allied-flaw.txt
Posted Dec 21, 2006
Authored by Pasi Sjoholm

The Allied Telesis AT-9000/24 ethernet switch management has a flaw where it can be accessed from all VLANs.

tags | advisory
SHA-256 | 3791ed7cbd38a884cf82aac7b846aed79ba2a5ea4354ec2a8ecfd524a961988b

1. Overview

The AT-9000/24 Ethernet switch's management can be accessed
from any VLAN that has been configured on the switch.

Normally, remote management (SNMP, telnet, HTTP) should be
available only from the management VLAN. On the AT-9000/24
the management VLAN cannot be chosen: the only option is
the "Default VLAN" (ID 1).

From User's guide, page 200:
--cut--
The remote management station must be a member of the switch's
Default VLAN. The switch responds and processes management
packets only if they are received on an untagged port of the Default
VLAN.
--cut--

However, when the switch is configured with more VLANs than
just the "Default VLAN", the management is also available from
all of these VLANs.

This means that the management of the switch is exposed
to cracking attempts. The cracker only has to learn the
subnet (IP address) on which the switch management
responds and, of course, the passwords to access the
management.

For example:

a) The SNMP agent has been enabled (it is not enabled by default)
with the default community passwords on the AT-9000/24 switch.
Port settings can easily be reset after this,
e.g. to mirror all the "development-VLAN" packets to a port
in a "DMZ-vlan" that contains a compromised server.
The packets can be captured for later analysis.

b) The default admin account "manager" is left with its default
password because the admin trusts that the switch only handles
the packets from the "Default VLAN". An unauthorized person
marks the port through which he is communicating as a tagged
port of another VLAN. Now the unauthorized person has
access to another VLAN.

2. Affected Versions

The current "AT-9000/24 Management System Version 1.1.0.06" and prior
are affected.

3. Solution

Software upgrade:
Allied Telesis is working on a fix for this bug. However, the release
date is unknown.

Workaround:
Unset the IP address of the switch and use only local management
through a serial cable.
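
A check for the exposure described in the Overview, also usable to confirm the workaround; it is an added example, not part of the original advisory. Run from a host in each configured VLAN, it flags any TCP management service (telnet, HTTP) that answers outside the Default VLAN (ID 1). The port numbers 23 and 80, the function names and the command-line arguments are assumptions; SNMP (UDP) is not probed.

```python
import socket
import sys

MGMT_VLAN_ID = 1  # the "Default VLAN", the only management VLAN per the advisory
# Assumed default ports for the TCP management services the advisory names.
MGMT_TCP_PORTS = {"telnet": 23, "http": 80}


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP handshake with host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit_vantage(vlan_id, switch_ip, ports=None, probe=tcp_reachable):
    """Probe each management port from the VLAN this host sits in.

    A service that answers while vlan_id is not the management VLAN is
    the exposure the advisory describes.
    """
    ports = MGMT_TCP_PORTS if ports is None else ports
    findings = []
    for service, port in sorted(ports.items()):
        reachable = probe(switch_ip, port)
        findings.append({
            "vlan": vlan_id,
            "service": service,
            "port": port,
            "reachable": reachable,
            "violation": reachable and vlan_id != MGMT_VLAN_ID,
        })
    return findings


def violations(findings):
    """Keep only the services reachable from a non-management VLAN."""
    return [f for f in findings if f["violation"]]


if __name__ == "__main__":
    # usage: check_mgmt.py <vlan-id-of-this-host> <switch-management-ip>
    results = audit_vantage(int(sys.argv[1]), sys.argv[2])
    for f in results:
        state = "EXPOSED" if f["violation"] else ("open" if f["reachable"] else "closed")
        print(f"VLAN {f['vlan']}: {f['service']}/{f['port']} {state}")
    sys.exit(1 if violations(results) else 0)
```

The script exits non-zero when a management service is reachable from a VLAN other than ID 1, so it can be scheduled on a host in each user VLAN.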

4. Timeline

The vulnerability was first discovered on 12th December 2006, and was
reported to Allied Telesis support on the same day.

The Allied Telesis development center confirmed the bug on
14th December 2006.

5. References

AT-S84 User's guide
http://www.alliedtelesyn.com/datasheets/s84_ug_a_v11.pdf

AT-9000/24 Homepage
http://www.alliedtelesyn.com/products/details.aspx?604

--
Pasi Sjöholm