Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches

From: Jacek Lipkowski (sq5bpfat_private)
Date: Tue Oct 15 2002 - 07:10:26 PDT


    Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches
    
    1. Problem Description
    
    Two undocumented accounts with default passwords allow access via telnet
    and the web interface to Cajun P550R/P580/P880/P882 switches. Both
    accounts give developer access to the switch. The vulnerability can be
    avoided by upgrading to software version 5.3.0 or later and disabling the
    accounts.
    
    2. Tested systems
    
    The following versions were tested and found vulnerable:
    
    Avaya Cajun P580 software version 5.2.14
    
    All previous software versions are assumed to be vulnerable. This
    problem is present in P550R, P580, P880 and P882.
    
    3. Details
    
    The vulnerable firmware installs the following strings into the switch
    configuration by default:
    
    username "root" password encrypted-type1 "$tSfIcnbTP.pxRf7BrhGW31"
    access-type admin
    username "diag" password encrypted-type1 "$PQO.vGxkvDHkEDCJ2YsoD1"
    access-type read-write
    username "manuf" password encrypted-type1 "$seHFLP9b16m2v/534WCk90"
    access-type read-write
    
    The only documented password is for the root user. This user can't
    change the diag and manuf accounts.
    
    The un-documented passwords are:
    
    user	password
    ----	--------
    diag	danger
    manuf	xxyyzz
    
    Both of these accounts give developer access to the switch (read-write
    access-type), which is more privileged than normal administrative access
    (admin access-type).
    
    4. Recommendations
    
    As always, it is good administrative practice to block access to
    administrative interfaces (telnet, web) at the firewall. Upgrading to
    software version 5.3.0 or later and disabling the accounts resolves this
    issue.
    
    As a temporary workaround download the configuration file via tftp, edit
    out these accounts, or change their password hashes, and upload it to the
    switch.
    
    
    5. Vendor status
    
    AVAYA was informed on 2 Oct 2002. The vendor responded the same day, proved
    responsive and worked promptly on the problem. I have agreed to release the
    information after the release of the official AVAYA advisory. The official
    Avaya advisory was out on 11 Oct 2002. The fixed software is available from the
    Avaya support site http://support.avaya.com.
    
    Official AVAYA security advisories are located at
    http://support.avaya.com/security/
    
    6. Disclaimer
    
    Neither I nor my employer is responsible for the use or misuse of
    information in this advisory.  The opinions expressed are my own and not
    of any company.  Any use of the information is at the user's own risk.
    
    
    Jacek Lipkowski sq5bpfat_private
    
    Andra Co. Ltd.
    ul Wynalazek 6
    02-677 Warsaw, Poland
    http://www.andra.com.pl
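
An added example, not part of the original advisory or any Avaya tooling: a small audit of a configuration file saved from the switch (as in the section 4 workaround) that flags the undocumented accounts and any factory-default password hash listed in section 3, and can edit the diag/manuf entries out. It assumes the saved file uses the same `username ... password encrypted-type1 ... access-type ...` syntax shown in the advisory; the function names and the "netops" entry are constructed for illustration.

```python
import re

# Factory-default hashes exactly as listed in section 3 of the advisory.
DEFAULT_HASHES = {
    "root": "$tSfIcnbTP.pxRf7BrhGW31",
    "diag": "$PQO.vGxkvDHkEDCJ2YsoD1",
    "manuf": "$seHFLP9b16m2v/534WCk90",
}
UNDOCUMENTED = {"diag", "manuf"}

# access-type may follow on the same line or wrap onto the next one,
# so whitespace (including newlines) is allowed between the fields.
USER_RE = re.compile(
    r'username\s+"([^"]+)"\s+password\s+\S+\s+"([^"]*)"'
    r'(?:\s+access-type\s+(\S+))?'
)

def audit_config(text):
    """Return (user, access_type, issues) for every risky account entry."""
    findings = []
    for user, pw_hash, access in USER_RE.findall(text):
        issues = []
        if user in UNDOCUMENTED:
            issues.append("undocumented account present")
        if DEFAULT_HASHES.get(user) == pw_hash:
            issues.append("factory-default password hash")
        if issues:
            findings.append((user, access or None, issues))
    return findings

def strip_undocumented(text):
    """Return the config with the diag/manuf entries edited out."""
    keep = lambda m: "" if m.group(1) in UNDOCUMENTED else m.group(0)
    return USER_RE.sub(keep, text)

# Constructed sample: the three default entries from the advisory plus a
# made-up "netops" account with a made-up hash.
SAMPLE = '''\
username "root" password encrypted-type1 "$tSfIcnbTP.pxRf7BrhGW31"
access-type admin
username "diag" password encrypted-type1 "$PQO.vGxkvDHkEDCJ2YsoD1"
access-type read-write
username "manuf" password encrypted-type1 "$seHFLP9b16m2v/534WCk90" access-type read-write
username "netops" password encrypted-type1 "$CONSTRUCTEDHASH0000000" access-type admin
'''

if __name__ == "__main__":
    for user, access, issues in audit_config(SAMPLE):
        print(f"{user} ({access}): {'; '.join(issues)}")
```

Running the audit again on the edited file before uploading it confirms that only entries you intend to keep remain.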
    


