Alcatel OmniSwitch 7700 and 7800 switches running the Alcatel Operating System (AOS) version 5.1.1 are affected, Alcatel said in a security advisory this week.
The Computer Emergency Response Team/Coordination Center (CERT/CC) at Carnegie Mellon University in Pittsburgh issued a separate warning on Thursday.
In the vulnerable systems, a telnet server listens for connections on Transmission Control Protocol (TCP) port 6778 and accepts connections without requiring a password, creating a back door that provides full administrative control over the switch.
The telnet access was used for development of the product and Alcatel admitted its failure to remove it was "an oversight". Alcatel informed Cert of the back door when it was discovered during a code audit.
Users of vulnerable switches should immediately create an access control list (ACL) blocking all access to port 6778 on the switch, Alcatel said.
A patch to close the back door is also available. Furthermore, the vulnerability will be removed from AOS as of version 5.1.3, Alcatel said. AOS ships with each OmniSwitch.
The scope of the vulnerability is limited because the OmniSwitch 7000 series is meant for use in enterprise networks, not in public networks. That means that companies could face attacks from the inside only and that public networks are not at risk.
"These switches are normally used within a private enterprise network. They are not public switching products. Any enterprise should protect their private network through a firewall," said Alcatel spokesman Klaus Wustrack.