3COM-06-002
TippingPoint™ SMS Information Disclosure

May 09, 2006

CVE ID:
CVE-2006-0993

Affected Vendor:
3Com TippingPoint

Affected Products:
TippingPoint SMS Server

Severity Assessment: Low

Vulnerability Details:
3Com has identified a vulnerability in the TippingPoint SMS Server product. This vulnerability allows remote attackers to bypass some authentication requirements on vulnerable installations, leading to a limited information disclosure.

The specific flaw exists within the web management interface. Due to insufficient protections on specific directories, an attacker with access to the web interface may be able to view benign data such as the user manual. In the event that the device was being used for backup purposes, it may be possible for an attacker to identify additional information such as configuration settings. Device configuration “best practices” advise against using the SMS Server for backup purposes.

The TippingPoint IPS device itself is not affected by this vulnerability.
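
The flaw class described above (authentication enforced only on an enumerated set of directories, so anything not on the list is served unauthenticated) is modelled in the following added example. This is illustrative code written for this page, not TippingPoint's SMS Server code, and the paths, content and handler names are constructed placeholders. It shows an allowlist-style handler beside a deny-by-default handler, plus a small check that enumerates what an unauthenticated client can read, which is the kind of post-upgrade verification an operator would want.

```python
"""Constructed model of per-directory authentication enforcement.

Not the TippingPoint SMS Server implementation; paths and content are
hypothetical placeholders chosen to mirror the advisory (a user manual
directory and a configuration-backup directory).
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass
class Request:
    path: str
    authenticated: bool  # True when the client presents a valid session


# Constructed sample content tree served by the management interface.
CONTENT = {
    "/login": "login form",
    "/admin/": "admin console",
    "/docs/manual.pdf": "user manual",
    "/backups/config.xml": "device configuration backup",
}

# Vulnerable pattern: enumerate the directories that need protection.
# Any directory added later (docs, backups) is silently left open.
PROTECTED_PREFIXES = ("/admin/",)


def vulnerable_handler(req: Request) -> Tuple[int, str]:
    """Gate only the directories someone remembered to list."""
    if req.path.startswith(PROTECTED_PREFIXES) and not req.authenticated:
        return 401, ""
    body = CONTENT.get(req.path)
    return (200, body) if body is not None else (404, "")


# Hardened pattern: enumerate the few resources that are public instead.
PUBLIC_PATHS = frozenset({"/login"})


def hardened_handler(req: Request) -> Tuple[int, str]:
    """Deny by default: everything outside the public set needs a session."""
    if req.path not in PUBLIC_PATHS and not req.authenticated:
        return 401, ""
    body = CONTENT.get(req.path)
    return (200, body) if body is not None else (404, "")


def unauthenticated_exposure(
    handler: Callable[[Request], Tuple[int, str]], paths: Iterable[str]
) -> List[str]:
    """Return the non-public paths an unauthenticated client can read.

    A verification run against a patched interface should return an empty
    list; any entry is a directory that still lacks an authentication check.
    """
    return [
        p
        for p in paths
        if p not in PUBLIC_PATHS and handler(Request(p, authenticated=False))[0] == 200
    ]


if __name__ == "__main__":
    print("allowlist handler exposes:", unauthenticated_exposure(vulnerable_handler, CONTENT))
    print("deny-by-default handler exposes:", unauthenticated_exposure(hardened_handler, CONTENT))
```

The defensive point is the direction of the list: naming what to protect fails open whenever a new directory (documentation, backups) is added to the web root, while naming what is public fails closed. The exposure check is the same test an operator can adapt to confirm that, after applying the SMS update, no management-interface directory still answers unauthenticated requests.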

Update Availability:
This issue has been addressed in TippingPoint SMS Server release version 2.2.1.4478. Customers can obtain the update through the SMS device or by visiting http://tmc.tippingpoint.com and downloading SMS_2.2.1_4478.pkg.

Workarounds:
There are currently no known workarounds for this issue. Customers should upgrade to the latest version of SMS 2.2, and avoid backing up configuration data to the SMS server.

Credit:
This vulnerability was discovered by Micheal Cottingham and reported through the Zero Day Initiative.

Support:
Technical support is available by contacting TippingPoint Technical Support at 866-681-8324.