COMMAND

    Nortel's switches

SYSTEMS AFFECTED

    Nortel's new Contivity series extranet switches

PROBLEM

    John Daniele found the following.  Nortel's new Contivity series
    extranet switches give administrators the ability to enable a
    small HTTP server and use Nortel's web-based administration
    utility to handle configuration and maintenance.  The server runs
    atop the VxWorks operating system and is located in the directory
    /system/manage.  A CGI application, /system/manage/cgi/cgiproc,
    that is used to display the administration HTML pages does not
    properly authenticate users prior to processing requests.  An
    intruder can view any file on the switch without logging in.

    Method of exploitation?  Pretty much a no-brainer:

        http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file.

    (interesting     places     to     look:     /system/filelist.dat,
    /system/version.dat, /system/keys, /system/core, etc.)

    The only entry found in the event/security logs after exploitation
    is this:

         09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login

    Also, this same application does not properly escape shell
    metacharacters such as '$' and '!', resulting in a total system
    crash:

        http://x.x.x.x/manage/cgi/cgiproc?$

    Nothing is found in the security/event logs after the reboot.  This
    was tested on a Contivity 2500 running version 2_50.91 of the
    VxWorks OS.  However, the cgiproc application has (we guess) been
    part of the package since its initial release, so earlier versions
    may also be affected.

    This was also tested on the latest build, 2.51 build 07, and it is
    vulnerable.

SOLUTION

    Nortel was contacted and opened cases (CR# 118887 - cgiproc 'bug',
    CR# 118890 - DoS).  A patch has been developed and is scheduled to
    be released with their next shipment of the VxWorks package.
    Administrators who have properly configured the switch and placed
    adequate access control/filtering rules on the management virtual
    IP should not have any immediate concerns.

    As a user of the aforementioned product, it's important to note
    that only the management side (read: your internal network) can
    access the HTTP server of the switch.
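    The following is an added detection example, not part of the original
    advisory and not Nortel's code.  It scans web-server access-log lines for
    the two cgiproc problems described in PROBLEM (a Nocfile value that
    resolves outside /system/manage, and a query carrying the '$' or '!'
    metacharacters), flags management requests that do not come from the
    allowed management network as the SOLUTION section recommends, and picks
    out the "Request for cgiproc denied. requires login" event.  The log
    lines are constructed for the example; the Common Log Format and the
    assumption that the switch's HTTP server logs in that format are mine,
    and the management-network address range is a placeholder.

```python
import ipaddress
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Document root the /manage URL prefix maps to on the switch (from the advisory).
MANAGE_ROOT = "/system/manage"
# Shell-style metacharacters the advisory reports crash the switch when sent to cgiproc.
CRASH_METACHARS = set("$!")

# Common Log Format request line: client, timestamp, method, URL, status (assumed format).
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# The one event the advisory says the switch writes after an unauthenticated file read.
EVENT_RE = re.compile(r"Management: Request for cgiproc denied\. requires login")

# Constructed sample access log (NOT real traffic); 192.168.77.4 is outside the
# placeholder management network used in the usage call below.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2000:09:44:23 -0500] "GET /manage/cgi/cgiproc?Nocfile=/system/version.dat HTTP/1.0" 200 512
10.0.0.5 - - [12/Mar/2000:09:44:30 -0500] "GET /manage/cgi/cgiproc?$ HTTP/1.0" 500 0
10.0.0.9 - - [12/Mar/2000:09:45:01 -0500] "GET /manage/cgi/cgiproc?Nocfile=/system/manage/index.htm HTTP/1.0" 200 2048
192.168.77.4 - - [12/Mar/2000:09:46:10 -0500] "GET /manage/index.htm HTTP/1.0" 200 1024
"""

# Constructed sample device event log, following the line format quoted in the advisory.
SAMPLE_EVENT_LOG = """\
09:44:23 tEvtLgMgr 0 : Security [12] Management: Request for cgiproc denied. requires login
09:44:24 tEvtLgMgr 0 : Security [12] Management: Login succeeded for admin
"""


def classify_cgiproc_request(url):
    """Return finding tags for one request URL; empty list if the request looks benign."""
    parts = urlsplit(url)
    if posixpath.basename(parts.path) != "cgiproc":
        return []
    findings = []
    # Check the raw (decoded) query so encoded metacharacters are caught too.
    if CRASH_METACHARS & set(unquote(parts.query)):
        findings.append("metachar-dos")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() != "nocfile":
            continue
        # Resolve relative values against the manage root and collapse any "..".
        target = posixpath.normpath(posixpath.join(MANAGE_ROOT, value))
        if not target.startswith(MANAGE_ROOT + "/"):
            findings.append("file-read-outside-manage-root")
    return findings


def scan_access_log(text, allowed_nets=()):
    """Return one alert dict per suspicious line: client, time, status and finding tags."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    alerts = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, ts, _method, url, status = m.groups()
        tags = classify_cgiproc_request(url)
        # Any hit on the management interface from outside the management net is an alert.
        if nets and urlsplit(url).path.startswith("/manage") and not any(
            ipaddress.ip_address(client) in n for n in nets
        ):
            tags.append("source-outside-management-net")
        if tags:
            alerts.append({"client": client, "time": ts, "status": int(status), "tags": tags})
    return alerts


def cgiproc_login_denials(text):
    """Return the device event-log lines recording a cgiproc 'requires login' denial.

    Per the advisory this event is written even though the file was served, so it
    is a correlation signal, not evidence that the request was actually blocked."""
    return [ln for ln in text.splitlines() if EVENT_RE.search(ln)]


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_ACCESS_LOG, ("10.0.0.0/24",)):  # placeholder net
        print(alert)
    for event in cgiproc_login_denials(SAMPLE_EVENT_LOG):
        print("event:", event)
```

    The Nocfile check joins the value onto the manage root before normalising
    it, so "index.htm" is accepted while "/system/version.dat" and "../keys"
    are both reported; the metacharacter check runs on the decoded query so
    percent-encoded '$' is caught as well.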