Correction: There is no vulnerability... just a careless oversight.
There appears to be a vulnerability in Astaro 7.x
This seems to be a design flaw by nature.
The remote login to the box is open - evidently on all interfaces- with no apparent way to close it. I've confirmed with one other user on this forum that many failed "console logins" are being attempted. I've searched every possible place in the configuration tree of the GUI and there is no place that either allows or denies these connections. In fact on my box there is no logs of this activity either. This is almost a back door but for the fact that the activity is logged on the Executive Reports. One can restrict Web Admin connections in the rational ways, but terminal logins are completely overlooked.
Please note. Astaro is using "Console Login" as synonymous with "Terminal Login" so for Astaro, console logins can be remote connections as well as local to the hardware. I thought this was confusing.
Again to see if your ASL box is being hit in this manner, check the Executive Reports for Failed Console logins.
Be CERTAIN that your passwords are complex and as random as possible.
Regards
This thread was automatically locked due to age.
