IBM System Networking Switch Center FileReader.jsp Information Disclosure Vulnerability
28 Jan. 2016
Race condition in the administration-panel web service in IBM System Networking Switch Center (SNSC) before 220.127.116.11 and Lenovo Switch Center before 18.104.22.168 allows remote attackers to obtain privileged-account access, and consequently provide FileReader.jsp input containing directory traversal sequences to read arbitrary text files, via a request to port 40080 or 40443.
The information has been provided by Andrea Micalizzi (rgod).
* IBM System Networking Switch Center (SNSC) before 22.214.171.124 and Lenovo Switch Center before 126.96.36.199
* IBM System Networking Switch Center (SNSC) after 188.8.131.52 and Lenovo Switch Center after 184.108.40.206
This vulnerability allows remote attackers to disclose information on vulnerable installations of IBM System Networking Switch Center. Authentication is not required to exploit this vulnerability. The specific flaws exist within the IBM SNSC Web Service, which listens by default on ports 40080 (HTTP) or 40443 (HTTPS) for requests to the administration panel. The first is a race condition, which allows the for the temporary use of a fixed privileged account which is forbidden from interactive login, and the second is a directory traversal vulnerability in FileReader.jsp. By combining these two vulnerabilities, an attacker can read arbitrary text files on the system.