LONDON (02/27/2004) - A security hole in Dell Inc. OpenManage server could leave the product open to attack by an unauthorised user. The problem has been identified as high risk by security consultancy Secunia.
Perhaps even more alarmingly, the user who discovered the problem, wirepair, found that the Dell support desk seemed unable to comprehend the problem and an e-mail to the company produced an "out of office" message from, seemingly, the only guy available to deal with the issue.
Secunia said that the vulnerability is caused due to a boundary error in the Web server when handling certain HTTP POST requests. POST is an extremely common HTML method of processing forms but can be exploited by sending a message with a hidden but extremely long variable to cause a heap overflow.
The vulnerability can be side-stepped by restricting access to Port 1311/TCP and only allowing trusted IP addresses to connect. However, without that in place, a denial of service or system access are readily achievable.
It's not so much the vulnerability that's of concern though but the way Dell has dealt with the problem. As wirepair describes it, the support desk heard the words "buffer overflow" and immediately launched into buffer under-run mode. It's not impressive that the world's second largest PC company thinks security problems can be explained away by an over-full hard disk. Does the support department spend its time leafing through the BOFH Excuse of the Day list?
And contacting Dell through the firstname.lastname@example.org email address only brought up an 'out of the office' message. As wirepair, sourly comments: "Perhaps they should consider hiring two security officers."
Oh yes, we contacted Dell for a response but haven't received one, as yet.