Re: FlowPoint ADSL Reported Problem

[pmr () flowpoint com (Philip Rakity)]

David,

Let me start by saying that I only saw the note at the end of my e-mail.

Snip--
It contained the statement > > > > > > Welp, aDSL is here.  And at least
one manufacturer, flowpoint, sets no > > > admin password.  It's in the
documentation, so I assume the
End Snip--

There is a universal default password.  On this point we agree.  However,
there is a password; and my response was related to the statement "sets no
admin password".  Telnet and Console write access in the version of code
that you have requires that the password be entered.  In release 3.0.2
onwards, Telnet and Console Read and Write access require the password be
entered.  If the password is well known and NOT changed by the user there
is a security problem and on this point we agree.

In addition, we document, in our Quick Start book, that the user should
change the password as it is a security violation.

I also agree that we can do better and will look at your suggestions.

kind regards,

Philip Rakity

Vice President Product Development
FlowPoint Corporation
180 Knowles Drive
Suite 100
Los Gatos, CA 95030
USA

e-mail:    pmr () flowpoint com
 phone:    +1 (408) 364-8300
   fax:    +1 (408) 364-8301

On Wed, 14 Apr 1999, David Brumley wrote:

> > Recently there was a note in the bug list (below) indicating that
> > FlowPoint Routers do not set an administration password.  This statement
> > is false, but the vulnerability of the router to folks not changing the
> > default router password is well known.
>
> What's false about the statement?  Is there or is there not either
> a. a universal password (say, admin) as some reported
> b. no password at all
> and full telnet access open by default?
>
> > Our GUI asks the user to change the password.
>
> And suppose your GUI isn't supported on my OS?
>
> > Release 3.0.2 onwards requires the user to enter the password
> > to access any information via the console or telnet.
>
> [--snip--]
> Okay, here starts the recommendation for *admins*.  This is exactly what I
> was pointing out.  Thanks for giving examples.
>
> However, it has nothing to do with your product doing something bad in the
> first place.  Out of the box I can control your router.
>
> Why don't you disable SNMP and telnet when a password isn't set like some
> router companies?  Or perhaps have the default password unique to each
> machine...say the serial number and turn off SNMP completely?  This would
> limit the threat to those with physical access, and considering where most
> aDSL's are found, i don't think it'd be a big problem.  Half a dozen other
> possible solutions spring to mind.  Offline I'd be happy to discuss them
> with you.
>
> Incident response teams all over have noted that users with cable modems
> have been targeted by some nefarious individuals.  As aDSL moves into this
> market, naturally the kiddies will want to take advantage of it.  This is
> the number one reason you, me, and every  other aDSL user should be
> concerned.
>
> Cheers,
> -db
>
> > > -----Original Message-----
> > > From:     David Brumley [SMTP:dbrumley () GOJU STANFORD EDU]
> > > Sent:     Tuesday, April 13, 1999 11:02 PM
> > > Subject:  aDSL routers
> > >
> > > Welp, aDSL is here.  And at least one manufacturer, flowpoint, sets no
> > > admin password.  It's in the documentation, so I assume the
> > > company already knows about this vulnerability:) System managers
> > > who have aDSL access often overlook this, so I thought I'd point it out.
> > > A quick fix: disable telnet access to all of your aDSL router IP's.
> > > Better fix: set an admin password.
> > >
> > > Version tested:
> > > FlowPoint/2000 ADSL Router
> > > FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
> > > Software version v1.4.5 built Tue Aug 11 23:20:20 PDT 1998
> > >
> > > Cheers,
> > > -db