SECURITY vulnerability in ECS-K7S5A(L) boards

[Guy Van Sanden <unixmafia () flashmail com>]

A repost, my previous one seem to have failed.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

____________________________________________________________________________

SECURITY vulnerability in ECS-K7S5A(L) boards
____________________________________________________________________________



DESCRIPTION
===========

The administrator-password set in the BIOS of the K7S5A(L) locks out BIOS-access
from the console.  However, it does not disable access to the boot-menu.  Eventhough
the system is configured to boot from harddrive only, and has an admin-password set,
someone with physical access to the system can still boot from floppy or CD using
the boot-menu.


IMPACT
======

Security: Moderate

Any person with physical access to the machine can reboot from a removable medium
(introduced by him-self).  By doing this, authentication mechanisms on the machine can
be bypassed, composmising the data on the system and the system itself.

Working from this compromised system with e.g. root/admin access can threaten the rest
of a network, depending on the architecture and authentication mechanisms.


AFFECTED VERSIONS
=================

All K7S5AL-boards, confirmed up to BIOS V.02/02/06


WORKARROUNDS
============

None at this moment, restrict physical access to the console where possible.

FIXES
=====

None at this moment.


VENDOR STATUS
=============
[Tue Apr 30 17:43:50 CEST 2002] Notified


____________________________________________________________________________
Guy Van Sanden
http://unixmafia.port5.com
mailto:unixmafia () flashmail com

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDuyKzERBACU7yaPqHrhZ/eQr85zFByf5p5wdsZ9Wfyt6P3x4BxUebePWRka
XYNseAf9HpsZgYFZM20lnwl4uD+HjiZiX1If+IQgjfReZa1H//7ppfj3d4Db5tw2
8j2mbIiUCW4l1l8cnf+dKNiOjQ2fxP+zilPyt+NDP4cUOb1R3k9BntHgowCglRAd
cjFnSnOz3ReJTZxNfZQLabkD/3qrCpvlgZFvX296h0WiuBMd1T5s044cbFVX5X9w
XYiiyXTWnsp7Za02t9mw9X0/s3N3gi1wS/7vrM6JrZOnZ61AFCb4lqVBHzIA09yM
dmY1L9xXIuuu9LPUlkKrQo3XyqpraWJn4D5WAcigmkp5ESw1Q+sdg3e3B/P1nJfA
p51IBACTcGR9f9H6DIYEgrrNVWjsRIvR2GblPgqocWuqJQHfM2jU652tdGx9PmlL
hXnu2O1MnWSxWFEqYfBunln1JdGfcgw410LKoFz7Sbl/rnMwTb4pVtKUce0vwB5r
ImwYIScEheboxIXOPF4lGmfJKCHK4V/izt3wWnzYNKtUviEU57QoR3V5IFZhbiBT
YW5kZW4gPHVuaXhtYWZpYUBmbGFzaG1haWwuY29tPohXBBMRAgAXBQI7sisxBQsH
CgMEAxUDAgMWAgECF4AACgkQ1265aYIRFcRtQQCfcI+CFvgSIjvnSbtlnY8ybwW/
jJQAn0bAs7REPFZSVIxOeSOpeHDsmH4yuQENBDuyKzIQBACBnAov8n/xP+FQyM/m
SGFugTatgP5EijuiHDbFojmhi5p8zlT+ZyKG+hza/u1kx6J8iD4SvD1xpU7ge6vN
X6IYtz0yTLH2bDVYwaHBRUQD3j1GipLZSc7ml/45TMi/kPMu4Bfr6dUG1ddtP8H8
5XNOoOt04P+FnVGOKKjn9tCDVwADBQP/Xz5V+kPQaG14M77nlYGDlYofoZVOsEhu
6jRc59Xzr6pLCYNLCo9Pby37K7K82BYG5YhQPyVlC7nCNYxWoJuKUj49Mg6uDnLP
zYCRo88jur6E3FMp6r9PxUZrrvHZ5gW1fqBBTCWjVCYOytdTaGF2tXH8EOnnXF1B
5tZUNveY156IRgQYEQIABgUCO7IrMgAKCRDXbrlpghEVxEe1AJwNMo3dNfTHggVM
wNIk5LmMOoNSXQCfedBhObZEFyDLxDn2Vfj3p5MGWNE=
=96yY
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8zvuP1265aYIRFcQRAnjyAJ9vEvhPBevJ99qF1DQRQ0IlGo6nuQCgg4RJ
DrP3pAWRvqwcVMY48mOUUZw=
=5u7x
-----END PGP SIGNATURE-----