SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   Cajun Network Switches Vendors:   Avaya
Avaya P330/P130 and G700 Switches Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1007014
SecurityTracker URL:  http://securitytracker.com/id/1007014
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Jan 4 2005
Original Entry Date:  Jun 19 2003
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Prior to 4.0; Avaya P330/P130 and G700
Description:   A denial of service vulnerability was reported in the Avaya Cajun P330/P130 switch and the G700 Media Gateway. A remote user can cause the device to reboot.

It is reported that a remote user can connect to the switch on TCP port 4000 and send a five byte packet, where the first four bytes are negative integer values, to cause the switch to stop processing traffic and reboot. According to the report, a single attack can cause the switch to become unavailable for about 30 seconds.

A demonstration exploit command is provided:

printf "\x80dupa"|nc -v -v -v -n 192.168.66.3 4000

Impact:   A remote user can cause the device to stall and then reboot. This can be done repeatedly to cause sustained denial of service conditions.
Solution:   The vendor recommends that P330 users upgrade to version 4.1, available at:

http://support.avaya.com

The vendor recommends that P130 users upgrade to software version 2.14, available at:

http://support.avaya.com

The vendor plans to issue a firmware upgrade for the G700 in February 2005. Until then, you can block traffic at the firewall which may be targeted for the affected ports (TCP 4000 and UDP 4501).

Vendor URL:  support.avaya.com/security/ (Links to External Site)
Cause:   Exception handling error

Message History:   None.


 Source Message Contents

Subject:  Denial of service in Cajun P13x/P33x switch family firmware 3.x


1. Problem Description

There exists a denial of service attack in the AVAYA Cajun P33x and P13x
switch family with firmware versions 3.x. It is possible to stop the
switch for 30 seconds. By repeating the attack access can be denied for
arbitrarily long periods of time.

2. Tested systems

The following versions were tested and found vulnerable:

Avaya Cajun P330T software version 3.12.1
Avaya Cajun P333R software version 3.12.0
Avaya Cajun P133 software version 2.6.1

Other versions are are believed to be vulnerable.

Additionally Avaya has found the G700 Media Gateway to be also vulnerable.

3. Details

By connecting to tcp port 4000 on the switch and sending at least five
bytes, of which the first four represent a negative integer will cause the
switch to stall, after some time the switch reboots. Example:

sq5bpf@hash:~$ printf "\x80dupa"|nc -v -v -v -n 192.168.66.3 4000
(UNKNOWN) [192.168.66.3] 4000 (?) open
[the connections stalls]

The time the switch needs to become operational again is about 30 seconds,
after this time the attack can be repeated.

4. Recommendations

As always it is good administrative practice to block unknown traffic to
network devices. Upgrading the switch to version 4.x also seems to fix the
problem.

5. Vendor status

AVAYA was informed on 3 Jun 2003. The vendor responded on 4 Jun 2003. As
the vendor proved responsive and worked promptly on the problem, I have
agreed to release the information after 17 Jun 2003. The fixed software is
avaliable from the Avaya support site http://support.avaya.com. Official
AVAYA security advisories are located at
http://support.avaya.com/security/

6. Disclaimer

Neither I nor my employer is responsible for the use or misuse of
information in this advisory.  The opinions expressed are my own and not
of any company.  Any use of the information is at the user's own risk.


Jacek Lipkowski sq5bpf@andra.com.pl

Andra Co. Ltd.
ul Wynalazek 6
02-677 Warsaw, Poland
http://www.andra.com.pl


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC