exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Alcatel-Lucent OmniSwitch Web Interface Weak Session ID

Alcatel-Lucent OmniSwitch Web Interface Weak Session ID
Posted Jun 10, 2015
Site redteam-pentesting.de

During a penetration test, RedTeam Pentesting discovered a vulnerability in the management web interface of an Alcatel-Lucent OmniSwitch 6450. This interface uses easily guessable session IDs, which allows attackers to authenticate as a currently logged-in user and perform administrative tasks.

tags | exploit, web
advisories | CVE-2015-2804
SHA-256 | 81e6be2bf4112b23f31a9a4eb65f9147c563e93f5117e6190c5f3a95354f3823

Alcatel-Lucent OmniSwitch Web Interface Weak Session ID

Change Mirror Download
Advisory: Alcatel-Lucent OmniSwitch Web Interface Weak Session ID

During a penetration test, RedTeam Pentesting discovered a vulnerability
in the management web interface of an Alcatel-Lucent OmniSwitch 6450.
This interface uses easily guessable session IDs, which allows attackers
to authenticate as a currently logged-in user and perform administrative
tasks.


Details
=======

Product: Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855
Affected Versions:
AOS 6.4.5.R02
AOS 6.4.6.R01
AOS 6.6.4.R01
AOS 6.6.5.R02
Fixed Versions:
AOS 6.6.5.80.R02
AOS 6.6.4.309.R01
Vulnerability Type: Session Management - low identifier entropy
Security Risk: high
Vendor URL: http://enterprise.alcatel-lucent.com/?product=OmniSwitch6450&page=overview
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-003
Advisory Status: published
CVE: CVE-2015-2804
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2804


Introduction
============

"The Alcatel-Lucent OmniSwitch 6450 Gigabit and Fast Ethernet Stackable LAN
Switches are the latest value stackable switches in the OmniSwitch family of
products. The OmniSwitch 6450 was specifically built for versatility offering
optional upgrade paths for 10 Gigabit stacking, 10 Gigabit Ethernet uplinks,
from Fast to Gigabit user ports (L models) and Metro Ethernet services."

(from the vendor's homepage)


More Details
============

The management web interface of the OmniSwitch 6450 can be accessed using a web
browser via HTTP. A switch with the example IP 192.0.2.1 is accessible via
the following URL:

http://192.0.2.1/

A client is then redirected to the following URL:

http://192.0.2.1/web/content/index.html

For unauthenticated users the URL displays a login form and sets a session
cookie with a session ID. A request to the URL with the command line HTTP
client cURL shows the Set-Cookie header:

$ curl -I http://192.0.2.1/web/content/index.html
HTTP/1.1 200 OK
Date: Tue, 17 Mar 2015 08:25:42 GMT
Server: Agranat-EmWeb/R5_2_4
[...]
Set-Cookie: session=sess_11012;PATH=/

The session cookie has the name "session" and its value begins with the
string "sess_". By repeatedly requesting the URL with cURL it became obvious
that the suffix is always a number between 1 and 32,000. This suggests that
there are only about 32,000 possible session IDs, resulting in only 15 bits
of entropy. Our tests showed that it was possible to get a throughput of about
50 HTTP requests per second, this means that in order to try every possible
session ID an attacker will need at most 11 minutes. On average, the time it
takes to find a valid session ID for an active user is even lower.


Proof of Concept
================

For an attacker it is very easy to distinguish between a valid and an invalid
session ID by looking at the HTTP response size. During our tests, requesting
an invalid session ID always returned the login form, which was 3027 bytes
in length. With a valid session ID, the management web interface is
returned by the webserver and the response is larger.

A number of requests in the range of the possible session cookies can be easily
executed using wfuzz [0]:

------------------------------------------------------------------------
./wfuzz.py -z range,1-32000 --hl 3027 -H "Cookie: session=sess_FUZZ" http://192.0.2.1/web/content/index.html
------------------------------------------------------------------------


Workaround
==========

Administrators should avoid using the management web interface and use the
serial console or administrate the switch over SSH instead. The web interface
can be disabled by executing the following commands:

no ip service http
no ip service secure-http

If the web interface is needed, it must be ensured that only authorised persons
are able to even connect to the web server. In addition, the HTTP session
timeout can be lowered to one minute with the following command:

session timeout http 1


Fix
===

Upgrade the firmware to a fixed version.


Security Risk
=============

The vulnerability poses a high risk. An attacker can easily authenticate to a
switch with the privileges of another user who is currently logged in. The
attack is simple and fast. The only precondition is that a user is already
using the switch during the attack. Attackers might actively trick
administrators into logging in by social engineering.


Timeline
========

2015-03-16 Vulnerability identified
2015-03-25 Customer approves disclosure to vendor
2015-03-26 CVE number requested
2015-03-31 CVE number assigned
2015-04-01 Vendor notified
2015-04-02 Vendor acknowledged receipt of advisories
2015-04-08 Requested status update from vendor, vendor is investigating
2015-04-29 Requested status update from vendor, vendor is still investigating
2015-05-22 Requested status update from vendor
2015-05-27 Vendor is working on the issue
2015-06-05 Vendor notified customers
2015-06-08 Vendor provided details about affected versions
2015-06-10 Advisory released


References
==========

[0] https://github.com/xmendez/wfuzz


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close