SecurityWeek
XSS Vulnerability Found in Alcatel-Lucent Carrier-Grade Switches

A reflected cross-site scripting (XSS) vulnerability has been identified in the management interface of the Alcatel-Lucent 1830 Photonic Service Switch, but the vendor doesn’t plan on fixing it any time soon.

The 1830 Photonic Service Switch is part of the French global telecommunications equipment company’s offering for cable multiple-system operator (MSO) networks.

The flaw, which affects version 6.0 and earlier of the product, was discovered in May by the Computer Security Incident Response Team (CSIRT) of the Switzerland-based telecoms company Swisscom. The vulnerability has been assigned the CVE identifier CVE-2014-3809.

“The management interface of the 1830 Photonic Switch series is vulnerable to reflected cross-site scripting, since user input is not properly encoded on output. Exploiting this vulnerability will lead to so-called cross-site scripting (XSS) and allows the impersonation of logged-in admin users. Additionally, the myurl-Parameter accepts non-local web addresses, which can be abused to redirect victims to arbitrary web sites,” Swisscom’s Stephan Rickauer explained in an advisory.
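The advisory names two defects: reflected input is not encoded on output, and the `myurl` redirect parameter accepts non-local addresses. The following is an added illustration of how a web UI handler can close both gaps; it is not code from Swisscom's advisory or from the 1830 PSS (whose implementation is not public), and the function names and the `myurl` handling are assumptions.

```python
import html
from urllib.parse import unquote, urlsplit


def is_local_redirect(target: str) -> bool:
    """Accept only same-origin, path-only redirect targets.

    Hypothetical check for a 'myurl'-style parameter; the real product
    code is not public, so this is an illustration of the mitigation.
    """
    if not target or len(target) > 2048:
        return False
    # Decode once so %2F%2F or %5C cannot smuggle a host past the checks.
    decoded = unquote(target)
    # CR/LF and other control characters would allow header injection.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        return False
    # Must be an absolute path on this host; "//host" and "/\host" are
    # interpreted by browsers as a different origin.
    if not decoded.startswith("/") or decoded.startswith(("//", "/\\")):
        return False
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return False
    # Some browsers normalise backslashes to slashes; reject them outright.
    if "\\" in parts.path:
        return False
    return True


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return the requested local target, or a fixed default for anything else."""
    return target if is_local_redirect(target) else default


def render_message(user_input: str) -> str:
    """Reflect user input into HTML with encoding applied on output,
    which the advisory says the affected interface failed to do."""
    return "<p>Result for: %s</p>" % html.escape(user_input, quote=True)


if __name__ == "__main__":
    # Constructed sample values, not captured from any device.
    for candidate in ["/admin/status", "https://evil.example/", "//evil.example/",
                      "%2F%2Fevil.example", "/a\r\nSet-Cookie: x"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
    print(render_message('<script>alert(1)</script>'))
```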

Alcatel-Lucent was informed of the security hole’s existence on June 13. The company’s security team confirmed the existence of the issue three days later.

After Swisscom researchers made several inquiries regarding a patch for the vulnerability, Alcatel-Lucent informed them today that it doesn’t consider this to be a high-priority issue. As a result, details and the attack vector have been disclosed by Swisscom.

“The vulnerability is assessed at no risk. We will evaluate if/when we will add the best practice of validating all inputs in WebUI tasks, but this is not considered high priority for the roadmap,” Alcatel-Lucent stated.

While this vulnerability might not be considered critical, Alcatel-Lucent is one of the many tech giants that have had to deal with the recently uncovered GNU Bash vulnerability known as ShellShock. In late September, shortly after the existence of the vulnerability came to light, the company informed customers that Bash is used in several products.

“We are currently investigating the impact on our portfolio and already taking actions to ensure the vulnerability has no further impact on products in our portfolio,” reads a message currently published on the page dedicated to the company’s Portfolio Security Issue Response Team (PSIRT).


Alcatel-Lucent advises researchers who identify vulnerabilities in the company’s products to complete a standard document available on the PSIRT page and send it via email to [email protected].

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
