Dataprobe, Inc. Information for VU#167623

SHDesigns Resident Download Manager does not authenticate firmware downloads

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://blog.tmcnet.com/blog/tom-keating/computer-hardware/dataprobe-ibootbar-review.asp

Addendum

We have reached out to the vendor regarding the SHDesigns RDM vulnerability.

Additionally, the cookie authentication bypass vulnerability reported in the tmcnet.com blog was assigned CVE IDs as follows:

CVE-2007-6759 = Dataprobe iBootBar (with 2007-09-20 and possibly later released firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCRABBIT cookie.

CVE-2007-6760 = Dataprobe iBootBar (with 2007-09-20 and possibly later beta firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCCOOKIE cookie.
