Zero-Day Vulnerability Found in Novell ZENworks

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  

Rapid7 researcher Juan Vazquez recently uncovered a zero-day security flaw in Novell ZENworks Asset Management 7.5.

"ZENworks Asset Manager is a Web-based management console that integrates asset inventory, software usage, software management and contract management," writes Threatpost's Brian Donohue. "Users can also access network device data and edit information through the console."

"Vazquez ... explains that the web console of ZENworks Asset Management provides two maintenance calls that can be used with hard-coded credentials," The H Security reports. "One of the calls allows remote attackers to gain access to the filesystem, while the other call gives details of the software's backend database credentials in clear text. Vazquez discovered the vulnerability in August and immediately wrote a Metasploit module to exploit it."

"We are currently unaware of a practical solution to this problem," the United States Computer Emergency Readiness Team (US-CERT) states.

Submit a Comment

Loading Comments...