Avaya Security Advisory: Unauthorized SNMP Access possible to P330, P130,
and M770-ATM Cajun family
Advisory Original Release Date: July 8, 2002
Last Revised: July 22, 2002
Advisory Version: 1.1
Advisory Status: Final
Overview:
Avaya MSNI technical support has recently confirmed a previously unconfirmed
security issue that could permit SNMP access to Avaya P330, P130 and M770-ATM
Cajun family products within a LAN system. This security issue is contained
within the LAN environment and is not likely to be exploited via Internet
access within appropriately designed, secured network environments.

The identified LAN-based security issue is inherent in previously released
software versions of the Avaya P330, P130 and M770-ATM switch products
("Affected Products").

As a point of attack on network equipment, the security issue is relatively
obscure, and there have been no reports of intrusion resulting from it;
however, Avaya recommends a fix for all customers who are concerned about
security risks for their networks.
Impact:
Exploitation of this security issue enables unauthorized administrative access
to the device. It is expected that firewalls should generally prevent access at
the network perimeter from untrusted sources, particularly SNMP communication,
thereby already minimizing the potential impact.
Recommended Actions:
Upgrade the Affected Products with the provided updates listed in the
following table:

List of Avaya products affected:

| Product | Version | Info/Status |
|---|---|---|
| P130 | All | Fix is now available in release 2.9.2 at: Click Here. |
| P330 Ethernet Switches (including P33xT, P333R, P333R-LB, and P33x-ML) | All | Fix is now available in release 3.11 at: Click Here |
| M770-ATM | All | Fix is now available in release 2.3.12 at: Click Here |
| M770 Supervisor (M-SPX, M-SPS) | All | Fix is now available in release 3.3.1 at: Click Here |

Acknowledgement:
Avaya would like to thank Jacek Lipkowski <sq5bpf@andra.com.pl> from
ANDRA Co. Ltd. for discovering this security issue and working with Avaya to
resolve it, including testing a fixed version.
Additional Information:
Additional information may be available via the Avaya support website (http://support.avaya.com)
and your Avaya account representative.
Disclaimer:
ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS
OFFERED "AS IS". AVAYA
INC. IS PROVIDING THE INFORMATION CONTAINED IN THIS ADVISORY AS A HELPFUL TOOL
TO CUSTOMERS. AVAYA INC. DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA INC.
MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE
ALL SECURITY THREATS TO THEIR SYSTEMS. IN NO EVENT SHALL AVAYA INC. BE LIABLE FOR ANY DAMAGES WHATSOEVER
ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR FIXES, INCLUDING DIRECT,
INDIRECT, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
AVAYA INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Revision History:
V 1.0 - July 8, 2002 - Initial statement issued.
V 1.1 - July 22, 2002 - Corrected wording on P130 status, from version 2.3.9 to the correct software version 2.9.2; updated the four links in the status section to locations on support.avaya.com.
See http://support.avaya.com/security
for the latest status of this advisory.
Send information regarding any discovered security problems with Avaya
products to either the contact noted in the product’s documentation or securityalerts@avaya.com.
© 2002 Avaya Inc. All Rights Reserved.