Bugtraq mailing list archives
Telnet DoS Vulnerability in Marconi ATM Switch Software
From: "Christopher Kruslicky" <anub-securityfocus () open mine nu>
Date: Tue, 4 Sep 2001 13:02:05 -0400
INTRO:

Marconi ATM switches can be configured with IP addresses for remote administration via telnet and web interfaces. There is a bug that can be used to deny telnet access to the switch. The web interface does not appear vulnerable, and console management is unaffected.

HISTORY:

http://www.securityfocus.com/bid/2400

Marconi ForeThought 6.2 had an administrative DoS vulnerability in its TCP/IP stack; this was fixed by Marconi as of FT6.2.0_1.73390.

Newer versions of ForeThought include a second telnet session intended only for administrative users. The idea is that if someone is logged into the switch, the second login is reserved for users with administrative privileges.

DESCRIPTION:

The upgrade Marconi released did fix the problem with the underlying TCP stack. However, there is another, higher-layer bug that allows both telnet sessions to be locked, completely preventing standard telnet access to the switch. Unfortunately, the vulnerability is such that some port scans may trigger it unintentionally. Also, there is no way to clear the locked sessions, even from a console connection (security telnet kill 0, for example, has no effect). Rebooting the switch is the only known way to make those telnet sessions available again.

DETAILS:

Hardware tested: Marconi ASX-200, P5 CPU
Software version: ForeThought 71.1.0_1.83325.bin
Test software: nmap V. 2.53
Command issued: RPCgrind scan against telnet port (23)

Results:

security telnet show -> Will show the User ID as "Logging in..." along with the IP address that connected to the switch. The idle time will also stay at 0s forever, even though there is no underlying TCP connection state associated with this session.

WORKAROUND(s):

Marconi was notified at the end of July. Engineers have found the bug and will have a fixed version available shortly. In the meantime, telnet access to Marconi ASX switches should be allowed only from management networks.

The version of ForeThought tested has an IPFilter option which seems a viable workaround (security ipf). It appears to drop any packet destined for an internal IP on the switch that isn't sourced from a host or network listed in the IPF rules.

Christopher Kruslicky
--
Quidquid latine dictum sit, altum viditur.
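Added example (not part of the original advisory, and not Marconi code): one way to flag the locked-session symptom described under DETAILS from repeated polls of the telnet session table. It assumes the fields have already been extracted into records; the slot field, the polling times and the 120-second threshold are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass

STUCK_USER_ID = "Logging in..."  # User ID the advisory reports for a locked session

@dataclass(frozen=True)
class SessionSample:
    poll_time: int     # seconds since monitoring began (constructed)
    slot: int          # telnet session slot (hypothetical field name)
    user_id: str
    source_ip: str
    idle_seconds: int

def find_stuck_sessions(samples, min_duration=120):
    """Return {slot: source_ip} for slots that showed User ID "Logging in..."
    with idle time 0s from one source for at least min_duration seconds."""
    streak = {}  # slot -> (time the symptom was first seen, source_ip)
    stuck = {}
    for s in sorted(samples, key=lambda x: x.poll_time):
        if s.user_id != STUCK_USER_ID or s.idle_seconds != 0:
            # Login completed or the idle timer is moving: not the locked state.
            streak.pop(s.slot, None)
            stuck.pop(s.slot, None)
            continue
        start = streak.get(s.slot)
        if start is None or start[1] != s.source_ip:
            streak[s.slot] = (s.poll_time, s.source_ip)  # new streak begins
            stuck.pop(s.slot, None)
        elif s.poll_time - start[0] >= min_duration:
            stuck[s.slot] = s.source_ip
    return stuck

def telnet_locked_out(stuck, total_slots=2):
    """True when every telnet slot is stuck (the advisory describes two sessions)."""
    return len(stuck) >= total_slots

# Constructed samples: slot 0 never leaves the login state, slot 1 logs in normally.
SAMPLES = [
    SessionSample(0, 0, "Logging in...", "192.0.2.10", 0),
    SessionSample(60, 0, "Logging in...", "192.0.2.10", 0),
    SessionSample(120, 0, "Logging in...", "192.0.2.10", 0),
    SessionSample(0, 1, "Logging in...", "198.51.100.7", 0),
    SessionSample(60, 1, "admin", "198.51.100.7", 12),
    SessionSample(120, 1, "admin", "198.51.100.7", 72),
]

if __name__ == "__main__":
    stuck = find_stuck_sessions(SAMPLES)
    for slot, ip in stuck.items():
        print(f"slot {slot}: stuck in login state, source {ip}")
    print("telnet locked out:", telnet_locked_out(stuck))
```

Because the advisory says a locked session cannot be cleared short of a reboot, an alert on a single stuck slot gives warning before the second slot is lost.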