SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   Cajun Network Switches Vendors:   Avaya
Avay Cajun Switches Feature Undocumented Maintenance Accounts That Allow Remote Users to Gain Privileged Access
SecurityTracker Alert ID:  1005441
SecurityTracker URL:  http://securitytracker.com/id/1005441
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 17 2002
Impact:   Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.2.14 and prior versions (P882, P880, P580, and P550R)
Description:   Several default account vulnerabilities were reported in Avaya's Cajun network switches. A remote user could gain developer privileges on the system.

It is reported that a remote user can use two undocummented accounts with default passwords to gain access via telnet or the web interface on Cajun P550R/P580/P880/P882 switches. The user can gain 'developer' privileges on the switch, which is reported to be of greater privilege than normal administrative access.

According to the report, the following strings are installed in the switch configuration by default:

username "root" password encrypted-type1 "$tSfIcnbTP.pxRf7BrhGW31"
access-type admin
username "diag" password encrypted-type1 "$PQO.vGxkvDHkEDCJ2YsoD1"
access-type read-write
username "manuf" password encrypted-type1 "$seHFLP9b16m2v/534WCk90"
access-type read-write

The passwords for the 'diag' (danger) and 'manuf' (xxyyzz) accounts apparently cannot be changed.

Impact:   A remote user can gain privileged access to the switch.
Solution:   The vendor has released a fixed version (5.3.0) for the P882, P880, P580, and P550R systems, which allow you to disable the vulnerable accounts. The updated software is available at:

http://support.avaya.com

For information on how to disable the manuf and diag accounts, see "Disabling User Accounts" on page 2-19 in the Version 5.3 manual.

Vendor URL:  support.avaya.com/japple/css/japple?PAGE=avaya.css.OpenPage&temp.template.name=Avaya_P580_P882_Undocumented (Links to External Site)
Cause:   Configuration error

Message History:   None.


 Source Message Contents

Subject:  Undocumented account vulnerability in Avaya P550R/P580/P880/P882


Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches

1. Problem Description

Two undocummented accounts with default passwords allow access via telnet
and the web interface to Cajun P550R/P580/P880/P882 switches. Both
accounts give developer access to the switch. The vulnerability can be
avioded by upgrading to software version 5.3.0 or later and disabling the
accounts.

2. Tested systems

The following versions were tested and found vulnerable:

Avaya Cajun P580 software version 5.2.14

All previous software versions are assumed to be vulnerable. This
problem is present in P550R,P580,P880 and P882.

3. Details

The vulnerable firmware installs the following strings into the switch
configuration by default:

username "root" password encrypted-type1 "$tSfIcnbTP.pxRf7BrhGW31"
access-type admin
username "diag" password encrypted-type1 "$PQO.vGxkvDHkEDCJ2YsoD1"
access-type read-write
username "manuf" password encrypted-type1 "$seHFLP9b16m2v/534WCk90"
access-type read-write

The only documented password is for the root user. This user can't
change the diag and manuf accounts.

The un-documented passwords are:

user	password
----	--------
diag	danger
manuf	xxyyzz

Both of these accounts give developer access to the switch (read-write
access-type), which is more priviliged than normal administrative access
(admin access-type).

4. Recommendations

As always it is good administrative practice to block access to
administrative interfaces (telnet, web) at the firewall. Upgrading to
software version 5.3.0 or later and disabling the accounts resolves ths
issue.

As a temporary workaround download the configuration file via tftp, edit
out these accounts, or change their password hashes, and upload it to the
switch.


5. Vendor status

AVAYA was informed on 2 Oct 2002. The vendor responded the same day, proved
responsive and worked promptly on the problem. I have agreed to release the
information after the release of the official AVAYA advisory. The official
Avaya advisory was out on 11 Oct 2002. The fixed software is avaliable from the
Avaya support site http://support.avaya.com.

Official AVAYA security advisories are located at
http://support.avaya.com/security/

6. Disclaimer

Neither I nor my employer is responsible for the use or misuse of
information in this advisory.  The opinions expressed are my own and not
of any company.  Any use of the information is at the user's own risk.


Jacek Lipkowski sq5bpf@andra.com.pl

Andra Co. Ltd.
ul Wynalazek 6
02-677 Warsaw, Poland
http://www.andra.com.pl



 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC