Hi Zen Masters.

Some vulnerabilities have been discovered in the last week and they have
been reported to the Zen developer team through the bug tracker as medium
severity. For this reason they are going to be solved in the next release.


The reported bug is explained here:
http://itsecuritysolutions.org/2012-09-21-ZEN-Load-Balancer-v2.0-and-v3.0-rc1-multiple-vulnerabilities/


Issues:
1.- Arbitrary command execution (through authenticated admin)
2.- Arbitrary file upload (through authenticated admin)
3.- Access to local data and file listing (through unauthenticated user)


When it is exploitable:
These issues are exploitable when the attacker knows the admin password. In
that case, the attacker could go through the SSH login to enter the
system.


How to mitigate:
To run the exploit successfully the attacker needs to know the admin
password. In that case the exploit will be the least of your problems.
1º Be sure that the web GUI isn't running on a network interface with
public access. By default the web GUI is running on all interfaces; to
change this:
In the web GUI menu go to "Setting >> Servers"; in "Local configuration"
change --All interfaces-- in the select box named "Physical interface where
is running GUI service" to a private interface.
2º If your ZenLB admin user has the default password, please change it as
soon as possible.
3º Use a different port number for management than the default 444.


Thanks to itsecuritysolutions for the report.

We'll be in contact with the latest news.

-- 
Load balancer distribution - Open Source Project
http://www.zenloadbalancer.com
Distribution list (subscribe): [email protected]
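Added example, not part of this message or of the Zen Load Balancer project: a small POSIX shell check for mitigations 1 and 3 above. It reads `ss -ltn` style output and reports whether the GUI port (444 by default) is bound to every interface or only to one address. The column layout of `ss -ltn`, the function names and the two sample listings are assumptions constructed here so the check runs offline; on the appliance itself pipe the real `ss -ltn` output into `gui_listeners 444`.

```shell
#!/bin/sh
# Added example (not Zen Load Balancer project code): verify mitigation 1
# (GUI not on all interfaces) and mitigation 3 (non-default port) from the
# listening-socket table. Assumes `ss -ltn` output with "Local Address:Port"
# in column 4; the sample listings below are constructed, not captured.

# gui_listeners PORT   (stdin: `ss -ltn` output)
# Prints one line per LISTEN socket on PORT:
#   "ALL <addr>"   when bound to every interface (0.0.0.0, *, [::], ::)
#   "BOUND <addr>" when restricted to a single address
gui_listeners() {
  awk -v p="$1" '
    $1 == "LISTEN" {
      loc = $4                                # Local Address:Port column
      if (match(loc, /:[0-9]+$/) == 0) next   # skip rows without a port
      addr = substr(loc, 1, RSTART - 1)
      port = substr(loc, RSTART + 1)
      if (port != p) next
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
        print "ALL " addr
      else
        print "BOUND " addr
    }'
}

# gui_is_public PORT   (stdin: `ss -ltn` output)
# Exit status 0 when PORT is reachable on every interface, 1 otherwise.
gui_is_public() {
  gui_listeners "$1" | grep -q '^ALL '
}

# Constructed sample: factory state, GUI on the default port 444 and on
# all interfaces (IPv4 and IPv6).
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:444        0.0.0.0:*
LISTEN 0      128    [::]:444           [::]:*'

# Constructed sample: GUI moved to a private management address and a
# non-default port, as mitigations 1 and 3 recommend.
SAMPLE_FIXED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    10.0.0.5:8443      0.0.0.0:*'

# Stand-alone demo over the constructed samples.
echo "default install, port 444:"
printf '%s\n' "$SAMPLE_DEFAULT" | gui_listeners 444
echo "hardened install, port 8443:"
printf '%s\n' "$SAMPLE_FIXED" | gui_listeners 8443
```

A "BOUND" result is only as good as the interface it names: confirm that the address belongs to a management network that is not reachable from the public side of the balancer.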
_______________________________________________
Zenloadbalancer-support mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/zenloadbalancer-support