OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Axel Hammer (alpha01grafx-design.de)
Date: Mon May 14 2001 - 04:03:54 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Device:
    Allied Telesyn AT-AR220e, Firmware 1.08a RC14, combined DSL/Cable-Router, NAT,
    Firewall, HTML-Config
    This Device is equipped with the function 'Virtual Server', which is a
    portmapper WAN -> LAN.
    The 'Virtual Server'-functionality can be disabled completely and single
    portmappings can be disabled each, too.

    Problem:
    If a portmapping is set-up, e.g.
    Status; Global Port; Internal Port; Internal IP; Protocol
    disabled; 80; 80; 192.168.0.1; TCP

    AND the Virtual-Server-Feature is enabled, there is no check for the
    enabled/disabled setup of each of the single portmappings. They still remain
    active.

    Impact:
    It is possible to gain access to mapped services, which may be left unsecured.

    Solution:
    Unused mappings should be deleted from the list-of-portmappings. If there are no
    used mappings at all, the Virtual-Server-feature should be disabled.

    Vendor-Status:
    Informed on 2001-14-05

    Regards, Axel
    P.S.: first posting ;-)

    --
    de:
    GRAFX & DESIGN
    marketing
    Michael-Imhof-Str. 17
    86609 Donauwörth
    Tel.: +49 (0)906-705706-11
    Fax: +49 (0)906-705705-12
    Mobile: +49 (0)171-9321435
    infografx-design.de
    http://www.grafx-design.de