Wiki source code of Security Advisory 2012-09-13

Version 15.1 by Arthur Heffern on 2012/09/17 11:08

This advisory discloses security vulnerabilities that we have found in iSymphony and fixed in a recent version of iSymphony.

* **Customers who have downloaded and installed iSymphony** should apply OS-based firewalling to their existing iSymphony installations to address this vulnerability.

i9 Technologies is committed to improving product security, and an update will be posted which addresses this issue.

If you have questions or concerns regarding this advisory, please raise a support request at [[http:~~/~~/www.getisymphony.com/support>>url:http://www.getisymphony.com/support||shape="rect"]].

**In this advisory:**

{{toc/}}

= Security Vulnerabilities =

== Vulnerability ==

==== Severity ====

MEDIUM - HIGH

==== Risk Assessment ====

The iSymphony Server CLI connection on TCP port 50001 has no IP- or subnet-based permission scheme. If TCP port 50001 on your iSymphony Server installation is reachable over the network and not firewalled, the CLI is exposed to malicious attackers, and internal organizational information can be obtained simply by connecting to this port with telnet.

==== Vulnerability ====

iSymphony does not provide a mechanism for IP-based permissions that would restrict connections to the iSymphony Command Line Interface to selected source addresses.

==== Fix ====

Use IPTables / IPChains (Linux), IPFW (BSD), or a third-party firewall implementation or appliance to apply firewall-based filtering that prohibits access to TCP port 50001 on the machine hosting the iSymphony Server component.
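As an added example of the Linux variant of this fix (not i9 Technologies' code or part of the original advisory), the following script generates iptables rules that confine the iSymphony CLI port to an allow-list of trusted sources and drop everything else. The allow-list addresses (192.0.2.0/24 and 10.0.0.5/32) are constructed placeholders for your own administration network; the chain name ISYMPHONY_CLI is an assumption.

```shell
#!/bin/sh
# Added example: restrict the iSymphony Server CLI (TCP 50001) with iptables.
# Assumes a Linux host with iptables; the allow-list below is a constructed
# placeholder, replace it with the subnet(s) your administrators connect from.

ISYMPHONY_CLI_PORT=50001

# Print the iptables commands for a space-separated list of allowed CIDRs.
# Printing rather than executing lets you review the rules before applying
# them with:  isymphony_cli_rules "192.0.2.0/24" | sh
isymphony_cli_rules() {
    allowlist="$1"
    chain="ISYMPHONY_CLI"   # hypothetical chain name for the CLI policy
    # Create the chain (or flush it if it already exists) so reruns are idempotent
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    # Local administration on the server itself stays possible
    echo "iptables -A $chain -i lo -j ACCEPT"
    # Each trusted source range gets an explicit ACCEPT
    for src in $allowlist; do
        echo "iptables -A $chain -s $src -j ACCEPT"
    done
    # Log a rate-limited sample of rejected connections so probing is visible
    echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"isymphony-cli-drop: \""
    # Default deny for every other source
    echo "iptables -A $chain -j DROP"
    # Route only NEW inbound connections to the CLI port through the chain
    echo "iptables -I INPUT -p tcp --dport $ISYMPHONY_CLI_PORT -m conntrack --ctstate NEW -j $chain"
}

# Generate the rule set for the constructed allow-list
isymphony_cli_rules "192.0.2.0/24 10.0.0.5/32"
```

After applying the rules, confirm from a host outside the allow-list that a connection to port 50001 times out, and from an allowed host that it still succeeds.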