Avaya P330/P130 and G700 Switches Can Be Crashed By Remote Users
SecurityTracker Alert ID: 1007014
SecurityTracker URL: http://securitytracker.com/id/1007014
Updated: Jan 4 2005
Original Entry Date: Jun 19 2003
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): Prior to 4.0; Avaya P330/P130 and G700
A denial of service vulnerability was reported in the Avaya Cajun P330/P130 switch and the G700 Media Gateway. A remote user can cause the device to reboot.
It is reported that a remote user can connect to the switch on TCP port 4000 and send a five-byte packet, where the first four bytes are negative integer values, to cause the switch to stop processing traffic and reboot. According to the report, a single attack can cause the switch to become unavailable for about 30 seconds.
A demonstration exploit command is provided:
printf "\x80dupa"|nc -v -v -v -n 192.168.66.3 4000
A remote user can cause the device to stall and then reboot. This can be done repeatedly to cause sustained denial of service conditions.
The vendor recommends that P330 users upgrade to version 4.1, available at:
The vendor recommends that P130 users upgrade to software version 2.14, available at:
The vendor plans to issue a firmware upgrade for the G700 in February 2005. Until then, you can block traffic to the affected ports (TCP 4000 and UDP 4501) at the firewall.
Vendor URL: support.avaya.com/security/
Exception handling error
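A detection-side illustration of the trigger condition described in this alert, added here as an example and not part of the SecurityTracker entry or the original advisory. It flags client streams to TCP port 4000 whose first four bytes decode to a negative 32-bit integer once five bytes have arrived, buffering per flow because those bytes may be split across segments. The big-endian interpretation, the event tuple format and all class and function names are assumptions made for the example.

```python
import struct

AFFECTED_TCP_PORT = 4000  # port named in the alert
MIN_BYTES = 5             # alert: a five-byte packet triggers the stall


class NegativePrefixDetector:
    """Flag client streams to TCP/4000 whose first four bytes decode to a
    negative 32-bit integer once at least five bytes have arrived."""

    def __init__(self):
        self._prefix = {}   # flow id -> leading bytes buffered so far
        self._done = set()  # flows already classified

    def feed(self, flow, dst_port, chunk):
        """chunk: client-to-device payload bytes in stream order.
        Returns an alert dict, or None."""
        if dst_port != AFFECTED_TCP_PORT or flow in self._done:
            return None
        # The five bytes may be split across segments, so buffer per flow.
        buf = (self._prefix.get(flow, b"") + chunk)[:MIN_BYTES]
        if len(buf) < MIN_BYTES:
            self._prefix[flow] = buf
            return None
        self._prefix.pop(flow, None)
        self._done.add(flow)
        # Assumption: signed, big-endian (network order) interpretation.
        (value,) = struct.unpack(">i", buf[:4])
        return {"flow": flow, "value": value} if value < 0 else None


def scan(events):
    """Run the detector over (flow, dst_port, chunk) tuples; return alerts."""
    det = NegativePrefixDetector()
    return [a for a in (det.feed(*e) for e in events) if a is not None]


# Constructed sample events (not captured traffic).
SAMPLE_EVENTS = [
    ("flow-a", 4000, b"\x00\x00\x00\x10hello"),  # positive prefix: ignored
    ("flow-b", 4000, b"\xff\xff"),               # split prefix, part 1
    ("flow-b", 4000, b"\xff\xfeX"),              # part 2 completes 5 bytes
    ("flow-c", 4000, b"\x80\x00\x00\x00"),       # only 4 bytes: no alert yet
    ("flow-d", 80,   b"\xff\xff\xff\xffX"),      # other port: out of scope
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On switches that have no legitimate clients for this port, any alert from such a check is worth correlating with device reboot or link-flap events.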
Source Message Contents
Subject: Denial of service in Cajun P13x/P33x switch family firmware 3.x
1. Problem Description
There exists a denial of service attack in the AVAYA Cajun P33x and P13x
switch family with firmware versions 3.x. It is possible to stop the
switch for 30 seconds. By repeating the attack access can be denied for
arbitrarily long periods of time.
2. Tested systems
The following versions were tested and found vulnerable:
Avaya Cajun P330T software version 3.12.1
Avaya Cajun P333R software version 3.12.0
Avaya Cajun P133 software version 2.6.1
Other versions are believed to be vulnerable.
Additionally Avaya has found the G700 Media Gateway to be also vulnerable.
Connecting to TCP port 4000 on the switch and sending at least five
bytes, of which the first four represent a negative integer, will cause the
switch to stall; after some time the switch reboots. Example:
sq5bpf@hash:~$ printf "\x80dupa"|nc -v -v -v -n 192.168.66.3 4000
(UNKNOWN) [192.168.66.3] 4000 (?) open
[the connection stalls]
The time the switch needs to become operational again is about 30 seconds,
after this time the attack can be repeated.
As always it is good administrative practice to block unknown traffic to
network devices. Upgrading the switch to version 4.x also seems to fix the
5. Vendor status
AVAYA was informed on 3 Jun 2003. The vendor responded on 4 Jun 2003. As
the vendor proved responsive and worked promptly on the problem, I have
agreed to release the information after 17 Jun 2003. The fixed software is
available from the Avaya support site http://support.avaya.com. Official
AVAYA security advisories are located at
Neither I nor my employer is responsible for the use or misuse of
information in this advisory. The opinions expressed are my own and not
of any company. Any use of the information is at the user's own risk.
Jacek Lipkowski firstname.lastname@example.org
Andra Co. Ltd.
ul Wynalazek 6
02-677 Warsaw, Poland