Cyclades AlterPath Manager Information Disclosure

Product:
AlterPath Manager (APM) Console Server

Released:
01/23/2005

Description:
AlterPath Manager (APM) reveals sensitive system information without authentication.

Systems Affected:
AlterPath Manager 1.1.0 and below

Technical Description:
The APM reveals sensitive information, including:

  • Boot Version
  • Kernel Version
  • Config Version
  • OS Version
  • AP Version
  • Hardware information

This information is available through the web interface via the /about.html page.

Fix/Workaround:
This issue was corrected in APM release 1.2.0. For older versions, it may be possible to disable the web interface and connect to consoles via SSH only.
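To confirm on your own APM that the exposure is closed after upgrading or disabling the web interface, the reply to a credential-less request for /about.html can be classified as below. This is an added example, not part of the original advisory; the HTML layout of the page, the sample bodies, and the verdict names are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Version labels from the advisory's list of disclosed items.
FIELDS = ("Boot Version", "Kernel Version", "Config Version",
          "OS Version", "AP Version")

# Constructed sample bodies; the real page layout is an assumption.
EXPOSED = ("<html><body><table>"
           "<tr><td>Boot Version</td><td>0.0.0</td></tr>"
           "<tr><td><b>Kernel</b> Version</td><td>0.0.0</td></tr>"
           "</table></body></html>")
LOGIN = "<html><body><form>Username: Password:</form></body></html>"


class _Text(HTMLParser):
    """Collect visible text so labels split across tags still match."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def visible_text(body):
    parser = _Text()
    parser.feed(body)
    parser.close()
    return re.sub(r"\s+", " ", " ".join(parser.chunks)).strip().lower()


def classify(status, body):
    """Classify the reply to a GET /about.html sent with no credentials.

    Returns (verdict, labels_found)."""
    if status in (401, 403):
        return "protected", []
    if status in (301, 302, 303, 307, 308):
        return "redirected", []  # check that the target is the login page
    if status != 200:
        return "not-served", []
    text = visible_text(body)
    found = [f for f in FIELDS
             if re.search(r"\b" + re.escape(f.lower()) + r"\b", text)]
    return ("exposed" if found else "no-version-data"), found


if __name__ == "__main__":
    for status, body in ((200, EXPOSED), (200, LOGIN), (401, "")):
        print(status, classify(status, body))
```

A verdict of "exposed" on a device believed to be patched means the version labels are still served without a login and the device should be treated as affected.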

Vendor Status:

  • Cyclades was notified on 12/13/2004 and confirmed receipt on 12/14/2004.
  • Cyclades responded to an inquiry on 1/20/2005 to confirm version 1.2.5 would address this issue.
  • Cyclades responded to an inquiry on 2/15/2005 to state they still did not have a release date, but did not respond with more information.
  • Released on 2/23/2005.
  • Cyclades responded on 2/25/2005 to clear up version information.

Contacts:
sullo@cirt.net

References:
Updated information can be found on OSVDB.org under the following entries:

OSVDB-14073 Cyclades AlterPath Manager Information Disclosure

Updates:

  • Advisory listed 1.2.0 as vulnerable, which was incorrect. This was fixed as of APM version 1.2.0.