Vulnerability Summary

Vulnerability ID: VU#181721
Affected Product: Alcatel OmniSwitch 7700/7800 with AOS version 5.1.1
Release Date: 2002-11-20
Last Revised: 2002-11-21

Overview

The OmniSwitch 7700/7800 running AOS 5.1.1 has a telnet server on TCP port 6778 that does not require a password, allowing unauthorized access to the VxWorks operating system.

Description

A telnet server on port 6778 was left accessible without a password in the AOS 5.1.1 code. This port gives direct access to the underlying VxWorks operating system.

Impact

An attacker can telnet to port 6778 and access the operating system without a password, compromising the entire system.

Solution

1. Immediate: Block all access to TCP port 6778 using an ACL.
2. Short-term: Use updated AOS code (AOS 5.1.1.R02, AOS 5.1.1.R03) from Alcatel Customer Support, which removes the backdoor.
3. Permanent: Use AOS 5.1.3 or later, which has the vulnerability fixed in the general codebase.

CVSS Metrics

Base Score: Not specified in screenshot
Temporal Score: Not specified in screenshot
Environmental Score: Not specified in screenshot

References

http://www.alcatel.com/support
http://www.ind.alcatel.com/nextgen/OmniSwitch_7000_brief.pdf
http://www.ind.alcatel.com/specs/index.cfm?cnt=7000

Additional Information

CVE ID: CVE-2002-1272
CERT Advisory: CA-2002-32
Severity Metric: 49.50
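
An added example, not part of the advisory and not Alcatel tooling: a small audit that sorts a switch inventory into the Solution tiers above and records whether TCP port 6778 still answers from the audit host. The version-string shape, the function names, the action wording and the sample inventory are assumptions made for this example.

```python
import re
import socket

BACKDOOR_PORT = 6778  # TCP port named in the advisory
# Assumed version-string shape: "5.1.1", "5.1.1.R02", "AOS 5.1.3.R01"
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.R(\d+))?")
# (port reachable, build fixed) -> suggested action; wording is this example's own
ACTIONS = {
    (True, False): "block TCP 6778 with an ACL, then move to fixed AOS code",
    (True, True): "verify the running build: TCP 6778 should not answer",
    (False, False): "ACL holds from this host; schedule the AOS upgrade",
    (False, True): "none",
}

def classify_aos(version):
    """Map an AOS version string onto the advisory's remediation tiers."""
    m = _VERSION.search(version)
    if not m:
        return "unknown"
    base = tuple(int(g) for g in m.group(1, 2, 3))
    build = int(m.group(4)) if m.group(4) else None
    if base >= (5, 1, 3):
        return "fixed"      # permanent fix: AOS 5.1.3 or later
    if base == (5, 1, 1):
        # Only R02/R03 are listed as updated code; other 5.1.1 builds count as affected.
        return "fixed" if build in (2, 3) else "affected"
    return "unknown"        # the advisory says nothing about this release

def port_open(host, port=BACKDOOR_PORT, timeout=3.0):
    """True if a TCP connect from this host succeeds (the ACL is not blocking us)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(inventory, probe=port_open):
    """Return (host, status, reachable, action) per (host, version) pair."""
    rows = []
    for host, version in inventory:
        status, up = classify_aos(version), bool(probe(host))
        rows.append((host, status, up, ACTIONS[up, status == "fixed"]))
    return rows

if __name__ == "__main__":
    # Constructed inventory and probe results so the demo runs offline.
    demo = [("192.0.2.10", "5.1.1"), ("192.0.2.11", "AOS 5.1.3.R01")]
    for row in audit(demo, probe=lambda h: h == "192.0.2.10"):
        print(row)
```

Calling `audit(inventory)` without the `probe` argument performs real TCP connects, so the reachability result reflects only the network path from the host running the audit.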