XSS Vulnerability Found in Alcatel-Lucent Carrier-Grade Switches

A reflected cross-site scripting (XSS) vulnerability has been identified in the management interface of the Alcatel-Lucent 1830 Photonic Service Switch, but the vendor doesn’t plan on fixing it any time soon.

The 1830 Photonic Service Switch is part of the French global telecommunications equipment company’s offering for cable multiple-system operator (MSO) networks. 

 The flaw, which affects version 6.0 and earlier of the product, was discovered in May by the Computer Security Incident Response Team (CSIRT) of the Switzerland-based telecoms company Swisscom. The vulnerability has been assigned the CVE identifier CVE-2014-3809.

“The management interface of the 1830 Photonic Switch series is vulnerable to reflected cross-site scripting, since user input is not properly encoded on output. Exploiting this vulnerability will lead to so-called cross-site  scripting (XSS) and allows the impersonation of logged-in admin users. Additionally, the myurl-Parameter accepts non-local web addresses, which can be abused to redirect victims to arbitrary web sites,” Swisscom’s Stephan Rickauer explained in an advisory.

Alcatel-Lucent was informed of the security hole’s existence on June 13. The company’s security team confirmed the existence of the issue three days later.

After Swisscom researchers made several inquiries regarding a patch for the vulnerability, Alcatel-Lucent informed them today that it doesn’t consider this to be a high-priority issue. As a result, details and the attack vector have been disclosed by Swisscom.

“The vulnerability is assessed at no risk. We will evaluate if/when we will add the best practice of validating all inputs in WebUI tasks, but this is not considered high priority for the roadmap,” Alcatel-Lucent stated.

While this vulnerability might not be considered critical, Alcatel-Lucent is one of the many tech giants that have had to deal with the recently uncovered GNU Bash vulnerability known as ShellShock. In late September, shortly after the existence of the vulnerability came to light, the company informed customers that Bash is used in several products.

“We are currently investigating the impact on our portfolio and already taking actions to ensure the vulnerability has no further impact on products in our portfolio,” reads a message currently published on the page dedicated to the company’s Portfolio Security Issue Response Team (PSIRT).

Alcatel-Lucent advises researchers who identify vulnerabilities in the company’s products to complete a standard document available on the PSIRT page and send it via email to psirt.security@alcatel-lucent.com.