Message-ID: <Pine.LNX.4.64.0612170120580.21196@jalava.cc.jyu.fi>
Date: Sun, 17 Dec 2006 01:22:31 +0200 (EET)
From: Pasi Sjoholm <ptsjohol@...jyu.fi>
To: bugtraq@...urityfocus.com
Subject: Allied Telesis AT-9000/24 Ethernet switch management can be accessed from all VLANs.

1. Overview

The AT-9000/24 Ethernet switch's management can be accessed 
from any VLAN that has been configured on the switch.

Normally remote management (SNMP, telnet, HTTP) should only be 
available from the management VLAN, and on the AT-9000/24 
the management VLAN cannot be chosen: the only option 
is the "Default VLAN" (ID 1).

From the User's Guide, page 200:
--cut--
The remote management station must be a member of the switch's
Default VLAN. The switch responds and processes management
packets only if they are received on an untagged port of the Default
VLAN.
--cut--

However, when the switch is configured with more VLANs than
just the "Default VLAN", management is also available from
all of these VLANs.

This means that the switch management is exposed to 
cracking attempts. The cracker only has to find out in which
subnet (IP address) the switch management responds and,
of course, the passwords needed to access the management.

For example:

a) The SNMP agent has been enabled (it is not enabled by default) 
with the default community strings on the AT-9000/24 switch. 
Port settings can easily be reconfigured after this, 
e.g. mirroring all "development-VLAN" packets to a port 
in a "DMZ-VLAN" that contains a compromised server. 
The packets can be captured for later analysis.

b) The default admin account "manager" has been left with its default
password because the admin trusts that the switch only handles
packets from the "Default VLAN". An unauthorized person
marks the port through which he is communicating as a tagged
port of another VLAN. Now the unauthorized person has
access to that other VLAN.

2. Affected Versions

The current "AT-9000/24 Management System Version 1.1.0.06" and prior
versions are affected.

3. Solution

Software upgrade:
Allied Telesis is working on a fix for this bug; however, the release
date is unknown.

Workaround:
Unset the switch's IP address and use only local management through
the serial cable.
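Until fixed firmware is available, a defender can at least watch for management traffic that reaches the switch from a VLAN other than the Default VLAN. The following is an added example, not part of this advisory or of any Allied Telesis software; the switch address, VLAN IDs, subnet and the key=value flow-record format are assumptions. It keys on the VLAN a frame arrived on rather than on the source address, because a host on another VLAN can simply pick an address from the management subnet.

```python
import ipaddress

# Management services the advisory names as reachable from every VLAN.
MANAGEMENT_PORTS = {161: "snmp", 23: "telnet", 80: "http"}

# Constructed values, not from the advisory: the switch management address and
# the Default VLAN (ID 1) with its subnet, the only VLAN meant to reach management.
SWITCH_MGMT_IP = ipaddress.ip_address("10.0.1.2")
MGMT_VLAN_ID = 1
MGMT_VLAN_SUBNET = ipaddress.ip_network("10.0.1.0/24")

# Constructed flow records (one per line) as a flow exporter or mirror-port capture
# might give them; vlan is the VLAN the frame arrived on, which the source address alone cannot tell.
SAMPLE_FLOWS = """\
vlan=1 src=10.0.1.50 dst=10.0.1.2 dport=161 proto=udp
vlan=20 src=10.0.20.7 dst=10.0.1.2 dport=161 proto=udp
vlan=20 src=10.0.1.99 dst=10.0.1.2 dport=23 proto=tcp
vlan=30 src=10.0.30.9 dst=10.0.1.2 dport=443 proto=tcp
vlan=1 src=10.0.7.4 dst=10.0.1.2 dport=80 proto=tcp
vlan=20 src=10.0.20.7 dst=10.0.5.5 dport=80 proto=tcp
"""

def parse_flow(line):
    """Turn one 'key=value key=value ...' record into a dict with typed fields."""
    f = dict(tok.split("=", 1) for tok in line.split())
    f["vlan"] = int(f["vlan"]); f["dport"] = int(f["dport"])
    f["src"] = ipaddress.ip_address(f["src"]); f["dst"] = ipaddress.ip_address(f["dst"])
    return f

def classify(flow):
    """Return a reason string if the switch answered management traffic it should not have, else None."""
    if flow["dst"] != SWITCH_MGMT_IP or flow["dport"] not in MANAGEMENT_PORTS:
        return None
    svc = MANAGEMENT_PORTS[flow["dport"]]
    if flow["vlan"] != MGMT_VLAN_ID:
        # The case the advisory describes: any other VLAN, even with a management-subnet address.
        return f"{svc} from VLAN {flow['vlan']} (expected only VLAN {MGMT_VLAN_ID})"
    if flow["src"] not in MGMT_VLAN_SUBNET:
        return f"{svc} on the management VLAN from unexpected address {flow['src']}"
    return None

def audit(text):
    """Run classify over every record; return (line_no, src, reason) for each alert."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        reason = classify(parse_flow(line))
        if reason: alerts.append((n, line.split()[1][4:], reason))
    return alerts
```

Running `audit(SAMPLE_FLOWS)` on the constructed records flags lines 2, 3 and 5; the first and last records are ordinary traffic and line 4 is not a management port.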

4. Timeline

The vulnerability was first discovered on 12 December 2006 and was
reported to Allied Telesis support on the same day. 

The Allied Telesis development center confirmed the bug on
14 December 2006.

5. References

AT-S84 User's Guide
http://www.alliedtelesyn.com/datasheets/s84_ug_a_v11.pdf

AT-9000/24 Homepage
http://www.alliedtelesyn.com/products/details.aspx?604

-- 
Pasi Sjöholm
