Wiki source code of Security Advisory 2012-09-13

Version 15.1 by Arthur Heffern on 2012/09/17 11:08

author	version	line-number	content
		1
		2
		3	(% style="color: rgb(0, 0, 0); color: rgb(51, 51, 51)" %)This advisory discloses security vulnerabilities that we have found in iSymphony and fixed in a recent version of iSymphony.
		4
		5	* Customers who have downloaded and installed iSymphony should implement OS-based firewalling to their existing iSymphony installations to fix this vulnerability. (% style="color: rgb(0,0,0);" %)
		6
		7	(% style="color: rgb(0,0,0);" %)i9 Technologies is committed to improving product security and an update will be posted which addresses this issue.(% style="color: rgb(255,0,0);" %)
		8
		9
		10	If you have questions or concerns regarding this advisory, please raise a support request at [[http:~~/~~/www.getisymphony.com/support>>url:http://www.getisymphony.com/support\|\|shape="rect"]].
		11
		12	In this advisory:
		13
		14
		15
		16	{{toc/}}
		17
		18	= Security Vulnerabilities =
		19
		20	== Vulnerability ==
		21
		22	==== Severity ====
		23
		24	MEDIUM - HIGH
		25
		26	==== Risk Assessment ====
		27
		28	iSymphony Server CLI connection on TCP port 50001 does not have IP/Subnet based permission schema. If your iSymphony Server installation's TCP port 50001 is accessible via a network connection and not firewalled, the CLI may be subject to malicious attackers, or internal organization information may be obtained from telnet based usage of this port.
		29
		30	==== Vulnerability ====
		31
		32	iSymphony does not provide a mechanism implementing IP based permissions allowing for selective source-address connections to the iSymphony Command Line Interface.
		33
		34	==== Fix ====
		35
		36	Utilize IPTables / IPChains (Linux), IPFW (BSD), 3rd Party Firewall implementation or appliance to effect firewalling based filtering prohibiting access to TCP Port 50001 on machine hosting the iSymphony Server component.