[8763] in bugtraq
Re: [In]security in USR TotalSwitch
daemon@ATHENA.MIT.EDU (Adam Maloney)
Tue Dec 22 02:34:56 1998
Date: Mon, 21 Dec 1998 14:52:29 -0600
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Adam Maloney <adam@IEXPOSURE.COM>
To: BUGTRAQ@NETSPACE.ORG
Normally I would've bought a Cisco switch, or a different 3com switch, but
these guys were so cheap, i couldn't resist.
I recently upgraded to the newest version of the firmware, and the
vulnerability still exists.
The version I'm using is 2.2 released on 10/30/97 There is no mention of
any newer version in their totalsupport download area.
Where did you see the patch? I can't find any mention of it.
Thanks,
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Adam Maloney
Systems Administrator
Internet Exposure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----Original Message-----
From: Lou Anschuetz <lou@ZAPHOD.ECE.CMU.EDU>
To: BUGTRAQ@netspace.org <BUGTRAQ@netspace.org>
Date: Monday, December 21, 1998 2:35 PM
Subject: Re: [In]security in USR TotalSwitch
>> I searched the archives, with no luck finding anything about this.
>>
>> Recently a bunch of USR TotalSwitch (chassis which takes 5 cards, 10 /
100 /
>> fddi / whatever, and a network management card) units went up for
auction,
>> and I know a lot of people purchased them, hence my concern.
>>
>> The switch is managable via snmp, telnet or a console port. Using the
>> management features, you can disable / enable certain ports, configure IP
>> routes and such. The management software allows you to set a password to
>> access the switch (either by telnet or the console).
>>
>> Of course, there is a back-door so techs could reset or debug the unit if
>> they didn't have the password. Unfortunately, this backdoor is not
limited
>> to the console port like it should be. It is possible to telnet to the
>> switch, enter a "secret code" (which is readily available, for everyone's
>> sake I won't give it out here) and do a memory dump to see the plaintext
>> password.
>>
>> Solution: 3COM - limit this functionality to the console port ONLY.
>> End-user - add an access list to filter telnet to your switch's IP
address
>> from outside your network.
>>
>> P.S. If anyone knows where to get the 100btx cards for this thing, please
>> e-mail me!
>>
>> Reguards,
>>
>3COM did put out a patch for this, though it was rather quietly -
>it also effects all CoreBuilder switches. Fortunately, I only buy
>un-managed 3COM stuff. Everything that is a switch (or above) is
>Cisco.
>
>--
>-
>Lou Anschuetz, lou@ece.cmu.edu
>Network Manager, ECE, Carnegie Mellon University
>