Bugtraq mailing list archives

N-Base Vulnerability Advisory Followup


From: ttsg () TTSG COM (TTSG)
Date: Wed, 22 Jul 1998 13:25:28 -0400


                    The Telecom Security Group
                     http://www.ttsg.com/TTSG/


                ** TTSG VULNERABILITY ADVISORY **
                        **FOLLOWUP**

Summary:

Date:                   July 22, 1998
Subject:                N-Base vulnerability followup
Contact Address:        nbase () ttsg com
Result:                 Compromise security of switch, or render
                                inoperable
--------------------------------------------------------------------------
Introduction:

  On July 20, 1998 The Telecom Security Group issued a "Vulnerability Advisory"
concerning N-Base products (http://www.ttsg.com/TTSG/nbase.advisory.txt).
It was then mailed to the "BUGTRAQ" mailing list.
(http://www.geek-girl.com/bugtraq/1998_3/0184.html).

  That same day, Geoff Cummings (geoff () NBASE COM) posted a reply
(http://www.geek-girl.com/bugtraq/1998_3/0201.html). Parts of that
reply are included in the followup without the author's permission,
however, since it was posted in a public list and has been archived
we believe this is acceptable since we have given him credit.

  The author of the original advisory then requested the following
followup be distributed (http://www.ttsg.com/TTSG/nbase.advisory.followup.txt).
(It is in an email reply format to Geoff Commins' email to the Bugtraq
list)

  If there are any future followups, they will be posted on
http://www.ttsg.com/TTSG/ , and emailed to the Bugtraq list sans the
headers and copyright/trademark.  This is not to imply they are not still
in effect.

===========================================================================
Geoff Cummins <geoff () NBASE COM> writes:
Currently, supported switches with the following ROM updates do have real
fixes for password/tftp problems.

For MegaSwitch II:    Model           ROM
                      NH2012          2.54
                      NH2012R         2.54
                      NH2015          2.51
                      NH2048          1.33

With these configurations you can do the following to fix these problems.

  What about your other switches, such as the NH2016? How about the NH208/
215?

  No notice of these problems (nor any notice about the fix) was sent to your
customers (or at least neither I nor 2 other customers I speak to regularly
have heard anything). From correspondence with security contacts at some of
your OEMs, they were not notified either. There doesn't seem to be any
information on the N Base web site or FTP servers. I don't see how existing
customers are expected to discover the problem and that a fix is available for
some (but not all) N Base products.

  Why was there no response to the two original security reports sent to N
Base?

  Why are there still default passwords at all, and why should customers have
to do a:

set-full-sec enable  (this disables the backdoor passwords)

set-sw-file  XXX     (where XXX is the name you want to call your SNMP
                      software update file)

set-par-file XXX     (where XXX is the name you want to call your
                      parameters file)

del-user user       (By default there are two users "super", and "user".
                     "super" has supervisor privileges, "user" is just a
                     default.  To secure the system, you should delete
                     the "user" account.)

  in order to "secure their switches"? Shouldn't the default provide a
reasonable level of security?
===========================================================================
The Telecom Security Group
PO Box 69
Newburgh, NY 12551
1.800.596.6882
http://www.ttsg.com/TTSG/
===========================================================================
Copyright July 1998  The Telecom Security Group

The information in this document is provided as a service from The Telecom
Security Group (TTSG).  Neither TTSG, nor any of its employees, makes
any warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or
services by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or
favoring by TTSG.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of TTSG, and may not be used for
advertising or product endorsement purposes.

The material in this vulnerability advisory may be reproduced and distributed,
without permission, in whole or in part, by other security incident
response teams (both commercial and non-commercial), provided the above
copyright is kept intact and due credit is given to TTSG.

This vulnerability advisory may be reproduced and distributed, without
permission, in its entirety only, by any person provided such
reproduction and/or distribution is performed for non-commercial
purposes and with the intent of increasing the awareness of the Internet
community.

===========================================================================

Trademarks are property of their respective holders.


