Re: Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches

[Mike Scher <mscher () neohapsis com>]

In response to tbe below, we examined this issue on a Cajun P550 (not
550R) with software version 4.3.5.

We found:

1) The accounts (manuf and diag) are clearly present in the config and
easily seen with 'show running-conf' or 'show startup-conf'
2) They are system accounts and cannot be deleted
3) They have by default the passwords indicated by Mr. Lipkowski
4) They CAN have their passwords changed by the 'root user' and the
changes save sucessfully across reloads.

We'd ask that others verify (for other software/hardware combinations)
whether they can change the account passwords ( 'username manuf password
foo' ), and save them ( 'copy running-config startup-config' ), reload,
and check whether the passwords changes have saved.

As an aside:

While testing, we noticed that accounts with the same password show the
same saved hash, indicating that only one salt is in use.  That may be a
legacy item on the P550, which is discontinued and stuck at 4.3.5 version
software.

We'd ask others to check whether this (minor, but nevertheless real) issue
is present in newer revisions as well.

      -Mike

-- 
Michael Scher         |     Director, Neohapsis Labs
mscher () neohapsis com  |     General Counsel

On Tue, 15 Oct 2002, Jacek Lipkowski wrote:

> Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches
>
> 1. Problem Description
>
> Two undocummented accounts with default passwords allow access via telnet
> and the web interface to Cajun P550R/P580/P880/P882 switches. Both
> accounts give developer access to the switch. The vulnerability can be
> avioded by upgrading to software version 5.3.0 or later and disabling the
> accounts.
>
> 2. Tested systems
>
> The following versions were tested and found vulnerable:
>
> Avaya Cajun P580 software version 5.2.14
>
> All previous software versions are assumed to be vulnerable. This
> problem is present in P550R,P580,P880 and P882.
>
> 3. Details
>
> The vulnerable firmware installs the following strings into the switch
> configuration by default:
>
> username "root" password encrypted-type1 "$tSfIcnbTP.pxRf7BrhGW31"
> access-type admin
> username "diag" password encrypted-type1 "$PQO.vGxkvDHkEDCJ2YsoD1"
> access-type read-write
> username "manuf" password encrypted-type1 "$seHFLP9b16m2v/534WCk90"
> access-type read-write
>
> The only documented password is for the root user. This user can't
> change the diag and manuf accounts.
>
> The un-documented passwords are:
>
> user  password
> ----  --------
> diag  danger
> manuf xxyyzz
>
> Both of these accounts give developer access to the switch (read-write
> access-type), which is more priviliged than normal administrative access
> (admin access-type).
>
> 4. Recommendations
>
> As always it is good administrative practice to block access to
> administrative interfaces (telnet, web) at the firewall. Upgrading to
> software version 5.3.0 or later and disabling the accounts resolves ths
> issue.
>
> As a temporary workaround download the configuration file via tftp, edit
> out these accounts, or change their password hashes, and upload it to the
> switch.
>
>
> 5. Vendor status
>
> AVAYA was informed on 2 Oct 2002. The vendor responded the same day, proved
> responsive and worked promptly on the problem. I have agreed to release the
> information after the release of the official AVAYA advisory. The official
> Avaya advisory was out on 11 Oct 2002. The fixed software is avaliable from the
> Avaya support site http://support.avaya.com.
>
> Official AVAYA security advisories are located at
> http://support.avaya.com/security/
>
> 6. Disclaimer
>
> Neither I nor my employer is responsible for the use or misuse of
> information in this advisory.  The opinions expressed are my own and not
> of any company.  Any use of the information is at the user's own risk.
>
>
> Jacek Lipkowski sq5bpf () andra com pl
>
> Andra Co. Ltd.
> ul Wynalazek 6
> 02-677 Warsaw, Poland
> http://www.andra.com.pl