Opengear console servers vulnerable to authentication bypass


Opengear console servers contain an authentication bypass vulnerability.

Opengear console servers are products used to manage servers and network devices. Their firmware contains an authentication bypass vulnerability.

Tadayoshi Nakahira reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics 6.4 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
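The base score above follows directly from the listed metrics. As an added check, not part of the JVN advisory, the block below evaluates the CVSS v2.0 base equation for the vector AV:N/AC:L/Au:N/C:P/I:P/A:N and applies NVD's v2 qualitative bands; the constants are the published v2.0 metric weights, and the vector string is assembled here from the metrics on this page.

```python
# CVSS v2.0 base-score equation, evaluated for the metrics in this advisory.
# Metric weights are those defined in the CVSS v2.0 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Vector assembled from the metrics listed in the advisory.
ADVISORY_VECTOR = "AV:N/AC:L/Au:N/C:P/I:P/A:N"


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:N' into {'AV': 'N', 'AC': 'L', ...}."""
    fields = dict(part.split(":") for part in vector.split("/"))
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(fields) != expected:
        raise ValueError(f"vector must contain exactly {sorted(expected)}: {vector!r}")
    return fields


def base_score(vector):
    """Return (base_score, impact_subscore, exploitability_subscore), each rounded to one decimal."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[v["C"]]) * (1 - IMPACT[v["I"]]) * (1 - IMPACT[v["A"]]))
    exploitability = 20 * ACCESS_VECTOR[v["AV"]] * ACCESS_COMPLEXITY[v["AC"]] * AUTHENTICATION[v["Au"]]
    # f(Impact) is 0 when there is no impact at all, otherwise 1.176.
    f_impact = 0 if impact == 0 else 1.176
    score = round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)
    return score, round(impact, 1), round(exploitability, 1)


def severity(score):
    """NVD qualitative bands for CVSS v2: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


if __name__ == "__main__":
    score, impact, expl = base_score(ADVISORY_VECTOR)
    print(f"{ADVISORY_VECTOR}: base {score} ({severity(score)}), "
          f"impact {impact}, exploitability {expl}")
```

With no Authentication required and Partial confidentiality and integrity impact, the exploitability subscore is at its maximum (10.0) while the impact subscore stays at 4.9, which is what keeps the base score in the Medium band despite the unauthenticated network access vector.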
Affected Products

  • Opengear console server firmware versions prior to 2.2.1

Console servers that use the above firmware versions are vulnerable.
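A fleet triage check derived from the affected-version statement above. This is an added example, not part of the advisory or of Opengear's own software; it assumes firmware versions are reported as dotted numeric strings with an optional "v" prefix and an optional trailing suffix, and the host names and version strings in the sample inventory are constructed. The point it makes is that versions must be compared component by component as integers, since a plain string comparison would rank "2.10" below "2.2.1".

```python
import re

# Fixed release named in the advisory.
FIXED_VERSION = "2.2.1"


def parse_version(version):
    """Split a firmware version string into a tuple of integers.

    Comparison is then numeric per component (2.10 > 2.9) rather than
    lexicographic ("2.10" < "2.9" as strings).  An optional leading "v"
    and any trailing non-numeric suffix (e.g. "2.2.1u1") are ignored.
    The accepted format is an assumption of this example.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version, fixed=FIXED_VERSION):
    """True if the firmware is older than the fixed release."""
    have, want = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple with zeros so "2.2" compares as 2.2.0.
    n = max(len(have), len(want))
    have += (0,) * (n - len(have))
    want += (0,) * (n - len(want))
    return have < want


def triage(inventory):
    """Return the hosts in {host: firmware_version} still running affected firmware, sorted by name."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory: host names and version strings are made up
# for this example; "2.10" is included only to show numeric ordering.
SAMPLE_INVENTORY = {
    "console-dc1": "2.2.1",
    "console-dc2": "2.1.9",
    "console-lab": "v2.2.0u1",
    "console-old": "2.10",
    "console-edge": "1.9",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: firmware {SAMPLE_INVENTORY[host]} is affected; update to {FIXED_VERSION} or later")
```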

Impact

A remote attacker may change the settings in the Opengear console server or gain access to products that are connected to the console server.

Solution

[Update the Firmware]
Update to the latest version of the firmware, according to the information provided by the developer.

According to the developer, this vulnerability was addressed in firmware version 2.2.1.
Vendor Information

CWE

  1. Improper Authentication (CWE-287) [IPA Evaluation]
CVE

  1. CVE-2011-3997
References

  1. JVN : JVN#71349007
  2. National Vulnerability Database (NVD) : CVE-2011-3997
Revision History

  • [2011/11/04]
      Web page published