COMMAND
Xylan OmniSwitch "features"
SYSTEMS AFFECTED
Systems running Xylan OmniSwitch 3.1.8, 3.2.3 (others?)
PROBLEM
'pmsac' found following after he stepped into two "features" of
Xylan OmniSwitches (also works on Pizza). These switches are sold
OEM to Alcatel (which just bought Xylan) and IBM.
Number one:
===========
Anyone can telnet to the switch and login, without knowing either
user or passwod strings. No permission will be given to perform
any command, which is not so bad. This could work as a DoS,
because software versions until 3.1.8 (don't know about later
ones) only allow one interactive session, displaying a message of
"System alread in use" in other attempts. However, since you can
do this DoS even without logging in (just sitting at the login
prompt) it's not much of a DoS.
[pmsac@localhost pmsac]$ telnet switch
Trying www.xxx.yyy.zzz...
Connected to www.xxx.yyy.zzz.
Escape character is '^]'.
Welcome to the Xylan OmniSwitch! Version 3.1.8
login : ajsdkal
password:
**********************************************************************
Xylan OmniSwitch - Copyright (c), 1994-1998 XYLAN Inc.
All rights reserved.
When you get the password prompt, just press ctrl+d (^D), the user
string is arbitrary. You won't get privileges to run any command,
not even the "exit" one, you have to close the connection
"manually".
Number two:
===========
Anyone can ftp to the switch, whitout knowing either user or
password strings. Everyone is allowed to read all files in
the flash, and even upload files (but not remove or overwrite
existing ones). Since reading all files gives access to SNMP
community strings, this could be trouble, which are stored in
clear text on one of the files, and writing files, well, just use
your imagination.
This was tested on software version 3.1.8.
SOLUTION
The "telnet" vulnerability was fixed prior to software release
3.2.6.