Alcatel leaves LAN switch software back door wide open

A security vulnerability in Alcatel SA’s OmniSwitch 7000 series LAN switches could lead to an attacker gaining full control over the switches, Alcatel warned.

Alcatel OmniSwitch 7700 and 7800 switches running the Alcatel Operating System (AOS) version 5.1.1 are affected, Alcatel said in a security advisory this week. The Computer Emergency Response Team/Coordination Center (CERT/CC) at Carnegie Mellon University in Pittsburgh issued a separate warning on Thursday.

In the vulnerable systems, a telnet server listens for connections on TCP (Transmission Control Protocol) port 6778 and accepts connections without requiring a password, creating a back door that provides full administrative control over the switch.

The telnet access was used for development of the product and Alcatel forgot to remove it “due to an oversight,” the company said. Alcatel informed CERT of the back door when it was discovered during a code audit, the Paris network equipment maker said.

Users of vulnerable switches should immediately create an ACL (access control list) blocking all access to port 6778 on the switch, Alcatel said. A patch to close the back door is also available. Furthermore, the vulnerability will be removed from AOS as of version 5.1.3, Alcatel said. AOS ships with each OmniSwitch.
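One way to check that the ACL is actually doing its job is to look through flow records for TCP sessions to port 6778 on the switches' management addresses. The following is an added example, not code from Alcatel or CERT/CC. The six-field record layout, the state labels, the addresses and the function name are assumptions constructed for illustration.

```python
import csv
import ipaddress

BACKDOOR_PORT = 6778  # TCP port named in the advisory

# Constructed sample flow records (not real traffic), assumed layout:
# time, source, destination, protocol, destination port, session state
SAMPLE_FLOWS = """\
2002-11-22T09:14:02,10.20.5.17,10.0.0.2,tcp,6778,ESTABLISHED
2002-11-22T09:15:40,10.20.5.17,10.0.0.3,tcp,6778,SYN_ONLY
2002-11-22T09:16:11,10.20.8.4,10.0.0.2,tcp,23,ESTABLISHED
2002-11-22T09:17:30,10.20.9.9,10.30.1.5,tcp,6778,ESTABLISHED
2002-11-22T09:18:05,10.20.5.17,10.0.0.2,udp,6778,NONE
"""


def find_backdoor_flows(flow_text, switch_networks):
    """Return (time, src, dst, verdict) for TCP/6778 flows aimed at switches.

    ACL_MISSING        - a session was established, so nothing blocked it
    ATTEMPT_NO_SESSION - someone tried the port but no session completed
    """
    nets = [ipaddress.ip_network(n) for n in switch_networks]
    findings = []
    for row in csv.reader(flow_text.splitlines()):
        if len(row) != 6:
            continue  # skip malformed records
        ts, src, dst, proto, dport, state = (f.strip() for f in row)
        if proto.lower() != "tcp" or not dport.isdigit():
            continue
        if int(dport) != BACKDOOR_PORT:
            continue
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # unparseable destination address
        if not any(dst_ip in n for n in nets):
            continue  # destination is not a switch management address
        verdict = "ACL_MISSING" if state == "ESTABLISHED" else "ATTEMPT_NO_SESSION"
        findings.append((ts, src, dst, verdict))
    return findings


if __name__ == "__main__":
    # 10.0.0.0/24 is the assumed switch management subnet.
    for finding in find_backdoor_flows(SAMPLE_FLOWS, ["10.0.0.0/24"]):
        print(*finding)
```

An `ACL_MISSING` result means the switch at that address still accepts connections on the port; an `ATTEMPT_NO_SESSION` result is worth following up on the source host even though no session completed.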

The scope of the vulnerability is limited because the OmniSwitch 7000 series is meant for use in enterprise networks, not in public networks, Alcatel spokesperson Klaus Wustrack said Friday. That means that companies could face attacks from the inside only and that public networks are not at risk.

“These switches are normally used within a private enterprise network. They are not public switching products. Any enterprise should protect their private network through a firewall,” Wustrack said.

The CERT/CC advisory on this issue can be found at: www.cert.org/advisories/CA-2002-32.html.
