Security update for LANDesk Management Gateway
An error in the web interface of the LANDesk Management Gateway allows an attacker to inject their own commands, which are passed to the shell of the underlying system and run with root privileges. According to the appliance manufacturer, the affected versions are 4.0-1.48 and 4.2-1.8.
The software update GSBWEB_61 closes the hole. According to Core Security, which discovered the problem, the flaw can only be exploited in conjunction with cross-site request forgery. The error report therefore describes not only the command injection vulnerability, but also the CSRF vulnerability and a cross-site scripting vulnerability.
See also:
- LANDesk Management Gateway GSB Software Vulnerability, a report from LANDesk.
- LANDesk Command Injection, a report by Core Security.
(djwm)