Vulnerability Note VU#930956
Multiple ANTlabs InnGate models allow unauthenticated read/write to filesystem
Original Release date: 26 Mar 2015 | Last revised: 26 Mar 2015

Overview
ANTlabs InnGate is a gateway device designed for operating corporate guest/visitor networks. Multiple models and firmware versions of the InnGate has been shown to allow read/write access to remote unauthenticated users via a misconfigured rsync instance.

Description
CWE-276: Incorrect Default Permissions
The instance of rsync included with the InnGate firmware is incorrectly configured to allow the entire filesystem to be read/write without authentication. A remote unauthenticated attacker may read or modify any file on the device’s filesystem. More details can be found in a blog post from Cylance, Inc.

Devices containing affected firmware include:

IG 3100 model 3100, model 3101
InnGate 3.00 E-Series, 3.01 E-Series, 3.02 E-Series, 3.10 E-Series
InnGate 3.01 G-Series, 3.10 G-Series

Impact
A remote unauthenticated attacker may read or modify any file on the device’s filesystem.

Solution
Update the firmware

According to the ANTlabs Security Advisory, a software update addressing this vulnerability has been released. Users are encouraged to upgrade affected devices’ software as soon as possible. Affected users may contact ANTlabs Support (tech-support@antlabs.com) for more information or to obtain the software update.

If a firmware update is currently not possible, the following workaround may help mitigate this issue.
Block rsync

Administrators may block unrestricted access to the rsync TCP port 873 on the affected network.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedANTlabsAffected03 Mar 201526 Mar 2015If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal
8.3
E:F/RL:OF/RC:C

Environmental
6.2
CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

http://www.antlabs.com/index.php?option=com_content&view=article&id=195:rsync-remote-file-system-access-vulnerability-cve-2015-0932&catid=54:advisories&Itemid=133
http://blog.cylance.com/spear-team-cve-2015-0932

Big Vulnerability in Hotel Wi-Fi Router Puts Guests at Risk

Credit

Credit to Justin W. Clarke of Cylance Inc. for reporting this vulnerability. Also a thank you to ANTlabs for quickly addressing this vulnerability.
This document was written by Garret Wassermann.

Other Information

CVE IDs:
CVE-2015-0932

Date Public:
26 Mar 2015

Date First Published:
26 Mar 2015

Date Last Updated:
26 Mar 2015

Document Revision:
48

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply