Telnet DoS Vulnerability in Marconi ATM Switch Software

From: Christopher Kruslicky (anub-securityfocusat_private)
Date: Tue Sep 04 2001 - 10:02:05 PDT


INTRO:
Marconi ATM switches can be configured with IP addresses for remote
administration via telnet and web interfaces.  There is a bug that can be
used to deny telnet access to the switch; the web interface does not appear
to be vulnerable, and console management is unaffected.
    
HISTORY:
http://www.securityfocus.com/bid/2400
Marconi ForeThought 6.2 had an administrative DoS vulnerability in its
TCP/IP stack; this was fixed by Marconi as of FT6.2.0_1.73390.  Newer versions of
ForeThought include a second telnet session intended only for administrative
users.  The idea is that if someone is already logged into the switch, the
second login remains reserved for users with administrative privileges.
    
DESCRIPTION:
The upgrade Marconi released did fix the problem with the underlying TCP
stack; however, there is another, higher-layer bug that allows both telnet
sessions to be locked, completely preventing standard telnet access to the
switch.  Unfortunately the vulnerability is such that some port scans may
trigger it unintentionally.  Also, there is no way to clear the locked
sessions, even from a console connection ("security telnet kill 0", for
example, has no effect).  Rebooting the switch is the only known way to make
those telnet sessions available again.
    
DETAILS:
Hardware tested:  Marconi ASX-200, P5 cpu
Software version: ForeThought 71.1.0_1.83325.bin
Test software:    nmap V. 2.53
Command issued:   RPCgrind scan against telnet port (23)
Results:          "security telnet show" will show the User ID as
                  "Logging in..." along with the IP address that connected
                  to the switch.  Also, the idle time will stay at 0s
                  forever, while there is no underlying TCP connection
                  state associated with this session.
    
WORKAROUND(s):
Marconi was notified at the end of July.  Engineers have found the bug and
will have a fixed version available shortly.  In the meantime, telnet access
to Marconi ASX switches should be allowed only from management networks.
The version of ForeThought tested has an IPFilter option which appears to be
a viable workaround (security ipf).  It drops any packet destined for an
internal IP on the switch that isn't sourced from a host or network listed
in the IPF rules.
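A monitoring check for the two points above, written as an added example (not code from the advisory or from Marconi): it parses the session table the way an operator would read "security telnet show", flags sessions whose User ID is stuck at "Logging in..." with an idle time of 0s (the symptom the DETAILS section describes), and separately flags any session whose source address lies outside the management networks that the IPF workaround is meant to enforce.  The column layout of SAMPLE_OUTPUT, the management prefix 10.0.0.0/24 and the user name "netadmin" are constructed assumptions; the real ForeThought output format is not reproduced on this page, so adapt SESSION_RE to it.

```python
import ipaddress
import re

# Constructed sample of what an operator might see from "security telnet
# show".  The column layout is an assumption for this example only; the
# advisory gives the field values ("Logging in...", the source IP, idle 0s)
# but not the exact format.
SAMPLE_OUTPUT = """\
Session  User ID        From            Idle
1        Logging in...  192.0.2.10      0s
2        netadmin       10.0.0.5        3m12s
"""

# Assumed management network; the IPF rules on the switch should permit
# telnet only from prefixes listed here.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

# session id, user id (may contain single spaces), IPv4 source, idle time
SESSION_RE = re.compile(
    r"^\s*(\d+)\s+(.+?)\s{2,}(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)


def parse_sessions(text):
    """Return one dict per session row; header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue
        sessions.append({
            "id": int(m.group(1)),
            "user": m.group(2).strip(),
            "from": m.group(3),
            "idle": m.group(4),
        })
    return sessions


def is_stuck(session):
    """Symptom from the advisory: login never completes and idle stays at 0s."""
    return session["user"] == "Logging in..." and session["idle"] == "0s"


def from_management_network(ip, networks=MANAGEMENT_NETWORKS):
    """True if the source address falls inside an allowed management prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def audit(text, networks=MANAGEMENT_NETWORKS):
    """Produce human-readable findings for stuck or out-of-policy sessions."""
    findings = []
    for s in parse_sessions(text):
        if is_stuck(s):
            findings.append(
                f"session {s['id']}: stuck login from {s['from']} "
                f"(telnet slot lost until the switch is rebooted)"
            )
        if not from_management_network(s["from"], networks):
            findings.append(
                f"session {s['id']}: source {s['from']} is outside the "
                f"management networks; check the IPF rules"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(finding)
```

Run this against the captured output of "security telnet show" on a schedule; a stuck-session finding is the signal to plan a reboot window, and an out-of-policy source finding means the IPF rules are not restricting telnet the way the workaround intends.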
    
    
Christopher Kruslicky
--
Quidquid latine dictum sit, altum viditur.
    