 2014

Dell ignoring critical flaws in router and server-management systems

Dell keeps quiet about router and server-management system security flaws
Dell is refusing to publicly acknowledge a flaw in a number of its products that could theoretically be used by hackers to steal control of victims' systems.
The vulnerabilities were first discovered in IBM keyboard, video and mouse (KVM) switches in May by independent security researcher Alejandro Alvarez Bravo.
In a post on the Full Disclosure forum, Alvarez Bravo said the vulnerability – while originally found in IBM systems – is also present in several other companies' products, including Dell's.
"The IBM 1754 GCM family provides KVM over IP and serial console management technology in a single appliance. Versions v1.20.0.22575 and prior are vulnerable. Note that this vulnerability is also present in some Dell and probably other vendors of this rebranded KVM," he wrote.
"[The] improperly sanitised input may allow a remote authenticated attacker to perform remote code execution on the GCM KVM switch."
KVM switches let IT departments remotely manage equipment such as servers and routers.
IBM issued patches for the vulnerabilities on 14 July, but Alvarez Bravo told V3 that despite contacting Dell two months ago about the danger its customers face, he has yet to receive a reply from the firm.
"Dell was informed two months ago via security@dell.com but no response or acknowledgement has been received. Unfortunately I don't have a list of affected KVM switches. I only know that they all share the same firmware with branding modifications. The original firmware was made by Emerson's Avocent," he said.
"In a previous vulnerability for this KVM (CVE-2013-0526), people from OpenVAS pointed me to look at Shodan for 'AEWS+%2B301+Moved+Permanently' to locate some of them. I've checked that these KVMs are also prone to new vulnerabilities."
Researchers at Kaspersky Labs reported suffering similar issues with contacting Dell in a blog post. At the time of publishing Dell had not responded to V3's request for comment.
Dell and IBM are two of many firms to have flaws found in their products in recent weeks. Cisco was forced to release a security update on Friday for multiple versions of its Small Office/Home Office (SoHo) routers, fixing a critical flaw that left users open to attack by hackers.
