SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   Alcatel-Lucent OmniSwitch
Vendors:   Alcatel-Lucent
Alcatel OmniSwitch Management Web Server Stack Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1020657
SecurityTracker URL:  http://securitytracker.com/id/1020657
CVE Reference:   CVE-2008-4383
Updated:  Oct 8 2008
Original Entry Date:  Aug 12 2008
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 5.4.1.429.R01, 5.1.6.463.R02, 6.1.3.965.R01, 6.1.5.595.R01, 6.3.1.966.R01
Description:   A vulnerability was reported in Alcatel OmniSwitch. A remote user can execute arbitrary code on the target system.

A remote user can send a specially crafted "Cookie: Session=" header value to trigger a stack overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service.

The vulnerability resides in the Agranet-Emweb embedded management web server.
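
A detection sketch for the oversized header described above, added here as an example and not taken from the advisory or the vendor: it parses raw HTTP requests and flags any whose Session cookie value exceeds a length limit. The 128-byte limit, the function names and the sample requests are assumptions; the source message below reports 2392 bytes on one build and says the count varies between AOS versions, so the limit sits far below that figure.

```python
# Added example: flag HTTP requests with an abnormally long "Session" cookie.
# MAX_SESSION_LEN is an assumed policy limit, not a value from the advisory.
MAX_SESSION_LEN = 128


def session_cookie_lengths(raw_request: bytes) -> list:
    """Return the byte length of every Session= value in the Cookie headers."""
    # Accept both CRLF and bare LF line endings; look only at the header block.
    head = raw_request.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lengths = []
    for line in head.split(b"\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"cookie":
            continue
        for pair in value.split(b";"):
            key, eq, val = pair.strip().partition(b"=")
            if eq and key.strip().lower() == b"session":
                lengths.append(len(val))
    return lengths


def is_suspicious(raw_request: bytes, limit: int = MAX_SESSION_LEN) -> bool:
    """True if any Session cookie value is longer than the limit."""
    return any(n > limit for n in session_cookie_lengths(raw_request))


def scan(requests, limit: int = MAX_SESSION_LEN):
    """Return (index, longest Session value) for each flagged request."""
    hits = []
    for i, req in enumerate(requests):
        longest = max(session_cookie_lengths(req), default=0)
        if longest > limit:
            hits.append((i, longest))
    return hits


# Constructed sample requests (not captured traffic).
NORMAL = (b"GET / HTTP/1.1\r\nHost: switch.example\r\n"
          b"Cookie: lang=en; Session=" + b"a1b2c3d4" * 4 + b"\r\n\r\n")
OVERSIZED = (b"GET / HTTP/1.1\r\nHost: switch.example\r\n"
             b"cookie: Session=" + b"x" * 2000 + b"\r\n\r\n")

if __name__ == "__main__":
    for idx, size in scan([NORMAL, OVERSIZED]):
        print(f"request {idx}: Session cookie value is {size} bytes")
```

The same length check can be applied at a reverse proxy or IDS in front of the management interface for devices that cannot be upgraded immediately.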

The following OmniSwitch versions are affected:

OS7000 Series
OS6600 Series
OS6800 Series
OS6850 Series
OS9000 Series

The vendor was notified on May 22, 2008.

Deral Heiland of www.LayeredDefense.com reported this vulnerability.

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued the following fixes (AoS Releases):

* 5.4.1.429.R01 and above
* 5.1.6.463.R02 and above
* 6.1.3.965.R01 and above
* 6.1.5.595.R01 and above
* 6.3.1.966.R01 and above

The vendor's advisory is available at:

http://www1.alcatel-lucent.com/psirt/statements/2008002/OmniSwitch.htm

Vendor URL:  www1.alcatel-lucent.com/psirt/statements/2008002/OmniSwitch.htm
Cause:   Boundary error

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Layered Defense Research Advisory: Alcatel-Lucent

==================================================
Layered Defense Research Advisory 12 August 2008
==================================================
1) Affected Product
Alcatel-Lucent OmniSwitch products
OS7000
OS6600
OS6800
OS6850
OS9000
==================================================
2) Severity Rating:
critical
Impact: Remotely exploitable without authentication.
==================================================
3) Description of Vulnerability
A stack-based buffer overflow was discovered within the Alcatel 
OmniSwitch product line.
This buffer overflow was discovered within the Agranet-Emweb embedded 
management web server and can be exploited remotely without user 
authentication.
The vulnerability can be triggered on a 6200-24 running AOS Version 
5.4.1.396.R01 by sending 2392 bytes in the HTTP header "Cookie: 
Session=". This appears to overwrite a return address on the stack, 
giving the attacker control of the instruction pointer. The number of 
bytes needed to trigger the overflow varies between AOS versions.
==================================================
4) Solution
Fix:
1. Install AOS upgrades as recommended by Vendor
2. Disable Web services on OmniSwitch products
==================================================
5) Time Table:
05/21/2008 Reported Vulnerability to Vendor.
06/27/2008 Vendor acknowledged the vulnerability
08/06/2008 Vendor published hot fix
==================================================
6) Credits
Discovered by Deral Heiland, www.LayeredDefense.com
==================================================
7) Reference
http://www1.alcatel-lucent.com/psirt/statements/2008002/OmniSwitch.htm
https://wws.cert-ist.com/fast-cgi/AV/Details.cgi?lang=eng&action=1&format=3&ref=CERT-IST/AV-2008.333
==================================================
8) About Layered Defense
Layered Defense is a group of security 
professionals that work together on ethical research, testing and 
training within the information security arena. http://www.layereddefense.com
==================================================
