J-Security Center

Title: Allegro RomPager Malformed URL Request DoS Vulnerability

Severity: MODERATE

Description:

Allegro's RomPager is an embedded webserver product, most often used to provide web administration capabilities for networked printers, network switches, and other devices.

Allegro's RomPager is reported prone to a remote denial of service vulnerability. If a specifically malformed request is sent to it, it will crash, often crashing the parent device as well. In this manner, network hardware and possibly entire networks can be rendered unusable by any remote attacker using only a browser.

In some cases, such as products made by Extreme Networks, the devices will identify themselves as 2.10 but will not exhibit the problem, since some vendors chose to integrate only certain portions of the 2.20 update such as the bug fix.

The following is a partial list of vendors and products, which are known to use the Allegro RomPager:

3Com:
TotalSwitch LAN switching hubs
LANLinker Dual Analog Router

Acacia Networks:
NovaSwitch Ethernet switches.

APC:
UPS products with web management

Andover Controls Corporation:
Infinity automated building controls

Bizfon:
Bizfon 680 Multifunction communications server

D-Link Systems:
DES-3225G 24-port 10/100Mbps Ethernet switch.
DES-3224+

EdgePoint Networks:
EdgeStar
EdgeStack
EdgeSwitch

Extreme Networks:
Summit Gigabit Switch

Foundry Networks:
BigIron Switching Routers,
FastIron Switches
NetIron Core Routers.
(possibly entire product line)

Interspeed:
System 1000 and 500 Central Office ADSL routers

LANart Corporation:
Segway Adaptive Microsegmentable Ethernet Hub

Netopia Communications:
Netopia ISDN router products

NETsilicon, Inc.:
NET+ARM product family

Net To Net Technologies:
IP DSL Access Multiplexer 12000

Network Peripherals:
NuSwitch Ethernet switches and hubs

Northern Telecom:
Accelar Gigabit Ethernet

Osicom:
NETPrint 1000 print server
various Ethernet switch products

Proxim:
RangeLAN2

QMS:
various networked printers

Xerox:
DocuPrint laser printers

**Update: Many devices are still reported prone to this vulnerability.

Affected Products:

  • Allegro RomPager 2.10.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.