Bugtraq mailing list archives

Nortel CVX 1800s will dump all local user names and passwords via SNMP


From: Michael Rawls <bugtraq () shadowstorm com>
Date: Fri, 12 Apr 2002 17:04:20 -0700


 The Nortel CVX 1800 is a modem bank containing up to 2600 modems per box.
Many ISPs are using them for their dial-up customers.
  
 While querying the CVX-1800 for SNMP codes to use in a modem statistics
program I was writing, I discovered the CVX-1800 will spill out all user
names and passwords in clear text for locally configured telnet accounts.
These are the accounts used to configure the CVX itself, and not the user
names and passwords of dialed up users. 

To retrieve the information under Linux I used the following command syntax:

snmpwalk CVX-IP-ADD-RESS public .1

 If you have a Nortel CVX-1800 and you have not changed your SNMP community
string to something other than public, you are vulnerable to anyone who can
reach the box including the dial-up users. Do not assume dial-up users
cannot determine the IP address of the CVX.  Typing "route" on a Linux box
dialed up to the CVX will display the IP address of the CVX as the default
gateway.  Windows will show its assigned dial-up IP address as the default
gateway.
 I notified Nortel Support of my find back in February of this year.  The
CVX-1800 software versions I tested this on were 3.6.3p24 and 3.6.3p5.

Fix: Change your SNMP community string to something other than its default
value of public.

-Michael Rawls
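
A defender-side check for the exposure described above, as an added example that is not part of the original post: SNMP v1/v2c carries the community string in clear text in every packet, so captured UDP port 161 payloads can be decoded to see which sources query a device with `public`. The function names, the `(source, payload)` input shape and the sample packets are assumptions constructed for illustration.

```python
DEFAULT_COMMUNITIES = {b"public"}  # default value named in the advisory
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(payload):
    """Return (version, community, pdu_name) from an SNMP v1/v2c UDP payload."""
    tag, body, _ = read_tlv(payload, 0)           # outer SEQUENCE
    vtag, version, pos = read_tlv(body, 0)        # INTEGER: 0 = v1, 1 = v2c
    ctag, community, pos = read_tlv(body, pos)    # OCTET STRING: community
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04) or pos >= len(body):
        raise ValueError("not an SNMP v1/v2c message")
    return int.from_bytes(version, "big"), community, PDU_NAMES.get(body[pos], hex(body[pos]))

def flag_default_community(packets):
    """packets: iterable of (src_ip, udp_payload); return default-community uses."""
    findings = []
    for src, payload in packets:
        try:
            _, community, pdu = parse_snmp(payload)
        except ValueError:
            continue  # malformed, or not v1/v2c (SNMPv3 has no community field)
        if community in DEFAULT_COMMUNITIES:
            findings.append((src, pdu, community.decode()))
    return findings

# Constructed sample payloads; source addresses are documentation-range.
_TAIL = bytes.fromhex("120201010201000201003007300506012b0500")
SAMPLE_PACKETS = [
    ("192.0.2.10", bytes.fromhex("301f0201000406") + b"public" + b"\xa1" + _TAIL),
    ("192.0.2.11", bytes.fromhex("3023020101040a") + b"n0tdefault" + b"\xa0" + _TAIL),
    ("192.0.2.12", b"\x30\x05junk"),  # truncated; skipped by the checker
]
```

Feed it payloads extracted from a capture taken in front of the CVX; any finding whose source lies in the dial-up address pool is a client using the default community.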

