INTRO:

Marconi ATM switches can be configured with IP addresses for remote administration over telnet and a web interface. A bug can be used to deny telnet access to the switch; the web interface does not appear to be vulnerable, and console management is unaffected.

HISTORY:

http://www.securityfocus.com/bid/2400

Marconi ForeThought 6.2 had an administrative DoS vulnerability in its TCP/IP stack; Marconi fixed this as of FT6.2.0_1.73390. Newer versions of ForeThought include a second telnet session intended only for administrative users: if someone is already logged into the switch, the second login is reserved for users with administrative privileges.

DESCRIPTION:

The upgrade Marconi released did fix the problem in the underlying TCP stack. However, there is a second, higher-layer bug that allows both telnet sessions to be locked, completely preventing standard telnet access to the switch. Unfortunately, the vulnerability is such that some port scans may trigger it unintentionally. There is also no way to clear the locked sessions, even from a console connection ("security telnet kill 0", for example, has no effect). Rebooting the switch is the only known way to make the telnet sessions available again.

DETAILS:

Hardware tested: Marconi ASX-200, P5 CPU
Software version: ForeThought 71.1.0_1.83325.bin
Test software: nmap V. 2.53
Command issued: RPCgrind scan against the telnet port (23)

Results: "security telnet show" lists the User ID as "Logging in..." along with the IP address that connected to the switch. The idle time stays at 0s forever, even though there is no longer any underlying TCP connection state associated with the session.

WORKAROUND(s):

Marconi was notified at the end of July. Engineers have found the bug and will have a fixed version available shortly. In the meantime, telnet access to Marconi ASX switches should be allowed only from management networks.

The version of ForeThought tested has an IPFilter option which seems a viable workaround (security ipf). It appears to drop any packet destined for an internal IP on the switch that is not sourced from a host or network listed in the IPF rules.

Christopher Kruslicky
-- 
Quidquid latine dictum sit, altum viditur. (Whatever is said in Latin sounds profound.)
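The advisory gives operators one way to notice the condition without a reboot: a "security telnet show" entry stuck at "Logging in..." with an idle time of 0s. The script below is an added example (not part of the original post and not Marconi code) that scans pasted console output for that symptom and reports when every telnet slot is consumed. The column layout in SAMPLE_SHOW_OUTPUT is constructed for the example and is an assumption; real ForeThought output may differ, so the parser keys on the fields the advisory names rather than on exact column positions.

```python
"""Flag half-open ForeThought telnet sessions from "security telnet show" output.

Added example for the Marconi telnet-lockup advisory. The table layout below is
constructed/assumed, not copied from a real switch; only the symptoms the
advisory describes are relied on: User ID shown as "Logging in...", a remote
IP address, and an idle time that never leaves 0s.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of what an operator might paste from the switch console.
# Column names and spacing are assumptions made for this example.
SAMPLE_SHOW_OUTPUT = """\
Session  User ID        Remote Address   Idle
1        ami            10.1.2.3         12m3s
2        Logging in...  192.168.5.77     0s
"""

# Newer ForeThought releases provide two telnet sessions (one reserved for
# administrative users); when both show the symptom, standard telnet is gone.
TELNET_SLOTS = 2


@dataclass
class TelnetSession:
    session: int
    user: str
    remote: str
    idle: str

    def looks_stuck(self) -> bool:
        """Never completed login and never accrues idle time: the advisory's symptom."""
        return self.user == "Logging in..." and self.idle == "0s"


# One session per line: slot number, user id (or the literal "Logging in..."),
# dotted-quad remote address, idle-time token. The literal is tried before \S+
# because it contains a space.
_LINE = re.compile(
    r"^\s*(\d+)\s+(Logging in\.\.\.|\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$"
)


def parse_sessions(text: str) -> List[TelnetSession]:
    """Parse session rows; header lines and blanks do not match and are skipped."""
    sessions = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            sessions.append(
                TelnetSession(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            )
    return sessions


def stuck_sessions(text: str) -> List[TelnetSession]:
    """Sessions that match the lockup symptom, with the source IP that caused them."""
    return [s for s in parse_sessions(text) if s.looks_stuck()]


def all_slots_locked(text: str, slots: int = TELNET_SLOTS) -> bool:
    """True when every telnet slot is held by a stuck session (reboot required)."""
    return len(stuck_sessions(text)) >= slots


if __name__ == "__main__":
    for s in stuck_sessions(SAMPLE_SHOW_OUTPUT):
        print(f"session {s.session} from {s.remote} is stuck at login")
    if all_slots_locked(SAMPLE_SHOW_OUTPUT):
        print("all telnet slots locked; only a reboot clears them")
```

Run it against output captured over the console (the one management path the advisory says is unaffected). The remote address on a stuck row is the scanner that tripped the bug, which is the host to look for in the IPF rules or upstream filters.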
This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 16:40:16 PDT