Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: FlowPoint ADSL Reported Problem

From: dbrumley () GOJU STANFORD EDU (David Brumley)
Date: Wed, 14 Apr 1999 20:33:41 -0700



Recently there was a note in the bug list (below) indicating that
FlowPoint Routers do not set an administration password.  This statement
is false, but the vulnerability of the router to folks not changing the
default router password is well known.


What's false about the statement?  Is there or is there not either
a. a universal password (say, admin) as some reported
b. no password at all
and full telnet access open by default?



Our GUI asks the user to change the password.


And suppose your GUI isn't supported on my OS?



Release 3.0.2 onwards requires the user to enter the password
to access any information via the console or telnet.



[--snip--]
Okay, here starts the recommendation for *admins*.  This is exactly what I
was pointing out.  Thanks for giving examples.

However, it has nothing to do with your product doing something bad in the
first place.  Out of the box I can control your router.

Why don't you disable SNMP and telnet when a password isn't set like some
router companies?  Or perhaps have the default password unique to each
machine...say the serial number and turn off SNMP completely?  This would
limit the threat to those with physical access, and considering where most
aDSL's are found, i don't think it'd be a big problem.  Half a dozen other
possible solutions spring to mind.  Offline I'd be happy to discuss them
with you.

Incident response teams all over have noted that users with cable modems
have been targeted by some nefarious individuals.  As aDSL moves into this
market, naturally the kiddies will want to take advantage of it.  This is
the number one reason you, me, and every  other aDSL user should be
concerned.

Cheers,
-db



-----Original Message-----
From:       David Brumley [SMTP:dbrumley () GOJU STANFORD EDU]
Sent:       Tuesday, April 13, 1999 11:02 PM
Subject:    aDSL routers

Welp, aDSL is here.  And at least one manufacturer, flowpoint, sets no
admin password.  It's in the documentation, so I assume the
company already knows about this vulnerability:) System managers
who have aDSL access often overlook this, so I thought I'd point it out.
A quick fix: disable telnet access to all of your aDSL router IP's.
Better fix: set an admin password.

Version tested:
FlowPoint/2000 ADSL Router
FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
Software version v1.4.5 built Tue Aug 11 23:20:20 PDT 1998

Cheers,
-db
Previous By Date Next
Previous By Thread Next

Current thread: