Product:
AlterPath Manager (APM) Console Server

Released:
01/23/2005

Description:
AlterPath Manager (APM) reveals sensitive system information without authentication.

Systems Affected:
AlterPath Manager 1.1.0 and below

Technical Description:
The APM reveals sensitive information, including:

• Boot Version
• Kernel Version
• Config Version
• OS Version
• AP Version
• Hardware information

This information is available through the web interface via the /about.html page.

Fix/Workaround:
This issue was corrected in APM release 1.2.0. For older versions, it may be possible to disable the web interface and connect to consoles via SSH only.

Vendor Status:

• Cyclades was notified on 12/13/2004 and confirmed receipt on 12/14/2004.
• Cyclades responded to an inquiry on 1/20/2005 to confirm version 1.2.5 would address this issue.
• Cyclades responded to an inquiry on 2/15/2005 to state they still did not have a release date, but did not respond with more information.
• Released on 2/23/2005.
• Cyclades responded on 2/25/2005 to clear up version information.

Contacts:
sullo@cirt.net

References:
Updated information can be found on OSVDB.org under the following entries:

Updates: