Security bugs on console servers

All of these bugs were discovered during research on console servers in 2005 (in German). Most of them are fixed, or supposedly fixed, by now. Upgrade your firmware.

  • acs-ssl.retrieval.txt: pulling RSA PRIVATE KEY from a Cyclades ACS *)
  • acs.cyclades.ssldump.txt: using this SSL key to sniff an HTTPS session (watch out for the line containing the username/password pair)
  • avocent-sshbug.txt: circumventing port-based user ACLs on an Avocent CCM
  • mrv-sshbug.txt: circumventing port-based user ACLs on an MRV In-Reach via SSH public key authentication
  • rari-problems.txt: 1) no password set for the sshd and dominion users, 2) world-readable /etc/shadow, 3) world-writeable /bin/busybox *)
  • scs.nmap.txt: not an immediate problem, but what is nmap doing on a console server?
  • slc-problems.txt: Lantronix' SLC suffered from 1) SSH private keys being stored under the web server's document root (and mini_httpd does not enforce ACLs), 2) log files being publicly viewable, since they are under the document root too *)

  • Issues marked with *) require only network access, no credentials.