Bugtraq mailing list archives
Re: Netopia ISDN Router 650-ST: Viewing of all system logs without login
From: Aaron Nichols <anichols () NETOPIA COM>
Date: Thu, 16 Nov 2000 11:37:20 -0800
Andrew,

This problem has been a known issue for some time and was resolved in Netopia firmware version 4.3.2 in May of 1999. The platform that you are referring to, the PN650-ST, has not been in production for over 2 years. The last version of firmware released for that product was version 3.3.2 which was released in January of 1999 and no subsequent updates have been provided.

We make every effort to resolve any security issue promptly and if it is an issue with our current platform we will absolutely address it immediately and have in the past addressed issues which were brought to our attention expediently.

I do apologize for the lack of response regarding your original inquiries and I assure you that we are making every effort to make sure that this does not happen again.

Feel free to contact me if you have any further concerns.

Thank you,

Aaron

On Thu, 16 Nov 2000, The Proton wrote:
This advisory was sent to Netopia three weeks ago. I have received no return contact.

Andrew

----------------

Device Specifics
=================
Name: Netopia ISDN Router 650-ST
Manufacturer: Netopia
Version: Firmware 3.3.2
Risk: Viewing of all system logs without login
Advisory: 2000-03

Problem
=======
The system logs (both device history and WAN history) can be read from the telnet prompt without logging into the system.

Details
=======
The logs of the router can be viewed from the telnet login screen by pressing a certain key combination.

To access the WAN event log type Ctrl-F at the login screen
To access the device event log type Ctrl-E at the login screen

Access to these logs may allow access to sensitive information such as usernames or passwords to an arbitrary internet user.

Fixes
=====
None available.

Workaround
==========
Do not allow telnet access to your router to untrusted hosts.

Acknowledgements
================
This vulnerability was discovered by Bok <bok () dshs nsw edu au>
Further investigation by Andrew Wellington (aka proton)

Disclaimer
==========
THIS INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ANDREW WELLINGTON DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ANDREW WELLINGTON BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, BUT NOT LIMITED TO, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ANDREW WELLINGTON HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

PGP Key
=======
PGP key is available at keyserver.net
Key ID: 0x77168373
Fingerprint: E8C3 789F 30C3 658E 1D90 56EB 0097 3EE3 7716 8373

_______________________________
The Proton <proton () dshs nsw edu au>
_______________________________

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Aaron Nichols                  Voice: 510-814-5000
Sr. Systems Engineer           Web: http://www.netopia.com
Internet Equipment Division    Email: anichols () netopia com
Netopia Inc.
2470 Mariner Square Loop
Alameda, CA 94501
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=