Security Advisory 2012-09-13
This advisory discloses security vulnerabilities that we have found in the iSymphony Server component.
- Customers who have downloaded and installed iSymphony should implement OS-based firewalling to their existing iSymphony installations to fix this vulnerability.
i9 Technologies is committed to improving product security and an update will be posted which addresses this issue.
If you have questions or concerns regarding this advisory, please raise a support request at http://www.getisymphony.com/support.
Security Vulnerabilities
Vulnerability
Severity
HIGH
Risk Assessment
iSymphony, by default uses the following TCP ports to communicate with the outside world:
TCP Port Number | Purpose |
|---|---|
50000 | Client <-> Server Event Communication |
50001 | Command Line Interface |
50002 | Text Based Presence Status Socket |
50003 | Embedded HTTP Server To Serve Java WebStart (JNLP) Files |
iSymphony Server TCP sockets on the above listed TCP port numbers do not have IP/Subnet based permission schema. If your iSymphony Server installation's ports 50001 to 50003 are accessible via a network connection and not firewalled, the the above ports may be subject to malicious attackers, or internal organization information may be obtained from telnet based usage of this port (see note below).
Vulnerability
iSymphony does not provide a mechanism implementing IP based permissions allowing for selective source-address connections to the iSymphony Command Line or Text Based Interfaces.
Fix
Utilize IPTables / IPChains (Linux), IPFW (BSD), 3rd Party Firewall implementation or appliance to effect firewalling based filtering prohibiting unauthorized access to TCP Ports listed above on machine hosting the iSymphony Server component.