Hi,

this is another bug I encountered during my research on console servers.

Summary:
Port Access Control Bypass Vulnerability on MRVs
In-Reach console servers.

Details:
MRV's In-Reach console servers come with feature that enables access to
their ports by ssh public keys. As opposed to e.g. standard password
based authentication it's not checked whether the user is allow to
access this port (note: on modern console servers you can set
port permissions on user basis). Research showed that port-based restrictions
were nullified which means that every user can access consoles of every
device hooked up if they were set up by the administrative account of the
console server to use ssh public key authentication.


Vulnerable Versions:
Tested on "Software Version 3.5.0", tested on InReach
LX-8000, 4000 and 1000 series.


Patches/Workarounds:
Vendor has released 3.5.1 which according to vendors information
should fix the issue (Rel-Notes of 3.5.1 and 3.5.0.1 however don't mention
it). For more info see http://service.mrv.com/support/index.cfm

Alternatively administrators on MRV In-Reach console servers should
not allow users using ssh public key based authentication.

Exploit:
Design Flaw, exploit not needed.


Cheers,
        Dirk


--
Dr. Dirk Wetter                                  http://drwetter.org
Consulting IT-Security + Open Source
Key fingerprint = 80A2 742B 8195 969C 5FA6  6584 8B6E 59C1 E41B 9153