Full Disclosure mailing list archives
Undocumented account vulnerability in Enterasys Vertical Horizon switches
From: Jacek Lipkowski <sq5bpf () andra com pl>
Date: Tue, 21 Jun 2005 03:41:25 +0200 (CEST)
1. Problem DescriptionAn undocumented account with a default password exists, additionally guest users can DoS the switch.
2. Tested systems The following versions were tested and found vulnerable: Vertical Horizon VH-2402S with firmware 02.05.00 Vertical Horizon VH-2402S with firmware 02.05.09.07All publically software versions before 2.05.09.08 are assumed to be vulnerable. Additionally firmware for other Vertical Horizon switches has been released on similar dates and according to the release notes the vulnerability might be also present there.
3. Details The undocumented account is user tiger with password tiger123Additionally there are some debug commands available to all users after pressing ctrl-f, ctrl-b, ctrl-g or ctrl-l when logged in via the serial console or telnet. The write commands available after pressing ctrl-g can be harmful to the switch - allowing any valid user including guest user to remotely disable the switch.
4. RecommendationsAs always it is good administrative practice to block access to administrative interfaces (telnet, web, snmp) at the firewall. Upgrading to firmware version 02.05.09.08 solves both problems: the undocumented
account is removed and the debug commands are only avaliable to users with administrative privlidges. 5. Vendor statusEnterasys was informed on Mar 8 2005. The vendor responded on Mar 10 2005. The fixed software is available from the Enterasys support site http://www.enterasys.com/download/download.cgi?lib=vh
since June 16 2005. Unfortunately the vendor doesn't want to follow theroute of responsible full disclosure by not giving the researcher proper credit.
6. Disclaimer Neither I nor my employer is responsible for the use or misuse of information in this advisory. The opinions expressed are my own and not of any company. Any use of the information is at the user's own risk. Jacek Lipkowski sq5bpf at andra com pl Andra Co. Ltd. ul Pryzmaty 6/8 02-226 Warsaw, Poland http://www.andra.com.pl _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Undocumented account vulnerability in Enterasys Vertical Horizon switches Jacek Lipkowski (Jun 20)