US-CERT Vulnerability Notes Database

Vulnerability Note VU#760432

Cisco Transaction Language 1 (TL1) interface fails to properly validate accounts with blank passwords

Overview

There is a vulnerability in the Cisco Transaction Language 1 (TL1) login interface that could allow a remote attacker to gain access to a Cisco ONS device.

I. Description

Transaction Language 1 (TL1) is a widely used telecommunications management protocol. A default account, CISCO15, contains a blank password, which is to be changed during the install process. There is a vulnerability in the way the TL1 login interface processes long passwords that could permit an attacker to access the Cisco ONS device for accounts that have a blank password. A remote attacker could successfully authenticate to such an account using any password longer than ten characters. The CISCO15 account has super-user privileges.

Note: This issue does not affect the CTC login interface.

Vulnerable:

  • Cisco ONS 15327 Edge Optical Transport Platform releases 4.6(0) and 4.6(1)
  • Cisco ONS 15454 Optical Transport Platform releases 4.6(0) and 4.6(1)
  • Cisco ONS 15454 SDH Multiplexer Platform releases 4.6(0) and 4.6(1)

Not Vulnerable:

  • Cisco ONS 15600 Multiservice Switching Platform
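
The following is an added example, not code from US-CERT or Cisco: a small detector that pairs TL1 ACT-USER login commands with their responses in a captured management session and flags successful logins matching the conditions described above (a blank password, or a password longer than ten characters on the default CISCO15 account). The session capture is constructed, and it is an assumption that TL1 sessions are available to a sensor as cleartext lines.

```python
import re

# Standard TL1 login command: ACT-USER:[TID]:UID:CTAG::PID;
ACT_USER = re.compile(r"^ACT-USER:[^:]*:(?P<uid>[^:]*):(?P<ctag>[^:]*)::(?P<pid>[^;]*);", re.I)
# TL1 response identification line: "M  <ctag> COMPLD" or "M  <ctag> DENY"
RESPONSE = re.compile(r"^M\s+(?P<ctag>\S+)\s+(?P<code>COMPLD|DENY)\b")
MAX_SAFE_LEN = 10  # the note: any password longer than ten characters is accepted

# Constructed TL1 session capture (not from a real device).
SAMPLE = """\
ACT-USER:NODE1:CISCO15:101::;
   NODE1 04-07-21 10:00:00
M  101 COMPLD
;
ACT-USER:NODE1:CISCO15:102::xxxxxxxxxxxx;
   NODE1 04-07-21 10:02:10
M  102 COMPLD
;
ACT-USER:NODE1:OPER1:103::xxxxxxxxxxxxxx;
   NODE1 04-07-21 10:05:42
M  103 COMPLD
;
ACT-USER:NODE1:CISCO15:104::xxxxx;
   NODE1 04-07-21 10:07:03
M  104 DENY
;
"""

def flag_logins(lines, default_accounts=("CISCO15",)):
    """Return (uid, ctag, reason) for successful logins that need review."""
    pending, findings = {}, []   # pending: ctag -> (uid, password length only)
    for raw in lines:
        line = raw.strip()
        cmd = ACT_USER.match(line)
        if cmd:
            pending[cmd["ctag"]] = (cmd["uid"].upper(), len(cmd["pid"]))
            continue
        rsp = RESPONSE.match(line)
        if not rsp or rsp["ctag"] not in pending:
            continue
        uid, pid_len = pending.pop(rsp["ctag"])
        if rsp["code"] != "COMPLD":
            continue
        if pid_len == 0:
            findings.append((uid, rsp["ctag"], "blank password still set"))
        elif uid in default_accounts and pid_len > MAX_SAFE_LEN:
            findings.append((uid, rsp["ctag"], "long password accepted on default account"))
    return findings
```

A "long password accepted" hit is a triage signal only, since an administrator may legitimately have set a long password; confirm it against the device's release and account configuration.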

II. Impact

A remote attacker could gain access to an account with a blank password set.

III. Solution

Upgrade

Please refer to the "Software Versions and Fixes" section of the Cisco Advisory for more information on upgrading.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Cisco Systems Inc. | Vulnerable | 27-Jul-2004

References


http://www.cisco.com/warp/public/707/cisco-sa-20040721-ons.shtml
http://www.cisco.com/en/US/products/hw/optical/
http://www.tl1.com/library/TL1/TL1_Protocol/
http://www.cisco.com/en/US/products/hw/optical/ps2006/products_installation_and_configuration_guide_chapter09186a00800917bc.html
http://secunia.com/advisories/12117/
http://www.securitytracker.com/alerts/2004/Jul/1010748.html

Credit

This vulnerability was reported by the Cisco Systems Product Security Incident Response Team (PSIRT).

This document was written by Damon Morda based on information provided by Cisco.

Other Information

Date Public: 2004-07-21
Date First Published: 2004-07-27
Date Last Updated: 2004-08-05
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 7.09
Document Revision: 21

Copyright 2004 Carnegie Mellon University