Summary

A vulnerability has been identified in a third-party package used by Allied Telesis AR series devices running AlliedWare Plus that provides HTTP and HTTPS access to the firewall GUI.

This vulnerability makes it possible to bypass user authentication and gain unauthorized access to an AR series device running AlliedWare Plus.

Version: C613-14016-00 REV C. This statement will be updated as new information becomes available.

  1. Target Products: AR series devices that run the AlliedWare Plus OS software version 5.4.5 or later.
    1. Affected: AR4050S, AR3050S, AR2050V, AR2010V
    2. Not affected: Vista Manager EX and its plug-ins are not vulnerable. Allied Telesis switches running AlliedWare Plus are not vulnerable. Rev A of this statement indicated that all current and legacy products running the AlliedWare Plus operating system were vulnerable. Further investigation has found that this is not the case.
  2. Impact: AR series devices that run AlliedWare Plus face the possibility of unauthorized access.
  3. Firmware upgrades that resolve this issue:
    1. Firmware update 5.4.7-2.6 resolves this issue and is available on our Software Downloads page.
    2. Firmware updates for other vulnerable AlliedWare Plus software versions will be available soon on our Software Downloads page.
  4. Workarounds: You can avoid this vulnerability with the following workarounds:
    1. Use firewall rules to ensure that the AR series devices can only be managed from trusted IP addresses. However, this does not prevent access by an unauthorized person with physical access to a device with a trusted IP address.
    2. Alternatively, disable HTTP and HTTPS access to the AR series devices by using the following commands:
      	awplus>enable
      	awplus#configure terminal
      	awplus(config)#no service http
      Note that this prevents Vista Manager EX and the firewall GUI from controlling those devices.
  5. Further information: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8715
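
The affected-product and firmware items above can be applied to a device inventory as follows. This is an added example, not Allied Telesis code: the hostnames and inventory rows are constructed, the status labels are hypothetical, and it assumes that later builds in the 5.4.7 train retain the fix.

```python
import re

# Values taken from the advisory text.
AFFECTED_MODELS = {"AR4050S", "AR3050S", "AR2050V", "AR2010V"}
FIRST_AFFECTED = (5, 4, 5, 0, 0)   # "version 5.4.5 or later"
FIXED = (5, 4, 7, 2, 6)            # "Firmware update 5.4.7-2.6"

def parse_version(text):
    """Parse 'A.B.C' or 'A.B.C-D.E' into a comparable 5-tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+)\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def triage(model, version):
    """Classify one device against the advisory (labels are hypothetical)."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "model-not-affected"          # e.g. AlliedWare Plus switches
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "below-affected-range"
    if v[:3] == FIXED[:3]:
        # Assumption: later maintenance builds of 5.4.7 keep the fix.
        return "fixed" if v >= FIXED else "vulnerable"
    if v < FIXED:
        # 5.4.5 / 5.4.6 trains: the advisory names no fixed build yet,
        # so the workarounds apply.
        return "vulnerable-no-fix-listed"
    # Newer train than 5.4.7: not named in this revision of the advisory.
    return "check-vendor"

# Constructed inventory: (hostname, model, running firmware version).
INVENTORY = [
    ("edge-fw-01", "AR4050S", "5.4.7-2.5"),
    ("edge-fw-02", "AR3050S", "5.4.7-2.6"),
    ("branch-fw-01", "AR2050V", "5.4.6-1.3"),
    ("branch-fw-02", "AR2010V", "5.4.4-3.1"),
    ("core-sw-01", "x930", "5.4.7-0.1"),
]

def triage_inventory(rows):
    """Return {hostname: status} for every inventory row."""
    return {host: triage(model, ver) for host, model, ver in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(INVENTORY).items():
        print(f"{host:14} {status}")
```

Devices reported as vulnerable or without a listed fix are the ones to place behind the workarounds in item 4 until an upgrade is applied.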
Forward-Looking Statements

Matters discussed here may constitute forward-looking statements. The Private Securities Litigation Reform Act of 1995 provides safe harbor protections for forward-looking statements in order to encourage companies to provide prospective information about their business. Forward-looking statements include statements concerning plans, objectives, goals, strategies, future events or performance, and underlying assumptions and other statements, which are other than statements of historical facts. The Company desires to take advantage of the safe harbor provisions of the Private Securities Litigation Reform Act of 1995 and is including this cautionary statement in connection with this safe harbor legislation. The words “believe,” “anticipate,” “intends,” “estimate,” “forecast,” “project,” “plan,” “potential,” “may,” “should,” “expect,” “pending” and similar expressions identify forward-looking statements. The forward-looking statements in this press release are based upon various assumptions, many of which are based, in turn, upon further assumptions, including without limitation, our management's examination of historical operating trends, data contained in our records and other data available from third parties. Although we believe that these assumptions were reasonable when made, because these assumptions are inherently subject to significant uncertainties and contingencies which are difficult or impossible to predict and are beyond our control, we cannot assure you that we will achieve or accomplish these expectations, beliefs or projections.

Warranty and Limitation of Liability

THE INFORMATION AND/OR MATERIALS CONTAINED HEREIN ARE PROVIDED "AS IS," WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Allied Telesis, Inc. shall not be liable for direct, indirect, special, incidental, or consequential damages related to your decision to use any of the information and/or materials listed and/or posted in this press release, even if Allied Telesis, Inc. is advised of the possibility of such damage.

Trademarks Statement

Other companies and products mentioned herein may be trademarks or registered trademarks of their respective trademark owners.