[6762] in bugtraq
Re: Bay Networks Security Hole
daemon@ATHENA.MIT.EDU (Gert Doering)
Fri May 15 11:21:12 1998
Date: Thu, 14 May 1998 20:00:43 +0200
Reply-To: Gert Doering <gert@GREENIE.MUC.DE>
From: Gert Doering <gert@GREENIE.MUC.DE>
X-To: Kirby_Dolak@BAYNETWORKS.COM
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <3.0.32.19980514110553.006b6b8c@bl-mail1.corpeast.baynetworks.com> from Kirby Dolak at "May 14, 98 11:06:00 am"
Hi,
Kirby Dolak wrote:
> 2. Bay recommends that both accounts (User and Manager) have passwords
> assigned. Both have default/null passwords as they ship from the factory,
> just like a Unix system. The administrator should immediately take
> measures to secure the system, at initial system install, so that an
> unauthenticated user/manager doesn't have
> access to device management information, such as the community names and
> addresses via telnet/console.
I like the way Cisco approaches this issue.
Unless you set a login password, or enable some kind of "aaa authentication"
service, you CANNOT LOGIN AT ALL over the network.
And if you are logged in to an unprivileged account, you cannot become
superuser unless you have already set the enable password from the console.
This is VERY good.
No need to "recommend" anything, it's just "secure out of the box". If
you neglect to configure the password, it just isn't accessible at all
(except from the physical console).
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert@greenie.muc.de
fax: +49-89-35655025 gert.doering@physik.tu-muenchen.de
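
The fail-closed default praised in this message, set beside a factory-default null password, as an added example that is not part of the original post and is not any vendor's code. It is a simplified Python model: `Device`, the channel constants and the three check functions are hypothetical names, and an unset password is represented as `None` or an empty string.

```python
import hmac
from typing import NamedTuple, Optional

CONSOLE, NETWORK = "console", "network"   # hypothetical channel labels


class Device(NamedTuple):
    # None or "" means "never configured", i.e. the factory state.
    login_password: Optional[str] = None
    enable_password: Optional[str] = None


def _matches(configured: Optional[str], supplied: str) -> bool:
    """Constant-time comparison; an unset secret never matches anything."""
    if not configured:
        return False
    return hmac.compare_digest(configured.encode(), supplied.encode())


def login_fail_open(dev: Device, channel: str, supplied: str) -> bool:
    """Null default password: an unset password admits every caller."""
    if not dev.login_password:
        return True                       # any channel, any input
    return _matches(dev.login_password, supplied)


def login_fail_closed(dev: Device, channel: str, supplied: str) -> bool:
    """Unset password: network login is refused, the console stays usable."""
    if not dev.login_password:
        return channel == CONSOLE         # physical access only, for setup
    return _matches(dev.login_password, supplied)


def enable_fail_closed(dev: Device, channel: str, supplied: str) -> bool:
    """Privilege escalation follows the same rule as login."""
    if not dev.enable_password:
        return channel == CONSOLE
    return _matches(dev.enable_password, supplied)


if __name__ == "__main__":
    factory = Device()                    # constructed sample: nothing configured
    for name, check in (("fail-open", login_fail_open),
                        ("fail-closed", login_fail_closed)):
        for channel in (NETWORK, CONSOLE):
            print(f"{name:11} {channel:8} login allowed: "
                  f"{check(factory, channel, '')}")
    print("fail-closed network enable allowed:",
          enable_fail_closed(factory, NETWORK, ""))
```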