1. Overview

The management interface of the AT-9000/24 Ethernet switch can be reached from any VLAN the switch has been configured to carry. Normally remote management (SNMP, telnet, HTTP) should be available only from the management VLAN, and on the AT-9000/24 this cannot be chosen: the only option for the management VLAN is the "Default VLAN" (ID 1).

From the User's guide, page 200:

--cut--
The remote management station must be a member of the switch's Default VLAN. The switch responds and processes management packets only if they are received on an untagged port of the Default VLAN.
--cut--

However, when the switch is configured with more VLANs than just the "Default VLAN", management is also available from all of these VLANs. This means that the management of the switch is exposed to cracking attempts. The cracker only has to find out in which subnet (IP address) the switch management responds, and of course the passwords needed to access the management.

For example:

a) The SNMP agent has been enabled (it is not enabled by default) with the default community passwords in the AT-9000/24 switch. Port settings can then easily be changed, e.g. mirroring all the "development-VLAN" packets to a port in a "DMZ-VLAN" that contains a compromised server. The packets can be captured for later analysis.

b) The default password of the admin account "manager" is left unchanged because the administrator trusts that the switch only handles management packets from the "Default VLAN". An unauthorized person marks the port through which he communicates as a tagged port of another VLAN. Now the unauthorized person has access to that other VLAN.

2. Affected Versions

The current "AT-9000/24 Management System Version 1.1.0.06" and prior are affected.

3. Solution

Software upgrade: Allied Telesis is working on a fix for this bug. However, the release date is unknown.

Workaround: Unset the IP address of the switch and use only local management through the serial cable.

4. Timeline

The vulnerability was first discovered on 12th December 2006 and was reported to Allied Telesis support on the same day. The Allied Telesis development center confirmed the bug on 14th December 2006.

5. References

AT-S84 User's guide
http://www.alliedtelesyn.com/datasheets/s84_ug_a_v11.pdf

AT-9000/24 Homepage
http://www.alliedtelesyn.com/products/details.aspx?604

--
Pasi Sjöholm
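Added here as a defender's check for the Overview above (example code, not part of the original advisory): given records from a tap or collector beside the switch that keep the 802.1Q tag of each frame, flag management traffic to the switch's address that did not arrive on the Default VLAN. The record format, the switch address 10.0.1.2 and the sample records are constructed assumptions; the second record shows a source that has given itself an address in the management subnet but sits on VLAN 20, the path the Overview describes.

```python
import re

MANAGEMENT_VLAN = 1            # the switch's Default VLAN, per the advisory
MGMT_PORTS = {23: "telnet", 80: "http", 161: "snmp"}

# Constructed records (assumption): a tap/collector that reports the 802.1Q
# tag of each frame as "vlan=<id> <src_ip> -> <dst_ip>:<dst_port>/<proto>";
# untagged frames on the Default VLAN are reported as vlan=1.
SAMPLE_RECORDS = """\
vlan=1 10.0.1.15 -> 10.0.1.2:23/tcp
vlan=20 10.0.1.77 -> 10.0.1.2:161/udp
vlan=30 10.0.30.9 -> 10.0.1.2:80/tcp
vlan=20 10.0.20.7 -> 10.0.20.50:80/tcp
"""

RECORD_RE = re.compile(r"^vlan=(\d+) (\S+) -> (\S+):(\d+)/(tcp|udp)$")


def parse_record(line):
    """Parse one record into (vlan, src, dst, port, proto); None if malformed."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3), int(m.group(4)), m.group(5)


def off_vlan_management(records, switch_ip):
    """Return (vlan, src_ip, service) for each management packet addressed to
    the switch that did not arrive on the management VLAN.  The source IP is
    deliberately not used to decide: a host on another VLAN can give itself
    an address in the management subnet, so only the VLAN tag is trusted."""
    findings = []
    for line in records.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        vlan, src, dst, port, _proto = rec
        if dst != switch_ip or port not in MGMT_PORTS:
            continue          # not management traffic to this switch
        if vlan == MANAGEMENT_VLAN:
            continue          # expected path: Default VLAN
        findings.append((vlan, src, MGMT_PORTS[port]))
    return findings


if __name__ == "__main__":
    for vlan, src, svc in off_vlan_management(SAMPLE_RECORDS, "10.0.1.2"):
        print(f"ALERT: {svc} to switch from {src} arrived on VLAN {vlan}")
```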