LANDesk OS: Command Injection Vulnerability

Users of LANDesk OS, please be advised that a command injection vulnerability has been identified.
To view this vulnerability and others, along with possible remedies, please see the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).

CORE-2010-1018: LANDesk OS command injection
Impact: Code execution
*Vulnerability Description*

The LANDesk division of Avocent Corporation [1] provides systems
management, security management, service desk, asset management, and
process management solutions to organizations. The company’s software is
used worldwide.

A security vulnerability was discovered in LANDesk Management Suite: the
LANDesk web application does not sufficiently verify whether a well-formed
request was provided by the user who submitted the request. By exploiting
this, an external remote attacker can run arbitrary code as the
‘gsbadmin’ user (the user that runs the web server).
Read more at http://www.criticalwatch.com
