The SpiderLabs team at Trustwave published a new advisory today, which details a vulnerability identified in the Avocent Cyclades ACS Web Manager. The Avocent Advanced Console Server, or ACS, is a series of devices which provide remote management needs for medium to large data centers. All ACS devices come with a web management console that provides easy configuration for administrators.
The vulnerability was discovered by Martin Murfitt, who is a member of the SpiderLabs EMEA Penetration Testing team. Martin discovered a way to bypass authentication on the web console, which allowed him to view security settings on the device. Dynamic content was not generated using this technique, so changes to the device were not possible. Avocent has released a patch to this vulnerability as of March 10, 2011. The patch link (Version 3.3.0-6) can be seen below:
http://www.avocent.com/Support_Firmware/ACS/ACS_Advanced_Console_Servers.aspx