Date: Wed, 6 Feb 2002 20:43:28 +0100
From: Markus Hennig <mhennig@astaro.com>
To: bugtraq@securityfocus.com
Subject: Astaro Response: Vulnerabilities in Astaro Security Linux 2.016
Hi,
thankyou for the testing, we will fix the relevant issues in=20
Up2Date 2.021, which will be out really soon.=20
All Astaro users please note, that some of the mentioned issues are=20
pretty theoretical and none of them contain any remote vulnerabilities.
=20
Best Regards,
Markus
> -----Original Message-----
> From: J=F6rg L=FCbbert [mailto:Joerg.Luebbert@t-online.de]
> Sent: Saturday, February 02, 2002 7:40 PM
> To: bugtraq@securityfocus.com
> Subject: Vulnerabilities in Astaro Security Linux 2.016
>=20
>=20
> Preamble:
>=20
> Product: Astaro Security Linux
>=20
> Version: 2.016
>=20
> Vendor: Astaro AG
>=20
> Vendor URL: http://www.astaro.com
>=20
> Vendor status and reply: Vendor has been contacted with=20
> posting of this=20
> message
>=20
> Description:
> Astaro develops and distributes the firewall solution Astaro Security=20
> Linux. Astaro Security Linux offers extensive protection for local=20
> networks against hackers, viruses and other risks of=20
> connecting to the=20
> Internet. Astaro Security Linux is distributed by a worldwide=20
> network of=20
> partners who offer local support regarding installation and=20
> maintenance.
>=20
> Introduction:
> Dear BugTraq readers. I've taken a short glimpse on Astaro Security=20
> Linux and found out some points of interest that are mostly design=20
> flaws. Please note that I am theorising (based on a 1 1/2=20
> hour research=20
> only) about the impacts and have not proven their concepts on Astaro=20
> Security Linux yet even though most can be proved easily.
>=20
> Some of the vulnerabilities might be local and some might argue about=20
> that Astaro Security Linux is a Firewall and no server... but=20
> as it uses=20
> SSHD it could always be that the "loginuser" account might have been=20
> compromised and shell access granted.
>=20
>=20
>=20
> Vulnerabilities:
>=20
> Summary:
> 5 Design flaws
> 2 Completely theorised design flaws
> 1 Possible design flaw
> 1 Licensing violation
> 1 Software bug
>=20
>=20
>=20
> Category 1: Design flaw
>=20
