Vulnerability of buffer overflow on HTTP service
Allied Telesis K.K.
Release: November 11, 2014
Updated: January 22, 2015
The Alliedware products listed below have an HTTP vulnerability.

1) Summary

Arbitrary code can be executed on the product when a malicious HTTP request packet is received.

2) Affected Products

The following products running firmware versions earlier than 2.9.1-20.

2-1) Products sold in the rest of the world

Router
- AR440S
- AR441S
- AR442S
- AR745 (End of Sale)
- AR750S
- AR750S-DP

Switch
- AT-8624T/2M (End of Sale)
- AT-8648T/2SP (End of Sale)
- AT-8624POE (End of Sale)
- AT-8848 (End of Sale)
- AT-9924T (End of Sale)
- Rapier 48i (End of Sale)

2-2) Products sold in the rest of the world and in Japan

Router
- CentreCOM AR415S
- CentreCOM AR450S (End of Support)

Switch
- CentreCOM 8700XL Series (End of Support)
- CentreCOM 9812T Series (End of Support)
- CentreCOM 9816GB Series (End of Support)
- CentreCOM 9924Ts Series (End of Support)
- CentreCOM 9924T/4SP Series (End of Support)
- CentreCOM 9924SP (End of Support)
- SwitchBlade4000

2-3) Products sold in Japan

Router
- CentreCOM AR300 v2 (End of Support)
- CentreCOM AR300L v2 (End of Support)
- CentreCOM AR320 (End of Support)
- CentreCOM AR410(S) v2 (End of Support)
- CentreCOM AR720(S) (End of Support)
- CentreCOM AR740(S) (End of Support)
- CentreCOM AR550S
- CentreCOM AR560S
- CentreCOM AR570S

Switch
- CentreCOM 8700SL Series (End of Sale)
- CentreCOM 8724SLv2
- CentreCOM 8948XL Series (End of Sale)

3) Impact

Alliedware products can be attacked through this vulnerability because the HTTP service is enabled in the default configuration of these products.

4) Workarounds

You can avoid this vulnerability by using one of the measures below.

4-1) Update

This issue has been fixed in versions after 2.9.1-21. (For some products that are end of support, no release with the above version is available.)

4-2) Disabling the HTTP service

The HTTP service can be disabled by executing the following command.
"DISABLE HTTP SERVER"

4-3) Blocking HTTP access

HTTP access can be blocked by the packet filter feature or the firewall feature.
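As an added example (not Allied Telesis code), the following Python inventory check parses Alliedware-style "major.minor.patch-build" version strings and flags devices that still run firmware older than the fix version while the HTTP server is enabled. The inventory, hostnames and the rule that anything below 2.9.1-21 counts as unfixed are assumptions made for the example.

```python
import re
from typing import NamedTuple

# Fix version named in the advisory. Assumption for this example: any firmware
# older than this is treated as unfixed (the advisory's "before 2.9.1-20" and
# "after 2.9.1-21" wording leaves 2.9.1-20 itself ambiguous).
FIXED_VERSION = "2.9.1-21"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int


def parse_version(text: str) -> Version:
    """Parse an Alliedware-style version string such as "2.9.1-20"."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return Version(*(int(g) for g in m.groups()))


def needs_action(firmware: str, http_enabled: bool) -> bool:
    """True when a device is unfixed and still exposes the HTTP service.

    A device whose HTTP server is already disabled (workaround 4-2) is not
    exposed even if its firmware is unfixed.
    """
    return parse_version(firmware) < parse_version(FIXED_VERSION) and http_enabled


# Constructed inventory: (hostname, model, firmware, HTTP server enabled?)
INVENTORY = [
    ("edge-rtr-1", "AR415S", "2.9.1-19", True),
    ("edge-rtr-2", "AR415S", "2.9.1-21", True),
    ("core-sw-1", "AT-9924T", "2.9.1-20", False),
    ("dmz-rtr-1", "AR750S", "2.9.2-03", True),
]


def exposed_devices(inventory=INVENTORY) -> list:
    """Return hostnames that are both unfixed and serving HTTP."""
    return [host for host, _model, fw, http in inventory if needs_action(fw, http)]


if __name__ == "__main__":
    for host in exposed_devices():
        print(f"{host}: update firmware or run DISABLE HTTP SERVER")
```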