[8754] in bugtraq
Re: [In]security in USR TotalSwitch
daemon@ATHENA.MIT.EDU (Lou Anschuetz)
Mon Dec 21 15:35:52 1998
Date: Mon, 21 Dec 1998 09:39:22 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Lou Anschuetz <lou@ZAPHOD.ECE.CMU.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <00dd01be2871$1f6830d0$091962d1@kilroy.ns.intexp.com> from Adam
Maloney at "Dec 15, 1998 3:23:13 pm"
> I searched the archives, with no luck finding anything about this.
>
> Recently a bunch of USR TotalSwitch (chassis which takes 5 cards, 10 / 100 /
> fddi / whatever, and a network management card) units went up for auction,
> and I know a lot of people purchased them, hence my concern.
>
> The switch is managable via snmp, telnet or a console port. Using the
> management features, you can disable / enable certain ports, configure IP
> routes and such. The management software allows you to set a password to
> access the switch (either by telnet or the console).
>
> Of course, there is a back-door so techs could reset or debug the unit if
> they didn't have the password. Unfortunately, this backdoor is not limited
> to the console port like it should be. It is possible to telnet to the
> switch, enter a "secret code" (which is readily available, for everyone's
> sake I won't give it out here) and do a memory dump to see the plaintext
> password.
>
> Solution: 3COM - limit this functionality to the console port ONLY.
> End-user - add an access list to filter telnet to your switch's IP address
> from outside your network.
>
> P.S. If anyone knows where to get the 100btx cards for this thing, please
> e-mail me!
>
> Reguards,
>
3COM did put out a patch for this, though it was rather quietly -
it also effects all CoreBuilder switches. Fortunately, I only buy
un-managed 3COM stuff. Everything that is a switch (or above) is
Cisco.
--
-
Lou Anschuetz, lou@ece.cmu.edu
Network Manager, ECE, Carnegie Mellon University