[8763] in bugtraq

home help back first fref pref prev next nref lref last post

Re: [In]security in USR TotalSwitch

daemon@ATHENA.MIT.EDU (Adam Maloney)
Tue Dec 22 02:34:56 1998

Date: 	Mon, 21 Dec 1998 14:52:29 -0600
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Adam Maloney <adam@IEXPOSURE.COM>
To: BUGTRAQ@NETSPACE.ORG

Normally I would've bought a Cisco switch, or a different 3com switch, but
these guys were so cheap, i couldn't resist.

I recently upgraded to the newest version of the firmware, and the
vulnerability still exists.

The version I'm using is 2.2 released on 10/30/97  There is no mention of
any newer version in their totalsupport download area.

Where did you see the patch?  I can't find any mention of it.

Thanks,
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                  Adam Maloney
            Systems  Administrator
                Internet  Exposure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----Original Message-----
From: Lou Anschuetz <lou@ZAPHOD.ECE.CMU.EDU>
To: BUGTRAQ@netspace.org <BUGTRAQ@netspace.org>
Date: Monday, December 21, 1998 2:35 PM
Subject: Re: [In]security in USR TotalSwitch


>> I searched the archives, with no luck finding anything about this.
>>
>> Recently a bunch of USR TotalSwitch (chassis which takes 5 cards, 10 /
100 /
>> fddi / whatever, and a network management card) units went up for
auction,
>> and I know a lot of people purchased them, hence my concern.
>>
>> The switch is managable via snmp, telnet or a console port.  Using the
>> management features, you can disable / enable certain ports, configure IP
>> routes and such.  The management software allows you to set a password to
>> access the switch (either by telnet or the console).
>>
>> Of course, there is a back-door so techs could reset or debug the unit if
>> they didn't have the password.  Unfortunately, this backdoor is not
limited
>> to the console port like it should be.  It is possible to telnet to the
>> switch, enter a "secret code" (which is readily available, for everyone's
>> sake I won't give it out here) and do a memory dump to see the plaintext
>> password.
>>
>> Solution:  3COM - limit this functionality to the console port ONLY.
>> End-user - add an access list to filter telnet to your switch's IP
address
>> from outside your network.
>>
>> P.S. If anyone knows where to get the 100btx cards for this thing, please
>> e-mail me!
>>
>> Reguards,
>>
>3COM did put out a patch for this, though it was rather quietly -
>it also effects all CoreBuilder switches. Fortunately, I only buy
>un-managed 3COM stuff. Everything that is a switch (or above) is
>Cisco.
>
>--
>-
>Lou Anschuetz, lou@ece.cmu.edu
>Network Manager, ECE, Carnegie Mellon University
>

home help back first fref pref prev next nref lref last post