HTTP Vulnerability in Allied Telesis AR Routers and AlliedWare Switches
Release date:
Updated on:
Affected Systems:
Allied Telesyn AR Router AR750S-DP
Allied Telesyn AR Router AR750S
Allied Telesyn AR Router AR745
Allied Telesyn AR Router AR442S
Allied Telesyn AR Router AR441S
Allied Telesyn AR Router AR440S
Description:
CVE (CAN) ID: CVE-2014-7249
Allied Telesis is a network equipment and telecommunications company.
Multiple AR routers and AlliedWare switches have a vulnerability in their HTTP implementation. Attackers can exploit this vulnerability to execute arbitrary code on the affected products by sending malicious HTTP request packets.
<* Source: vendor
Link: http://www.allied-telesis.co.jp/support/list/faq/vuls/20141111aen.html
*>
Suggestion:
Temporary solution:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends that you take the following measures to reduce the threat:
* Run the "disable http server" command to disable the HTTP service.
Vendor patch:
Allied Telesyn
--------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.allied-telesis.co.jp/support/list/faq/vuls/20141111aen.html
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000132
http://jvn.jp/en/jp/JVN22440986/index.html