COMMAND

    Xylan OmniSwitch "features"

SYSTEMS AFFECTED

    Systems running Xylan OmniSwitch 3.1.8, 3.2.3 (others?)

PROBLEM

    'pmsac' found the following after running into two "features" of
    Xylan OmniSwitches (also works on Pizza).  These switches are sold
    OEM to Alcatel (which just bought Xylan) and IBM.

    Number one:
    ===========
    Anyone can telnet to the switch and log in without knowing either
    the user or the password string.  No permission is given to
    perform any command, which is not so bad.  This could work as a
    DoS, because software versions up to 3.1.8 (don't know about later
    ones) allow only one interactive session and answer other attempts
    with the message "System alread in use".  However, since the same
    DoS is possible even without logging in (just sitting at the login
    prompt), it's not much of a DoS.

        [pmsac@localhost pmsac]$ telnet switch
        Trying www.xxx.yyy.zzz...
        Connected to www.xxx.yyy.zzz.
        Escape character is '^]'.



        Welcome to the Xylan OmniSwitch! Version 3.1.8
        login   : ajsdkal
        password:

          **********************************************************************

        Xylan OmniSwitch - Copyright (c), 1994-1998 XYLAN Inc.
        All rights reserved.

    When you get the password prompt, just press ctrl+d (^D); the user
    string is arbitrary.  You won't get privileges to run any command,
    not even "exit", so you have to close the connection "manually".

    Number two:
    ===========
    Anyone can ftp to the switch without knowing either the user or
    the password string.  Everyone is allowed to read all files in
    the flash, and even to upload files (but not to remove or
    overwrite existing ones).  Reading all files gives access to the
    SNMP community strings, which are stored in clear text in one of
    the files, so this could be trouble.  As for writing files, well,
    just use your imagination.

    This was tested on software version 3.1.8.

SOLUTION

    The "telnet"  vulnerability was  fixed prior  to software  release
    3.2.6.
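
    For inventory triage, the version statements above can be applied
    to collected telnet banners.  This is an added example, not part
    of the original advisory; the hostnames and every banner except
    the 3.1.8 one are constructed, and the function names are
    hypothetical.

```python
import re

# Versions the advisory names as affected by the telnet issue.
CONFIRMED_TELNET = {(3, 1, 8), (3, 2, 3)}
# The FTP issue was tested on 3.1.8 only, and no fix is stated.
FTP_TESTED = {(3, 1, 8)}
# Advisory: telnet issue fixed "prior to software release 3.2.6".
TELNET_FIXED_BY = (3, 2, 6)

BANNER_RE = re.compile(r"Xylan OmniSwitch! Version (\d+)\.(\d+)\.(\d+)")

def parse_version(banner):
    """Return (major, minor, patch) from a telnet banner, or None."""
    m = BANNER_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def triage(banner):
    """Classify one banner against what the advisory states."""
    ver = parse_version(banner)
    if ver is None:
        return {"version": None, "telnet": "unknown", "ftp": "unknown"}
    if ver in CONFIRMED_TELNET:
        telnet = "affected"
    elif ver >= TELNET_FIXED_BY:      # tuple compare: 3.10.1 > 3.2.6
        telnet = "fixed"
    else:
        telnet = "possibly affected"  # the advisory's "(others?)"
    ftp = "affected" if ver in FTP_TESTED else "unverified"
    return {"version": ".".join(map(str, ver)), "telnet": telnet, "ftp": ftp}

# Constructed inventory; only the 3.1.8 banner appears in the advisory.
SAMPLE = {
    "sw-core-1": "Welcome to the Xylan OmniSwitch! Version 3.1.8",
    "sw-core-2": "Welcome to the Xylan OmniSwitch! Version 3.2.3",
    "sw-edge-1": "Welcome to the Xylan OmniSwitch! Version 3.2.5",
    "sw-edge-2": "Welcome to the Xylan OmniSwitch! Version 3.10.1",
    "sw-lab-1": "login:",
}

def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(banner) for host, banner in inventory.items()}

if __name__ == "__main__":
    for host, r in sorted(report(SAMPLE).items()):
        print(f"{host:10} {r['version'] or '?':8} telnet={r['telnet']} ftp={r['ftp']}")
```

    Versions are compared as integer tuples so that a release such as
    3.10.1 is not sorted below 3.2.6, as a string comparison would do.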