Vulnerability Development mailing list archives

Re: Intel Corporation, Express 550F Switch unlimited password attempts


From: davids () WEBMASTER COM (David Schwartz)
Date: Sun, 19 Mar 2000 10:06:27 -0800


Knud,

AFAIK, all Intel switches that have a layer 3 interface come with no
default username or password. Also, the SNMP community strings are
public/private.

Sigh.

        Before you configure them, they have no IP address and can only be remotely
managed immediately after startup by answering their BOOTP requests. As soon
as you use the software Intel supplies to configure them, they lock
management down to the IP address of the management station. They can also
send out SNMP traps when people connect from unauthorized IP addresses or
use bad passwords.

        Somebody had to assign that switch an IP address and password but not set
any limits on what IP addresses could manage it. That's not particularly
bright.

        As for whether breaking connections after a fixed number of tries is a good
idea, I don't believe it is. It's no harder to write a program to try 1000
passwords on one connection than it is to write one to try one password,
disconnect, and repeat. So how would that provide any protection against
brute force attacks?

        DS
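
The point about disconnecting after a fixed number of tries can be checked with a small simulation. This is an added example, not part of the original post and not Intel's firmware logic; it compares a per-connection try limit with a per-source lockout. The lockout policy, the source address and all timings are assumptions made for the model.

```python
from dataclasses import dataclass, field
# Constructed model: addresses, timings and the lockout policy are assumptions.
@dataclass
class PerConnectionLimit:
    """Close the connection after max_tries bad passwords; state dies with it."""
    max_tries: int
    tries: int = 0

    def new_connection(self, src, now):
        self.tries = 0                      # every new connection starts at zero
        return True                         # and is always accepted

    def bad_password(self, src, now):
        self.tries += 1
        return self.tries < self.max_tries  # False means the device disconnects

@dataclass
class PerSourceLockout:
    """Count failures per source address and refuse that source for lockout_s."""
    max_tries: int
    lockout_s: float
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def new_connection(self, src, now):
        return now >= self.locked_until.get(src, 0.0)

    def bad_password(self, src, now):
        n = self.failures.get(src, 0) + 1
        locked = n >= self.max_tries
        self.failures[src] = 0 if locked else n
        if locked:
            self.locked_until[src] = now + self.lockout_s
        return not locked

def wrong_guesses_evaluated(policy, src="192.0.2.10", window_s=3600.0,
                            guess_s=1.0, reconnect_s=1.0):
    """Bad passwords the device evaluates from one source within window_s
    (simulated clock) when the client reconnects every time it is dropped."""
    now, evaluated, connected = 0.0, 0, False
    while now < window_s:
        if not connected:
            now += reconnect_s
            connected = policy.new_connection(src, now)
            continue
        now += guess_s
        evaluated += 1
        connected = policy.bad_password(src, now)
    return evaluated
```

With these defaults, one hour allows 3599 evaluated guesses on a single unlimited connection, 2700 with a 3-try disconnect, and 36 with a 3-try, 300-second per-source lockout. The disconnect costs only the reconnect time, while state kept per source address is what actually bounds the rate.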

