DDIVRT-2009-24 Precidia Ether232 Memory Corruption

["DDI_Vulnerability_Alert" <DDI.VulnerabilityAlert () ddifrontline com>]

Title

-----

DDIVRT-2009-24 Precidia Ether232 Memory Corruption

 

Severity

--------

Medium

 

Date Discovered

---------------

March 10th, 2009

 

Discovered By

-------------

Digital Defense, Inc. Vulnerability Research Team

Credit: Steven James and princeofnigeria and r@b13$

 

Vulnerability Description

-------------------------

Certain Precidia Ether232 devices contain memory overwrite and
authentication flaws.

 

By making malformed GET requests to the built-in web server on certain
Precidia Ether232 devices, it is possible to arbitrarily overwrite
memory on the device and cause unknown impact.

 

Solution Description

--------------------

At this point in time, Precidia Technologies has not provided a firmware
upgrade addressing the memory corruption flaw. As a workaround, Precidia
Technologies suggests that users disable the web server on the device
through the serial or telnet configuration interface.

 

Tested Systems / Software (with versions)

------------------------------------------

Precidia Ether3201-232 w/ firmware 3.00.250

Precidia Ether232 Duo w/ firmware 5.00.02

Other versions are believed to be vulnerable.

 

Vendor Contact

--------------

Vendor Name: Precidia Technologies

Vendor Website: http://www.precidia.com

Contact Information: solutions () precidia com, support () precidia com

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/