Dataprobe, Inc. Information for VU#167623

SHDesigns Resident Download Manager does not authenticate firmware downloads

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://blog.tmcnet.com/blog/tom-keating/computer-hardware/dataprobe-ibootbar-review.asp

Addendum

We have reached out to the vendor regarding the SHDesigns RDM vulnerability.

Additionally, the cookie authentication bypass vulnerability reported in the tmcnet.com blog was assigned CVE IDs as follows:

CVE-2007-6759 = Dataprobe iBootBar (with 2007-09-20 and possibly later released firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCRABBIT cookie.

CVE-2007-6760 = Dataprobe iBootBar (with 2007-09-20 and possibly later beta firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCCOOKIE cookie.

If you have feedback, comments, or additional information about this vulnerability, please send us email.