Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: aDSL routers

From: truman () SUPERLINK NET (Truman Boyes)
Date: Wed, 14 Apr 1999 18:01:07 -0400

 There are two levels of access on these units. Basic telnet access will
provide limited commandset. These would leave the user with the ability to
'ping', list system info, show processes, and list the routing table.
There is another level which provides more options and rights is available
only by logging into the unit with password from the command line
interface.

Like most routers on networks, access should be restricted with access
control lists. You can set this by using 'system addTelnetFilter' and
specifying an IP range.


Version Tested:
FlowPoint/2200 SDSL [ATM] Router
FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)


.truman.boyes.

On Tue, 13 Apr 1999, David Brumley wrote:


Welp, aDSL is here.  And at least one manufacturer, flowpoint, sets no
admin password.  It's in the documentation, so I assume the
company already knows about this vulnerability:) System managers
who have aDSL access often overlook this, so I thought I'd point it out.
A quick fix: disable telnet access to all of your aDSL router IP's.
Better fix: set an admin password.

Version tested:
FlowPoint/2000 ADSL Router
FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
Software version v1.4.5 built Tue Aug 11 23:20:20 PDT 1998

Cheers,
-db
Previous By Date Next
Previous By Thread Next

Current thread: