@Thecus: N5200/2.00.04 vulnerabilities
@Thecus,
please check tSupport for the following issues (partly CRITICAL):
AGK-30478-710
BTW-14968-778
CDH-48427-714
KWX-84921-681
KOX-86555-282
Two of them got a status of "bounced", which seems to be caused by the notification mail not being delivered. If you (or your R&D guys) do not find one of these tickets, please get back to me (take the email address from one of the tickets visible).
Best regards,
Falk John
Re: @Thecus: N5200/2.00.04 vulnerabilities
Dear Sir,
Thanks for the post about these tickets. In fact, we have had several meetings about your issue, so we will reply to you directly.
Yvon.
Re: @Thecus: N5200/2.00.04 vulnerabilities
Yvon,
there are 4 more tickets (numbers below).
JSW-66307-431 (CRITICAL)
EKX-11950-455
CDI-96011-760
EKL-94221-327
Best regards,
Falk
Re: @Thecus: N5200/2.00.04 vulnerabilities
Hi Falk,
any reason why you don't share the problems with us?
br
Peter
Re: @Thecus: N5200/2.00.04 vulnerabilities
yeah,
if these vulnerabilities are there, don't owners deserve to know before their systems are victims?
Knowing about something wrong with a product and not advising users is the best way to end up with lawyers on your back and really bad press.
Re: @Thecus: N5200/2.00.04 vulnerabilities
To avoid answering everyone by PM ...
if I posted details on vulnerabilities that no one except an owner of such a box will probably find, your box WILL become a victim before Thecus is able to provide fixes. The last fixes took 4 months.
What I can tell is that the WebUI is vulnerable to shell code injection - most of the issues require successful authentication so the risk is there but can be controlled.
Best regards and Merry Christmas,
Falk
Re: @Thecus: N5200/2.00.04 vulnerabilities
OK - I understand that security vulnerabilities are not posted publicly
br
Peter
Re: @Thecus: N5200/2.00.04 vulnerabilities
I think what we need to know is:
Do we need to disable access to the Thecus units via the internet?
(And whether it's just the N5200s that are affected)
Obviously if all the issues require successful authentication before anything can be done, that is less of an issue.
Re: @Thecus: N5200/2.00.04 vulnerabilities
Some of the vulnerabilities do not require authentication, some do.
I would suggest not opening the WebUI to untrusted networks as long as no pre-authentication (Firewall, Proxy, ...) is performed - so, in most cases, disable access to the WebUI from outside your LAN.
Since I do not own boxes other than the N5200/Pro, I cannot tell for sure if these vulnerabilities exist on others as well, but I suppose that at least the 1U4500 and N4100 may be affected. I will try to check these FWs today and will come back with the results.
/Falk