| Advisory Summary | Some security scanners show that the HTTP OPTIONS/DELETE methods are enabled and flag a potential vulnerability without any further check, triggering a false alarm for Command Enterprise. |
| Products or Components | Command Enterprise |
| Addressed in Release | No Impact to March Networks products |
Some security scanners show that the HTTP OPTIONS/DELETE methods are enabled, flagging a potential vulnerability without any further check.
In older web servers, the HTTP OPTIONS and DELETE methods were not widely used and were not standardized as part of the HTTP specification. Their use and functionality varied across different servers and implementations. HTTP OPTIONS was mainly used as an experimental method to retrieve information about the server’s communication options, but its use and purpose were not consistent across servers. The HTTP DELETE method was used in some cases to request the deletion of a file, but it was not a standardized method for file deletion on the web.
Nowadays, the HTTP OPTIONS method is widely used as a standard way for clients to request information about the communication options available for a resource in a RESTful API, including which methods are supported, while the HTTP DELETE method is used as a standard way to request the deletion of a resource. It’s important to note that REST is just an architectural style, and its implementation may vary. However, following REST best practices and using established security measures, such as secure data transmission via TLS and proper input validation, can help reduce the risk of security vulnerabilities in a RESTful application.
The RESTful API used in our Command Enterprise allows the execution of these methods only after verifying authorization, and only over TLS-encrypted channels, so the presence of these methods doesn’t impact its security in any way.
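The further check that such scanners skip can be scripted. The following is an added example, not March Networks code: it reads the `Allow` header from an OPTIONS response and then confirms that a DELETE sent without credentials is refused. The stub server, the `/test-resource` path, the token and the verdict labels are constructed for illustration and do not represent the Command Enterprise API; the stub uses plain HTTP on loopback so it runs offline, and `tls=True` is the setting for a real deployment.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class StubAPI(BaseHTTPRequestHandler):
    """Constructed stand-in API: advertises DELETE, gates it on a token."""
    enforce_auth = True

    def _reply(self, code, allow=None):
        self.send_response(code)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_OPTIONS(self):
        self._reply(204, allow="GET, OPTIONS, DELETE")

    def do_DELETE(self):
        authed = self.headers.get("Authorization") == "Bearer constructed-token"
        self._reply(204 if authed or not self.enforce_auth else 401)

    def log_message(self, *args):  # keep the demo quiet
        pass

def serve(handler):
    """Start the stub on a free loopback port; returns the server object."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def triage(host, port, path, tls=False):
    """Classify a 'DELETE enabled' finding. Use a disposable test resource as path."""
    def send(method):
        cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
        conn = cls(host, port, timeout=5)
        conn.request(method, path)  # deliberately sent without credentials
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return resp
    allow = send("OPTIONS").getheader("Allow", "")
    if "DELETE" not in {m.strip().upper() for m in allow.split(",")}:
        return "not-advertised"
    status = send("DELETE").status
    if status in (401, 403):
        return "false-positive"  # method present, authorization enforced
    return "not-implemented" if status in (405, 501) else "investigate"

if __name__ == "__main__":
    srv = serve(StubAPI)
    print(triage("127.0.0.1", srv.server_address[1], "/test-resource"))
```

A verdict of `investigate` means the unauthenticated DELETE was not rejected and the finding needs manual review.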
Feb 3, 2023 – Initial public report
March Networks’ assessment of this security vulnerability is contingent on the March Networks products being updated to the recommended release and/or security patch level and on the system having been deployed and configured in accordance with March Networks security recommendations and industry best practices. IT IS THE CUSTOMER’S RESPONSIBILITY TO EVALUATE THE EFFECT OF ANY SECURITY VULNERABILITY. A failure to update March Networks products and/or to follow March Networks recommendations or industry best practices may increase the risk associated with a security vulnerability. March Networks follows industry leading practices in addressing security vulnerabilities in our products. While March Networks cannot guarantee that our products will be free from security vulnerabilities, we are committed to providing updates and security fixes for our supported products if and when a high security vulnerability is determined to affect March Networks products.