[10228] in bugtraq
FlowPoint ADSL Reported Problem
daemon@ATHENA.MIT.EDU (Philip Rakity)
Thu Apr 15 13:24:43 1999
Date: Wed, 14 Apr 1999 18:07:59 -0700
Reply-To: Philip Rakity <pmr@flowpoint.com>
From: Philip Rakity <pmr@FLOWPOINT.COM>
X-To: dbrumley@goju.stanford.edu
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <01BE869B.D4D2F300.roger@flowpoint.com>

Recently there was a note in the bug list (below) indicating that
FlowPoint Routers do not set an administration password. This statement
is false, but the vulnerability of the router to folks not changing the
default router password is well known.

Our GUI asks the user to change the password.

Release 3.0.2 onwards requires the user to enter the password
to access any information via the console or telnet.

Access control to the router via telnet and snmp can be controlled via
access lists using the commands:

    system addtelnetfilter <IP Addresses>
    system addsnmpfilter <IP Addresses>

The SNMP Community name can be changed as well as the ports used to access
Telnet and SNMP. In addition, access to the router via SNMP and Telnet
can be turned off. The commands:

    system telnetport <Port No>
    system snmpport <Port No>

A <Port No> of 0 stops access to the router.

In addition, an IP Filtering package similar to the Linux Firewall
capability is available as an option.

kind regards,
Philip Rakity
Vice President Product Development
FlowPoint Corporation
180 Knowles Drive
Suite 100
Los Gatos, CA 95030
USA
e-mail: pmr@flowpoint.com
phone: +1 (408) 364-8300
fax: +1 (408) 364-8301
>
> -----Original Message-----
> From: David Brumley [SMTP:dbrumley@GOJU.STANFORD.EDU]
> Sent: Tuesday, April 13, 1999 11:02 PM
> Subject: aDSL routers
>
> Welp, aDSL is here. And at least one manufacturer, flowpoint, sets no
> admin password. It's in the documentation, so I assume the
> company already knows about this vulnerability:) System managers
> who have aDSL access often overlook this, so I thought I'd point it out.
> A quick fix: disable telnet access to all of your aDSL router IP's.
> Better fix: set an admin password.
>
> Version tested:
> FlowPoint/2000 ADSL Router
> FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
> Software version v1.4.5 built Tue Aug 11 23:20:20 PDT 1998
>
> Cheers,
> -db
>