lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.53.0306181508510.5729@hash.intra.andra.com.pl>
Date: Wed, 18 Jun 2003 19:16:03 +0200 (CEST)
From: Jacek Lipkowski <sq5bpf@...ra.com.pl>
To: bugtraq@...urityfocus.com
Subject: Denial of service in Cajun P13x/P33x switch family firmware 3.x


1. Problem Description

There exists a denial of service attack in the AVAYA Cajun P33x and P13x
switch family with firmware versions 3.x. It is possible to stop the
switch for 30 seconds. By repeating the attack access can be denied for
arbitrarily long periods of time.

2. Tested systems

The following versions were tested and found vulnerable:

Avaya Cajun P330T software version 3.12.1
Avaya Cajun P333R software version 3.12.0
Avaya Cajun P133 software version 2.6.1

Other versions are are believed to be vulnerable.

Additionally Avaya has found the G700 Media Gateway to be also vulnerable.

3. Details

By connecting to tcp port 4000 on the switch and sending at least five
bytes, of which the first four represent a negative integer will cause the
switch to stall, after some time the switch reboots. Example:

sq5bpf@...h:~$ printf "\x80dupa"|nc -v -v -v -n 192.168.66.3 4000
(UNKNOWN) [192.168.66.3] 4000 (?) open
[the connections stalls]

The time the switch needs to become operational again is about 30 seconds,
after this time the attack can be repeated.

4. Recommendations

As always it is good administrative practice to block unknown traffic to
network devices. Upgrading the switch to version 4.x also seems to fix the
problem.

5. Vendor status

AVAYA was informed on 3 Jun 2003. The vendor responded on 4 Jun 2003. As
the vendor proved responsive and worked promptly on the problem, I have
agreed to release the information after 17 Jun 2003. The fixed software is
avaliable from the Avaya support site http://support.avaya.com. Official
AVAYA security advisories are located at
http://support.avaya.com/security/

6. Disclaimer

Neither I nor my employer is responsible for the use or misuse of
information in this advisory.  The opinions expressed are my own and not
of any company.  Any use of the information is at the user's own risk.


Jacek Lipkowski sq5bpf@...ra.com.pl

Andra Co. Ltd.
ul Wynalazek 6
02-677 Warsaw, Poland
http://www.andra.com.pl



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ