Vendor: NetAccess
By: Sebastian Wolfgarten
CVSS: 7.5 (HIGH)
CWE: Arbitrary file disclosure
Product Name: NetAccess
Affected Version From:
Affected Version To: 4.1.9.6
Patch Exists: YES
Related CWE:
CPE:
Platforms Tested:
2007
Arbitrary file disclosure vulnerability in IP3 NetAccess leads to full system compromise
Due to improper input validation, all NetAccess devices with a firmware version less than 4.1.9.6 are vulnerable to an arbitrary file disclosure vulnerability. This vulnerability allows an unauthenticated remote attacker to abuse the web interface and read any file on the remote system. Because important system files are world-readable, this includes /etc/shadow and thus leads to a full compromise of the device! In addition, an attacker is able to gain access to the proprietary code base of the device and potentially identify and exploit other, as yet unknown, vulnerabilities.
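For fleet triage, the "firmware version less than 4.1.9.6" condition has to be evaluated numerically per component, since a plain string comparison sorts 4.1.10.0 before 4.1.9.6. The following is an added example, not code from the advisory or the vendor; the hostnames, the inventory layout and the assumption that firmware versions are dotted integers are constructed for illustration.

```python
# Added example: classify inventoried devices against the fixed firmware 4.1.9.6.
# Assumption: firmware versions are dotted integers such as "4.1.9.6".
FIXED = (4, 1, 9, 6)

def parse_version(text):
    """Return a tuple of ints for a dotted version string, or None if malformed."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_vulnerable(version_text, fixed=FIXED):
    """True if older than the fixed release, False if not, None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    # Pad the shorter tuple with zeros so "4.1.9" is treated as 4.1.9.0.
    width = max(len(v), len(fixed))
    v = v + (0,) * (width - len(v))
    f = fixed + (0,) * (width - len(fixed))
    return v < f

def triage(inventory):
    """Group (host, version) pairs into vulnerable / patched / unknown."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in inventory:
        status = is_vulnerable(version_text)
        if status is None:
            result["unknown"].append(host)  # needs manual follow-up
        elif status:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result

# Constructed sample inventory (hostnames are placeholders).
SAMPLE = [
    ("na-01.example", "4.1.9.5"),
    ("na-02.example", "4.1.9.6"),
    ("na-03.example", "4.1.10.0"),  # a string comparison would rank this as older
    ("na-04.example", "4.1.9"),
    ("na-05.example", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```

Devices that land in the unknown group should be handled as unpatched until their firmware version is confirmed.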
Mitigation:
To address this problem, the vendor has released a new firmware version (4.1.9.6) which is available at http://ww