CVE-1999-0508, CVE-1999-0502, CVE-2015-7755
Vulnerability Statement for CVE-1999-0508, CVE-1999-0502, CVE-2015-7755
This document addresses detections by the Qualys scanner of the following CVEs: CVE-1999-0508, CVE-1999-0502 and CVE-2015-7755. Because of the authorization mechanism used by the OLT, these CVEs are false positives for Tellabs OLTs. This statement explains why this occurs and how to validate whether a brute force attack has actually been successful.
Applies To
This statement applies to all versions of the OLT1134, OLT6, OLT1, OLT2, and OIU2 cards.
CVE Short Description
One or more valid SSH user logins have been found through bruteforcing. An account on a router, firewall, or other network device has a default, null, blank, or missing password. (CVE-1999-0508)
A Unix account has a default, null, blank, or missing password. (CVE-1999-0502)
Juniper ScreenOS 6.3.0r17 through 6.3.0r20 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session. (CVE-2015-7755)
The QID flags if the SSH layer on the target accepts authentication with a particular username/password combination. Note that this does not imply that a particular access level exists on the target for that user, that the username/password exists in any table on the target, or that there is shell access or anything else of that kind for that user.
The target is reported as vulnerable because SSH bruteforcing can only address the authentication layer of SSH. After authentication, additional SSH protocol layers can be accessed in different forms, but the scanner has no way of enumerating and testing all of those channel and request types, especially not vendor-specific ones. The SSH protocol is designed to perform authentication at the authentication layer, not inside some channel later.
Any SSH server that violates that design principle by allowing SSH-level authentication with guessable credentials should be considered vulnerable, regardless of what channels or requests are observable from the outside.
Seeing the QID reported simply means that the SSH layer did not reject the provided username/password and instead advanced the SSH connection to the point where "sessions" could be established.
Description
These CVEs all describe exploits where a brute force attack was able to determine the username and password of a user, often by testing well known existing passwords or ones that are specified in the exploits noted in the CVEs.
This brute force set of tests determines that the system is vulnerable by submitting sets of usernames and passwords and seeing if a connection is made.
The Tellabs shell that is utilized on all the Tellabs OLTs specified above works differently than most standard shells: it connects first, then collects credentials, and then makes an authorization decision. The credentials entered in the normal ssh dialog at startup are ignored, and credentials are collected directly from the user after connection. This gives the appearance that the exploit has occurred, while at that point it is still indeterminate whether the login will succeed or fail.
This causes most brute force scanners to report a false positive when used against Tellabs OLTs.
Determining Whether a Brute Force Attack Has Succeeded
The Tellabs OLTs log all accesses to the product via the EMS security log, and via Syslog. These outputs can be used to validate whether a brute force attack or scan has succeeded or failed.
To get to the Security Log in the Panorama EMS:
Select OLT in common tree -> Select Event View -> Select Security Events Tab within the Events View.

If a brute force attack was successful, there will be an event in the Security event log that a user was granted access to the system. Tellabs is not aware of any method to log into the system that does not get sent to the event logs and syslog.
The steps to verify whether a brute force scan was successful are as follows:
- Note the state of the current security log (or syslog) and the last logged event.
- Perform the brute force scan.
- Look in the security log (or syslog) for a successful login event.
- Ignore all failed logins or lockouts that might be caused by the brute force scan.
- Observe that there are no successful logins in the Security Event Log.
If a brute force attack was successful, it would show up as Login Successful in the security event log.
If the brute force finding is a false positive, you will not find a Login Successful message.
Please note this is what is displayed on every successful login.

Please note that it is also possible that a user has a weak or common password if the brute force attack is successful. If the user is a valid username, this is evidence of a poorly chosen password, which should be changed immediately for a more complex one.
Failed logins are normal during a brute force scan and appear like this in the security event log.

Repeated occurrences of the messages above under normal circumstances would indicate a likely attack and should be addressed promptly.
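The verification steps above, applied to syslog output, as an added example that is not part of the Tellabs statement. The log line layout and the "Login Failed" / "Account Locked" message texts are assumptions (the statement only gives "Login Successful"); the sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample syslog output in an assumed layout. The statement does not
# reproduce the OLT's exact log format, so adapt LINE_RE to the real one.
SAMPLE_SYSLOG = """\
2024-03-01T09:58:12 olt1 security: Login Successful user=operator src=10.1.1.20
2024-03-01T10:00:00 olt1 security: Login Failed user=admin src=10.1.1.99
2024-03-01T10:00:01 olt1 security: Login Failed user=root src=10.1.1.99
2024-03-01T10:00:02 olt1 security: Login Failed user=admin src=10.1.1.99
2024-03-01T10:00:03 olt1 security: Account Locked user=admin src=10.1.1.99
2024-03-01T10:00:04 olt1 security: Login Failed user=guest src=10.1.1.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+security:\s+"
    r"(?P<msg>[A-Za-z ]+?)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

def parse_events(text):
    """Parse security log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def assess_scan(text, baseline_ts):
    """baseline_ts is the timestamp of the last event noted before the scan
    (step 1); only events after it are considered. A Login Successful event
    confirms the finding; failures and lockouts are expected scan noise, but
    their counts are returned because repeated failures outside a scan
    window are themselves an attack indicator."""
    baseline = datetime.fromisoformat(baseline_ts)
    new = [e for e in parse_events(text) if e["ts"] > baseline]
    successes = [e for e in new if e["msg"] == "Login Successful"]
    return {
        "finding_confirmed": bool(successes),
        "successful_logins": [(e["ts"].isoformat(), e["user"], e["src"]) for e in successes],
        "failed_logins": sum(1 for e in new if e["msg"] == "Login Failed"),
        "lockouts": sum(1 for e in new if e["msg"] == "Account Locked"),
    }
```

With the baseline set just before the scan, the sample shows only failures and a lockout, so the scanner's finding is a false positive; moving the baseline earlier picks up the operator's legitimate login, which is why step 1 matters.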
Tellabs Recommended Mitigations if a Brute Force is Detected
Tellabs recommends upgrading to the latest release as soon as possible as this will add any recent security fixes and protect the OLT from attacks.
Tellabs equipment supports a trusted host feature that prevents connections from any IP address other than those that are specified in the trusted host list.
The Trusted Host menu can be reached from the common tree: Click the OLT -> Right Click -> Properties -> Security Tab
Add the EMS Gateway IP, the Default Gateway IP and any individual machines you want to allow SSH access to/from. This will prevent any other addresses from reaching the OLT and will block all protocols for any IP not in the list. You should also place the scanner in this list so that it can scan the OLT. If the scanner IP is not in the trusted host list, no scan results will be obtained, as the OLT will not respond to any requests from the scanner.
Using trusted host on the OLT is a good practice for all installations. All packets from IP addresses not in the Trusted Host list will be dropped.

CVE Summary
Tellabs is not aware of any successful brute force attacks at this time, and the process noted above can be used to validate whether a brute force attack reported as successful by a scanner is a true finding. Tellabs recommends the Trusted Host mitigation for this and many other attacks.
For further support, please contact the Tellabs 24/7 Technical Assistance Center (TAC).