Undocumented Account Vulnerability in Avaya P550/P550R/P580/P880/P882 Switches
17 Oct. 2002
Summary
Two undocumented accounts with default passwords allow access via telnet and the web interface to Cajun P550R/P580/P880/P882 switches. Both accounts give developer access to the switch. The vulnerability can be avoided by upgrading to software version 5.3.0 or later and disabling the accounts.
Credit:
The information has been provided by Jacek Lipkowski.
The only documented password is for the root user. This user cannot change the diag and manuf accounts.
The undocumented accounts and their default passwords are:

user     password
----     --------
diag     danger
manuf    xxyyzz
Both of these accounts give developer access to the switch (read-write access-type), which is more privileged than normal administrative access (admin access-type).
Recommendations:
As always, it is good administrative practice to block access to administrative interfaces (telnet, web) at the firewall. Upgrading to software version 5.3.0 or later and then disabling the accounts resolves this issue.
As a temporary workaround, download the configuration file via TFTP, edit out these accounts or change their password hashes, and upload the edited file back to the switch.
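As an added example (not part of this advisory and not Avaya's own tooling), the following script audits a configuration dump downloaded from the switch: it flags the two undocumented accounts if they are still present, flags any other account with the more privileged read-write access-type, and reports whether the running software version is below 5.3.0. The "user ... password ... access-type ..." line format it parses and the sample config are assumptions constructed for the example, not the real Cajun syntax.

```python
import re

# Accounts named in the advisory that should not remain on the switch.
UNDOCUMENTED_ACCOUNTS = {"diag", "manuf"}
FIXED_VERSION = (5, 3, 0)  # first release in which the accounts can be disabled

# ASSUMED line format for the TFTP-downloaded config dump (not real Cajun syntax):
#   user <name> password <hash> access-type <admin|read-write|...>
USER_LINE = re.compile(
    r"^\s*user\s+(?P<name>\S+)\s+password\s+(?P<hash>\S+)\s+access-type\s+(?P<type>\S+)",
    re.IGNORECASE,
)


def parse_version(text):
    """Turn a dotted version string such as '5.2.14' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def is_fixed_release(version):
    """True when the software is 5.3.0 or later, i.e. the accounts can be disabled."""
    return parse_version(version) >= FIXED_VERSION


def audit_config(config_text, software_version):
    """Return a list of human-readable findings for one switch config dump."""
    findings = []
    if not is_fixed_release(software_version):
        findings.append(f"software {software_version} predates 5.3.0; upgrade before disabling accounts")
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = USER_LINE.match(line)
        if not match:
            continue
        name, access = match["name"].lower(), match["type"].lower()
        if name in UNDOCUMENTED_ACCOUNTS:
            findings.append(f"line {lineno}: undocumented account '{name}' still present")
        elif access == "read-write":
            findings.append(f"line {lineno}: account '{name}' has developer (read-write) access")
    return findings


# Constructed sample config in the assumed format above; hashes are placeholders.
SAMPLE_CONFIG = """\
hostname core-sw1
user root password $1$placeholder1 access-type admin
user diag password $1$placeholder2 access-type read-write
user netops password $1$placeholder3 access-type admin
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, "5.2.14"):
        print(finding)
```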
Vendor status:
AVAYA was informed on 2 Oct 2002. The vendor responded the same day, proved responsive and worked promptly on the problem. Jacek agreed to release the information after the release of the official AVAYA advisory. The official Avaya advisory was published on 11 Oct 2002. The fixed software is available from the Avaya support site http://support.avaya.com.