HTTP and HTTPS Access Vulnerability
Summary
A vulnerability has been identified in a third-party package used by Allied Telesis AR series devices running AlliedWare Plus that provides HTTP and HTTPS access to the firewall GUI.
This vulnerability makes it possible to bypass user authentication and gain unauthorized access to an AR series device running AlliedWare Plus.
Version: C613-14016-00 REV D.
- Target Products: AR series devices that run the AlliedWare Plus OS software version 5.4.5 or later.
- Affected: AR4050S, AR3050S, AR2050V, AR2010V
- Not affected: Vista Manager EX and its plug-ins are not vulnerable. Allied Telesis switches running AlliedWare Plus are not vulnerable.
- Impact: AR series devices that run AlliedWare Plus face the possibility of unauthorized access.
- Firmware Upgrades that resolve this issue: Version 5.4.7-2.6 and later resolve this issue.
- Further information: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8715
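
The applicability criteria above can be applied to a device inventory as a triage check. The following Python is an added example, not part of the Allied Telesis advisory. The inventory format (host,model,version), the sample rows, the stripping of an "AT-" model prefix and the numeric comparison of version strings such as 5.4.7-2.6 are assumptions.

```python
import re

# Values taken from the advisory text.
AFFECTED_MODELS = {"AR4050S", "AR3050S", "AR2050V", "AR2010V"}
FIRST_AFFECTED = (5, 4, 5, 0, 0)  # "version 5.4.5 or later"
FIRST_FIXED = (5, 4, 7, 2, 6)     # "Version 5.4.7-2.6 and later"

# Assumption: versions look like 5.4.7 or 5.4.7-2.6 and order numerically.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+)\.(\d+))?$")

def parse_version(text):
    """Return a 5-tuple of ints, or None if the string is not in the assumed format."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def classify(model, version):
    """Map one device to a triage status based on the advisory's criteria."""
    name = model.strip().upper()
    if name.startswith("AT-"):  # assumption: inventory may carry the AT- prefix
        name = name[3:]
    if name not in AFFECTED_MODELS:
        return "model-not-listed"
    v = parse_version(version)
    if v is None:
        return "review"  # unknown version on an affected model: check by hand
    if v < FIRST_AFFECTED:
        return "outside-stated-range"
    return "upgrade-required" if v < FIRST_FIXED else "fixed"

def triage(inventory_text):
    """Parse host,model,version lines and return {host: status}."""
    results = {}
    for line in inventory_text.strip().splitlines():
        host, model, version = [f.strip() for f in line.split(",")]
        results[host] = classify(model, version)
    return results

# Constructed sample inventory, not real devices.
SAMPLE = """
fw-hq,AT-AR4050S,5.4.7-2.5
fw-branch1,AR3050S,5.4.7-2.6
fw-branch2,AR2050V,5.4.6-1.3
fw-lab,AR2010V,5.4.8-0.2
sw-core,x930-28GTX,5.4.7-1.1
fw-old,AR4050S,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as "review" are on an affected model with a version string the parser could not read, so they should be checked manually rather than assumed safe.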