[8711] in bugtraq
[In]security in USR TotalSwitch
daemon@ATHENA.MIT.EDU (Adam Maloney)
Wed Dec 16 13:04:59 1998
Date: Tue, 15 Dec 1998 15:23:13 -0600
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Adam Maloney <adam@IEXPOSURE.COM>
To: BUGTRAQ@NETSPACE.ORG
I searched the archives, with no luck finding anything about this.
Recently a bunch of USR TotalSwitch (chassis which takes 5 cards, 10 / 100 /
fddi / whatever, and a network management card) units went up for auction,
and I know a lot of people purchased them, hence my concern.
The switch is managable via snmp, telnet or a console port. Using the
management features, you can disable / enable certain ports, configure IP
routes and such. The management software allows you to set a password to
access the switch (either by telnet or the console).
Of course, there is a back-door so techs could reset or debug the unit if
they didn't have the password. Unfortunately, this backdoor is not limited
to the console port like it should be. It is possible to telnet to the
switch, enter a "secret code" (which is readily available, for everyone's
sake I won't give it out here) and do a memory dump to see the plaintext
password.
Solution: 3COM - limit this functionality to the console port ONLY.
End-user - add an access list to filter telnet to your switch's IP address
from outside your network.
P.S. If anyone knows where to get the 100btx cards for this thing, please
e-mail me!
Reguards,
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Adam Maloney
Systems Administrator
Internet Exposure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
