Security Advisory 2012-09-13
This advisory discloses security vulnerabilities that we have found in the iSymphony Server component.
- Customers who have downloaded and installed iSymphony should implement OS-based firewalling to their existing iSymphony installations to fix this vulnerability.
i9 Technologies is committed to improving product security and an update will be posted which addresses this issue.
If you have questions or concerns regarding this advisory, please raise a support request at http://www.getisymphony.com/support.
Security Vulnerabilities
Vulnerability
Severity
MEDIUM - HIGH
Risk Assessment
iSymphony Server CLI connection on TCP port 50001 does not have IP/Subnet based permission schema. If your iSymphony Server installation's TCP port 50001 is accessible via a network connection and not firewalled, the CLI may be subject to malicious attackers, or internal organization information may be obtained from telnet based usage of this port.
Vulnerability
iSymphony does not provide a mechanism implementing IP based permissions allowing for selective source-address connections to the iSymphony Command Line Interface.
Fix
Utilize IPTables / IPChains (Linux), IPFW (BSD), 3rd Party Firewall implementation or appliance to effect firewalling based filtering prohibiting access to TCP Port 50001 on machine hosting the iSymphony Server component.