Date: Mon, 21 Dec 1998 14:52:29 -0600 From: Adam Maloney Reply-To: Bugtraq List To: BUGTRAQ@netspace.org Subject: Re: [In]security in USR TotalSwitch [ The following text is in the "iso-8859-1" character set. ] [ Your display is set for the "US-ASCII" character set. ] [ Some characters may be displayed incorrectly. ] Normally I would've bought a Cisco switch, or a different 3com switch, but these guys were so cheap, i couldn't resist. I recently upgraded to the newest version of the firmware, and the vulnerability still exists. The version I'm using is 2.2 released on 10/30/97 There is no mention of any newer version in their totalsupport download area. Where did you see the patch? I can't find any mention of it. Thanks, -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Adam Maloney Systems Administrator Internet Exposure -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- -----Original Message----- >From: Lou Anschuetz To: BUGTRAQ@netspace.org Date: Monday, December 21, 1998 2:35 PM Subject: Re: [In]security in USR TotalSwitch >> I searched the archives, with no luck finding anything about this. >> >> Recently a bunch of USR TotalSwitch (chassis which takes 5 cards, 10 / 100 / >> fddi / whatever, and a network management card) units went up for auction, >> and I know a lot of people purchased them, hence my concern. >> >> The switch is managable via snmp, telnet or a console port. Using the >> management features, you can disable / enable certain ports, configure IP >> routes and such. The management software allows you to set a password to >> access the switch (either by telnet or the console). >> >> Of course, there is a back-door so techs could reset or debug the unit if >> they didn't have the password. Unfortunately, this backdoor is not limited >> to the console port like it should be. It is possible to telnet to the >> switch, enter a "secret code" (which is readily available, for everyone's >> sake I won't give it out here) and do a memory dump to see the plaintext >> password. >> >> Solution: 3COM - limit this functionality to the console port ONLY. >> End-user - add an access list to filter telnet to your switch's IP address >> from outside your network. >> >> P.S. If anyone knows where to get the 100btx cards for this thing, please >> e-mail me! >> >> Reguards, >> >3COM did put out a patch for this, though it was rather quietly - >it also effects all CoreBuilder switches. Fortunately, I only buy >un-managed 3COM stuff. Everything that is a switch (or above) is >Cisco. > >-- >- >Lou Anschuetz, lou@ece.cmu.edu >Network Manager, ECE, Carnegie Mellon University