Vulnerability of buffer overflow on HTTP service
Allied Telesis K.K.
Release 2014.11.11
Updated 2015.01.22
Japanese Page (日本語ページ) >
Alliedware products listed below have HTTP vulnerability.
1) Summary
Optional code is executed on the product when malicious HTTP request packet is received.
2) Affected Products
Following products which are installed firmware version before 2.9.1-20.
2-1) Products sold on rest of world
Router
- AR440S
- AR441S
- AR442S
- AR745 (End of Sale)
- AR750S
- AR750S-DP
Switch
- AT-8624T/2M (End of Sale)
- AT-8648T/2SP (End of Sale)
- AT-8624POE (End of Sale)
- AT-8848 (End of Sale)
- AT-9924T (End of Sale)
- Rapier 48i (End of Sale)
2-2) Products sold on Rest of world and Japan.
Router
- CentreCOM AR415S
- CentreCOM AR450S (End of Support)
Switch
- CentreCOM 8700XL Series (End of Support)
- CentreCOM 9812T Series (End of Support)
- CentreCOM 9816GB Series (End of Support)
- CentreCOM 9924Ts Series (End of Support)
- CentreCOM 9924T/4SP Series (End of Support)
- CentreCOM 9924SP (End of Support)
- SwitchBlade4000
2-3) Products sold on Japan.
Router
- CentreCOM AR300 v2 (End of Support)
- CentreCOM AR300L v2 (End of Support)
- CentreCOM AR320 (End of Support)
- CentreCOM AR410(S) v2 (End of Support)
- CentreCOM AR720(S) (End of Support)
- CentreCOM AR740(S) (End of Support)
- CentreCOM AR550S
- CentreCOM AR560S
- CentreCOM AR570S
Switch
- CentreCOM 8700SL Series (End of Sale)
- CentreCOM 8724SLv2
- CentreCOM 8948XL Series (End of Sale)
3) Impact
Alliedware products have possibility of attacked by using this vulnerability
because HTTP service works on default setting on that products.
4) Workarounds
You can avoid this vulnerability by using below.
4-1) Update
This issue has fixed in version after 2.9.1-21.
(Some of products that are end of support aren't released above version.)
4-2) Disabling HTTP service
HTTP service can be disabled by executing following command.
"DISABLE HTTP SERVER"
4-3) Blocking HTTP access
HTTP access can be blocked by packet filter feature or firewall feature.
|