[17852] in bugtraq

Re: Nokia firewalls

daemon@ATHENA.MIT.EDU (Jason Costomiris)
Thu Nov 30 15:10:34 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20001129154643.A28404@jasons.org>
Date:         Wed, 29 Nov 2000 15:46:43 -0500
Reply-To: Jason Costomiris <jcostom@JASONS.ORG>
From: Jason Costomiris <jcostom@JASONS.ORG>
X-To:         K2 <ktwo@KTWO.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3A22E2DC.F8EF5AA3@ktwo.ca>; from ktwo@KTWO.CA on Mon, Nov 27,
              2000 at 02:40:28PM -0800

On Mon, Nov 27, 2000 at 02:40:28PM -0800, K2 wrote:
: PS. The only contact I have for Nokia is
: info.ipnetworking_americas@nokia.com, I don't believe that this mailbox
: would have given this information proper handling, my hope is that
: somebody @ Nokia will either be on this list or somebody will know
: actually how to contact this vendor.  And as I already stated, this is
: a pretty low-priority vulnerability, requiring an authenticated user.
: However, if they had an SSL site or did not have clear text TELNET
: authentication by default it would make me feel much better.

Just a couple of points...

I, unlike another poster from Nokia, do happen to work in the Nokia IP
Security Division.  My posting is in no way official Nokia policy, and
isn't an official company statement...

I agree with your point about this being a low-priority vulnerability.  In
order to exploit this, the attacker must already be authenticated.  As for
your point about telnet, that is no longer the only option.  Some units that
shipped with IPSO 3.2.1 have F-Secure's SSH pre-loaded.  For users of 3.1
or later that do not have it, there are a couple of resolutions in the
Knowledge Base about world-wide availability of SSH for the IPSO platform.

As far as SSL support for Voyager goes, that should be in IPSO 3.3.  IPSO
3.3 should be shipping shortly.

--
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/
          Quidquid latine dictum sit, altum viditur.
