Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery
10 Jun. 2015
During a penetration test, RedTeam Pentesting discovered a vulnerability in the management web interface of an Alcatel-Lucent OmniSwitch 6450. The management web interface has no protection against cross-site request forgery attacks. This allows specially crafted web pages to change the switch configuration and create users, if an administrator accesses the website while being authenticated in the management web interface.
The information has been provided by RedTeam Pentesting GmbH. More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de
The management web interface of the OmniSwitch 6450 can be accessed using a web browser via HTTP. The web interface allows creating new user accounts, in this case an HTTP request like the following is sent to the
This request creates a user "attacker" with the password "secret". All other parameters are static. All POST parameters can be predicted by attackers. This means that requests of this form can be prepared by attackers and sent from any web page the user visits in the same browser. If the user is authenticated to the switch, a valid session cookie is included in the request automatically, and the action is performed.
In order to activate the new user for the web interface it is necessary to enable the respective access privileges in the user's profile. This can also be done via the web interface. Then the HTTP POST request looks like the
POST /sec/content/os6250_sec_asa_users_local_db_family_mod.html HTTP/1.1
Disable the web interface by executing the following commands:
no ip service http
no ip service secure-http
ip service http admin-state disable
If this is not possible, use a dedicated browser or browser profile for managing the switch via the web interface.
Upgrade the firmware to a fixed version, according to the vendor the fixed versions will be available at the end of July 2015.
If attackers trick a logged-in administrator to visit an attacker-controlled web page, the attacker can perform actions and reconfigure the switch. In
this situation an attacker can create an additional user account on the switch for future access. While a successful attack results in full access
to the switch, the attack is hard to exploit because attackers need to know the IP address of the switch and get an administrative user to access an
attacker-controlled web page. The vulnerability is therefore rated as a medium risk.
2015-03-16 Vulnerability identified
2015-03-25 Customer approves disclosure to vendor
2015-03-26 CVE number requested
2015-03-31 CVE number assigned
2015-04-01 Vendor notified
2015-04-02 Vendor acknowledged receipt of advisories
2015-04-08 Requested status update from vendor, vendor is investigating
2015-04-29 Requested status update from vendor, vendor is still
2015-05-22 Requested status update from vendor
2015-05-27 Vendor is working on the issue
2015-06-05 Vendor notified customers
2015-06-08 Vendor provided details about affected versions
2015-06-10 Advisory released