It has been revealed that any network device running Alcatel Operating System (AOS) version 5.1.1 actually has a whopping back door in it. A telnet server was found running on certain switches and network devices. When this telnet server is accessed, the device does not request authentication of any kind.
"An attacker can gain full access to any device running AOS version 5.1.1, which can result in, but is not limited to, unauthorized access, unauthorized monitoring, information leakage, or denial of service," CERT said in its advisory.
The telnet server was put there for testing purposes when the operating system was still being developed and it is unclear why it was not removed.
"Due to an oversight, this access was not removed prior to product release," CERT said.
A particularly damaging aspect of this vulnerability is the ease with which it can be exploited. The test code was designed to allow engineers to easily access the device. No special software tools or superior knowledge of computer security or networks is required to successfully hack into a device running AOS.
Concerned administrators can upgrade to a newer version of AOS.
CERT has rated this back door as serious.











