Vulnerability Note VU#930956
Multiple ANTlabs InnGate models allow unauthenticated read/write to filesystem
ANTlabs InnGate is a gateway device designed for operating corporate guest/visitor networks. Multiple models and firmware versions of the InnGate have been shown to allow read/write access to remote unauthenticated users via a misconfigured rsync instance.
CWE-276: Incorrect Default Permissions
The instance of rsync included with the InnGate firmware is incorrectly configured to allow the entire filesystem to be read and written without authentication. A remote unauthenticated attacker may read or modify any file on the device's filesystem. More details can be found in a blog post from Cylance, Inc.
A remote unauthenticated attacker may read or modify any file on the device's filesystem.
Update the firmware
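The note does not reproduce the device's rsync configuration. As an added example (not code from CERT/CC, Cylance or ANTlabs), this Python check reads an `rsyncd.conf` and flags modules with the three properties described above: a path at the filesystem root, write access, and no `auth users`. The sample config and the names `SAMPLE`, `parse_rsyncd_conf` and `audit` are constructed for illustration.

```python
# Added example: flag rsync daemon modules that match the VU#930956 pattern.
TRUE = {"yes", "true", "1"}  # boolean spellings accepted by rsyncd.conf
# Constructed sample config, not taken from any device or firmware image.
SAMPLE = """\
[root]
    path = /
    read only = no
[reports]
    path = /srv/reports
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) with normalised names."""
    globals_, modules, current, pending = {}, {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            continue
        name, value = line.split("=", 1)     # only the first '=' is significant
        key = "".join(name.split()).lower()  # whitespace in names is ignored
        (globals_ if current is None else current)[key] = value.strip()
    return globals_, modules

def audit(text):
    """Return sorted (module, finding) pairs for risky module settings."""
    globals_, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        eff = {**globals_, **params}         # module values override globals
        path = eff.get("path", "")
        if path.startswith("/") and not path.strip("/"):
            findings.append((name, "path is the filesystem root"))
        if eff.get("readonly", "yes").lower() not in TRUE:   # default is yes
            findings.append((name, "module is writable"))
        if not eff.get("authusers", ""):
            findings.append((name, "no auth users: anonymous access"))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A module that reports all three findings at once has the same exposure this note describes; any single finding on an Internet-reachable daemon is worth reviewing.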
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| ANTlabs | Affected | 03 Mar 2015 | 26 Mar 2015 |
Credit to Justin W. Clarke of Cylance Inc. for reporting this vulnerability. Also a thank you to ANTlabs for quickly addressing this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-0932
- Date Public: 26 Mar 2015
- Date First Published: 26 Mar 2015
- Date Last Updated: 26 Mar 2015
- Document Revision: 48