Holes in Fujitsu Siemens' server products
German security service provider RedTeam Pentesting has reported vulnerabilities in Fujitsu Siemens products that may compromise server security. For instance, the ServerView management tool exhibits a critical flaw in a CGI script that might allow attackers to execute arbitrary commands on the server. The bug resides in the script DBAsciiAccess, which offers a ping functionality for network checks. An IP address can be entered as a parameter that is forwarded to the ping tool without proper sanitization. Simply adding a semicolon to the address is sufficient to allow arbitrary shell commands to be appended, which will be executed with the privileges of the web server.
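As an added illustration (not code from the article, the advisory or Fujitsu Siemens), the following Python shows how a CGI-style ping endpoint of this kind can be hardened: the parameter is accepted only if it parses as a bare IP address, and ping is started from an argument vector rather than through a shell, so a value carrying a semicolon is refused before anything runs. The handler name handle_ping_request, the query key host and the sample inputs are assumptions for the demo.

```python
import ipaddress
import subprocess


def validate_host(param):
    """Return the canonical IP string, or None if the parameter is not a bare
    IPv4/IPv6 address. A value with shell metacharacters such as ';' does
    not parse as an address and is rejected at this step."""
    try:
        return str(ipaddress.ip_address(param.strip()))
    except ValueError:
        return None


def build_ping_argv(host, count=3):
    """Build the argument vector for ping. No shell is involved, so even a
    value that slipped past validation could not append a second command."""
    ip = validate_host(host)
    if ip is None:
        raise ValueError("host parameter is not a valid IP address")
    return ["ping", "-c", str(count), ip]


def handle_ping_request(params, runner=subprocess.run):
    """Hypothetical CGI-style handler; params is the parsed query dict.
    Returns (http_status, body). Rejected parameters are reported so they
    can be written to a log and picked up by monitoring."""
    host = params.get("host", "")
    try:
        argv = build_ping_argv(host)
    except ValueError as exc:
        # Keep the raw value for the log, but never echo it back unescaped.
        return 400, f"rejected host parameter ({exc}): {host!r}"
    result = runner(argv, capture_output=True, text=True, timeout=15)
    return 200, result.stdout


if __name__ == "__main__":
    def offline_runner(argv, **kwargs):
        # Stand-in for subprocess.run so the demo needs no network access.
        return subprocess.CompletedProcess(argv, 0, stdout=" ".join(argv), stderr="")

    # Constructed sample inputs: one benign address, one with a semicolon appended.
    for sample in ({"host": "192.0.2.1"}, {"host": "192.0.2.1; id"}):
        status, body = handle_ping_request(sample, runner=offline_runner)
        print(status, body)
```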
While the RedTeam experts do not specify whether or not authentication is required prior to accessing ServerView from the web, they recommend that access for untrusted users be blocked as a workaround. The bug has been fixed in ServerView version 4.50.09 for Linux. It seems that Fujitsu Siemens does not mention that the new version closes a critical hole.
The Fujitsu Siemens BX300 Switch Blade product also discloses information that can be exploited for attacks. For instance, the web interface may display information on the current configuration, such as the SNMP community string, even where authentication has failed. Fujitsu Siemens has been informed of this problem, but has evidently decided not to fix it.
- Fujitsu-Siemens ServerView Remote Command Execution, security advisory by RedTeam Pentesting
- Fujitsu-Siemens PRIMERGY BX300 Switch Blade Information Disclosure, security advisory by RedTeam Pentesting