ANTlabs InnGate is a gateway device designed for operating corporate guest/visitor networks. Multiple models and firmware versions of the InnGate have been shown to allow read/write access to remote unauthenticated users via a misconfigured rsync instance.
CWE-276: Incorrect Default Permissions
The instance of rsync included with the InnGate firmware is incorrectly configured to expose the entire filesystem for reading and writing without authentication. A remote unauthenticated attacker may read or modify any file on the device's filesystem. More details can be found in a blog post from Cylance, Inc.
A remote unauthenticated attacker may read or modify any file on the device's filesystem.
Update the firmware
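As an added example (not part of the original note and not ANTlabs code), the following Python script audits an `rsyncd.conf` for the class of misconfiguration described above: a module that is anonymous, writable and rooted at `/`. The sample configuration and the module names `root` and `firmware` are constructed for illustration; the InnGate's actual configuration is not given in this note.

```python
# Constructed sample config for illustration; NOT the actual InnGate configuration.
SAMPLE_CONF = """\
[root]
    path = /
    read only = no

[firmware]
    path = /srv/firmware
    read only = yes
    auth users = updater
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.0.2.10
"""

FALSE_VALUES = {"no", "false", "0"}

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) with whitespace-free lowercase names."""
    global_params, modules = {}, {}
    current = global_params  # parameters before the first [module] are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            current["".join(name.split()).lower()] = value.strip()
    return global_params, modules

def audit(text):
    """Map each module name to a list of findings (empty list means none)."""
    global_params, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**global_params, **params}  # global section supplies module defaults
        path, findings = eff.get("path", ""), []
        if not eff.get("authusers"):
            findings.append("anonymous access (no auth users)")
        if eff.get("readonly", "yes").lower() in FALSE_VALUES:  # rsyncd default is read-only
            findings.append("writable (read only disabled)")
        if path and not path.strip("/"):
            findings.append("exports the filesystem root")
        if not eff.get("hostsallow"):
            findings.append("no hosts allow restriction")
        report[name] = findings
    return report
```

Call `audit()` on the contents of the daemon's configuration file; any module reporting all four findings matches the exposure this note describes.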
Credit to Justin W. Clarke of Cylance Inc. for reporting this vulnerability. Also a thank you to ANTlabs for quickly addressing this vulnerability.
This document was written by Garret Wassermann.
|Date First Published:|2015-03-26|
|Date Last Updated:|2015-03-26 14:59 UTC|