Bugtraq mailing list archives

Re: [In]security in USR TotalSwitch

From: adam () IEXPOSURE COM (Adam Maloney)
Date: Mon, 21 Dec 1998 14:52:29 -0600


Normally I would've bought a Cisco switch, or a different 3com switch, but
these guys were so cheap, i couldn't resist.

I recently upgraded to the newest version of the firmware, and the
vulnerability still exists.

The version I'm using is 2.2 released on 10/30/97  There is no mention of
any newer version in their totalsupport download area.

Where did you see the patch?  I can't find any mention of it.

Thanks,
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                  Adam Maloney
            Systems  Administrator
                Internet  Exposure
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-----Original Message-----
From: Lou Anschuetz <lou () ZAPHOD ECE CMU EDU>
To: BUGTRAQ () netspace org <BUGTRAQ () netspace org>
Date: Monday, December 21, 1998 2:35 PM
Subject: Re: [In]security in USR TotalSwitch

I searched the archives, with no luck finding anything about this.

Recently a bunch of USR TotalSwitch (chassis which takes 5 cards, 10 /

100 /

fddi / whatever, and a network management card) units went up for

auction,

and I know a lot of people purchased them, hence my concern.

The switch is managable via snmp, telnet or a console port.  Using the
management features, you can disable / enable certain ports, configure IP
routes and such.  The management software allows you to set a password to
access the switch (either by telnet or the console).

Of course, there is a back-door so techs could reset or debug the unit if
they didn't have the password.  Unfortunately, this backdoor is not

limited

to the console port like it should be.  It is possible to telnet to the
switch, enter a "secret code" (which is readily available, for everyone's
sake I won't give it out here) and do a memory dump to see the plaintext
password.

Solution:  3COM - limit this functionality to the console port ONLY.
End-user - add an access list to filter telnet to your switch's IP

address

from outside your network.

P.S. If anyone knows where to get the 100btx cards for this thing, please
e-mail me!

Reguards,

3COM did put out a patch for this, though it was rather quietly -
it also effects all CoreBuilder switches. Fortunately, I only buy
un-managed 3COM stuff. Everything that is a switch (or above) is
Cisco.

--
-
Lou Anschuetz, lou () ece cmu edu
Network Manager, ECE, Carnegie Mellon University

Current thread:

[In]security in USR TotalSwitch Adam Maloney (Dec 15)
- DCC HiJacking patch for BitchX 75p1 Alessio Orlandi (Oct 18)
  - Re: DCC HiJacking patch for BitchX 75p1 Andy Dills (Dec 21)
  - Re: DCC HiJacking patch for BitchX 75p1 Ben Winslow (Dec 21)
  - Re: DCC HiJacking patch for BitchX 75p1 mikey (Dec 22)
    - Re: DCC HiJacking patch for BitchX 75p1 YounGoat (Dec 22)
- Re: [In]security in USR TotalSwitch Lou Anschuetz (Dec 21)
- <Possible follow-ups>
- Re: [In]security in USR TotalSwitch Adam Maloney (Dec 21)