mailing list archives
Re: Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches
From: Mike Scher <mscher () neohapsis com>
Date: Wed, 16 Oct 2002 18:20:36 -0500 (CDT)
In response to tbe below, we examined this issue on a Cajun P550 (not
550R) with software version 4.3.5.
1) The accounts (manuf and diag) are clearly present in the config and
easily seen with 'show running-conf' or 'show startup-conf'
2) They are system accounts and cannot be deleted
3) They have by default the passwords indicated by Mr. Lipkowski
4) They CAN have their passwords changed by the 'root user' and the
changes save sucessfully across reloads.
We'd ask that others verify (for other software/hardware combinations)
whether they can change the account passwords ( 'username manuf password
foo' ), and save them ( 'copy running-config startup-config' ), reload,
and check whether the passwords changes have saved.
As an aside:
While testing, we noticed that accounts with the same password show the
same saved hash, indicating that only one salt is in use. That may be a
legacy item on the P550, which is discontinued and stuck at 4.3.5 version
We'd ask others to check whether this (minor, but nevertheless real) issue
is present in newer revisions as well.
Michael Scher | Director, Neohapsis Labs
mscher () neohapsis com | General Counsel
On Tue, 15 Oct 2002, Jacek Lipkowski wrote:
Undocumented account vulnerability in Avaya P550R/P580/P880/P882 switches
1. Problem Description
Two undocummented accounts with default passwords allow access via telnet
and the web interface to Cajun P550R/P580/P880/P882 switches. Both
accounts give developer access to the switch. The vulnerability can be
avioded by upgrading to software version 5.3.0 or later and disabling the
2. Tested systems
The following versions were tested and found vulnerable:
Avaya Cajun P580 software version 5.2.14
All previous software versions are assumed to be vulnerable. This
problem is present in P550R,P580,P880 and P882.
The vulnerable firmware installs the following strings into the switch
configuration by default:
username "root" password encrypted-type1 "$tSfIcnbTP.pxRf7BrhGW31"
username "diag" password encrypted-type1 "$PQO.vGxkvDHkEDCJ2YsoD1"
username "manuf" password encrypted-type1 "$seHFLP9b16m2v/534WCk90"
The only documented password is for the root user. This user can't
change the diag and manuf accounts.
The un-documented passwords are:
Both of these accounts give developer access to the switch (read-write
access-type), which is more priviliged than normal administrative access
As always it is good administrative practice to block access to
administrative interfaces (telnet, web) at the firewall. Upgrading to
software version 5.3.0 or later and disabling the accounts resolves ths
As a temporary workaround download the configuration file via tftp, edit
out these accounts, or change their password hashes, and upload it to the
5. Vendor status
AVAYA was informed on 2 Oct 2002. The vendor responded the same day, proved
responsive and worked promptly on the problem. I have agreed to release the
information after the release of the official AVAYA advisory. The official
Avaya advisory was out on 11 Oct 2002. The fixed software is avaliable from the
Avaya support site http://support.avaya.com.
Official AVAYA security advisories are located at
Neither I nor my employer is responsible for the use or misuse of
information in this advisory. The opinions expressed are my own and not
of any company. Any use of the information is at the user's own risk.
Jacek Lipkowski sq5bpf () andra com pl
Andra Co. Ltd.
ul Wynalazek 6
02-677 Warsaw, Poland