Bugtraq mailing list archives

Re: [In]security in USR TotalSwitch


From: lou () ZAPHOD ECE CMU EDU (Lou Anschuetz)
Date: Mon, 21 Dec 1998 09:39:22 -0500


I searched the archives, with no luck finding anything about this.

Recently a bunch of USR TotalSwitch (chassis which takes 5 cards, 10 / 100 /
fddi / whatever, and a network management card) units went up for auction,
and I know a lot of people purchased them, hence my concern.

The switch is managable via snmp, telnet or a console port.  Using the
management features, you can disable / enable certain ports, configure IP
routes and such.  The management software allows you to set a password to
access the switch (either by telnet or the console).

Of course, there is a back-door so techs could reset or debug the unit if
they didn't have the password.  Unfortunately, this backdoor is not limited
to the console port like it should be.  It is possible to telnet to the
switch, enter a "secret code" (which is readily available, for everyone's
sake I won't give it out here) and do a memory dump to see the plaintext
password.

Solution:  3COM - limit this functionality to the console port ONLY.
End-user - add an access list to filter telnet to your switch's IP address
from outside your network.

P.S. If anyone knows where to get the 100btx cards for this thing, please
e-mail me!

Reguards,

3COM did put out a patch for this, though it was rather quietly -
it also effects all CoreBuilder switches. Fortunately, I only buy
un-managed 3COM stuff. Everything that is a switch (or above) is
Cisco.

--
-
Lou Anschuetz, lou () ece cmu edu
Network Manager, ECE, Carnegie Mellon University



Current thread: