This advisory discloses security vulnerabilities that we have found in the iSymphony Server component.
- Customers who have downloaded and installed iSymphony should implement OS-based firewalling to their existing iSymphony installations to fix this vulnerability.
i9 Technologies is committed to improving product security and an update will be posted which addresses this issue.
If you have questions or concerns regarding this advisory, please raise a support request at http://www.getisymphony.com/support.
iSymphony, by default uses the following TCP ports to communicate with the outside world:
|TCP Port Number||Purpose|
|50000||Client <-> Server Event Communication|
|50001||Command Line Interface|
|50002||Text Based Presence Status Socket|
|50003||Embedded HTTP Server To Serve Java WebStart (JNLP) Files|
iSymphony Server TCP sockets on the above listed TCP port numbers do not have IP/Subnet based permission schema. If your iSymphony Server installation's ports 50001 to 50003 are accessible via a network connection and not firewalled, the the above ports may be subject to malicious attackers, or internal organization information may be obtained from telnet based usage of this port (see note below).
Port 50000 does utilize encryption for server-client authentication and message passing, so it would be incredibly unlikely for malicious attackers to utilize this port in any meaningful fashion.
iSymphony does not provide a mechanism implementing IP based permissions allowing for selective source-address connections to the iSymphony Command Line or Text Based Interfaces.
Utilize IPTables / IPChains (Linux), IPFW (BSD), 3rd Party Firewall implementation or appliance to effect firewalling based filtering prohibiting unauthorized access to TCP Ports listed above on machine hosting the iSymphony Server component.