Re: (ASCEND) ** >= Ascend 5.0A SECURITY ALERT **

[kevin () ASCEND COM (Kevin Smith)]

This issue has been assigned immediately to high-priority problem report for
tracking - engineering are currently working on a fix and formulating advise
for a short-term workaround (filters).

> TR#1921 - Max4000 (ti) resets - FE1 - 5.0Ap1(telnetting to port 150)
> SW Version: 5.0Ap1
> Status: Open      Assign: Engineering      Priority: High
> ---------------------------------------------------------------------------
-------------------
> o Hardware/Software
> Max4000 running 5.0Ap1 (ti.m40)
>
> o Problem description
> Customer is telnetting to port 150 on Max4000.
> He gets a login prompt and enters a valid user name/password.
> He gets access to terminal server.
> By entering some commanda, he can cause the Max to reset with an FE1.

> From earlier:

> FYI, port 150 is not undocumented. It is described in the 5.0a release
> notes on page 59 of the Max/T1 manual and page 62 of the Max/E1 manual.
>
> It was also introduced months ago in an incremental release. I'm sure our
> support engineers are working on the bug you reported and will soon have a
> fix.
>
>
> Matt Holdrege  -  http://www.ascend.com  -  mholdrege () ascend com

At 03:18 PM 2/26/97 -0800, Kit Knox wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> ** IMPORTANT - PLEASE READ *********************************************
>
> There exists a new feature in the 5.0A series of releases for the MAX which
> allow a user to reboot your Ascend MAX at will.  This is done via an
> undocumented login entry point that has been introduced without notice to
> the public by Ascend.
>
> Users can telnet to a max on port 150 and the Max will act as though the
> call came in via a T1 etc.  Using this and another bug a user can cause the
> max to reboot.  The exact sequence to cause the reboot has been reported to
> Ascend and I am waiting for an official response.  After a fix has been made
> available I will immediatly release the details.  In the meantime it is
> HIGHLY reccomended that you filter access for incoming tcp to port 150.
>
> If you are not running 5.0A or above please report back to the list if your
> max accepts a telnet to port 150 so we can figure out which release this
> "feature" was introduced silently.
>
> The Max's seem to now also answer on port 1723.  Anyone know what this is
> used for?
>
> This whole thing smells of the non-zero length tcp offsets bug from awhile
> back.  Sigh.
>
> ************************************************************************
>
> =========================================================================
> Kit Knox - <kit () connectnet com> - System Administrator - Finger for Key
> CONNECTnet INS, Inc. - 6370 Lusk Blvd Ste F#208 - San Diego, CA 92121
> (619) 638-2020 - (619) 638-2024 Voicemail/Pager - (619) 450-3216 FAX
> Key fingerprint =  6F E3 79 52 10 6B AB 08  FF 4D 11 51 2A A6 26 2B
> =========================================================================
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBMxTEmgQB0nvJDyi5AQHTDgP/eOhWj8HXx+kcw2rCgilA17OOGPbz4Rwo
> /ijMMkLvGSGr/a72ZI6+h9/zfSUpFe+sjg9pqVxsestDX7hDQYgyykK+OmCXrPQc
> 6oyhmu04XADOXRAyeGA78rImnMOSOYLB/wVEL9j43JXnxVNFqjqZ78jASFLZmx9X
> bYS8amtxLGE=
> =gVlV
> -----END PGP SIGNATURE-----
>
> ++ Ascend Users Mailing List ++
> To unsubscribe:        send unsubscribe to ascend-users-request () bungi com
> To get FAQ'd:  <http://www.shore.net/~dreaming/ascend-faq>
> or             <ftp://ftp.shore.net/members/dreaming/ascend-faq.txt>

Kevin Smith                              Updated Service and Support
Senior Technical Support Engineer        Resources are now at:
Customer Satisfaction
Ascend Communications                    http://www.ascend.com/service