Bugtraq mailing list archives

Re: Bay Networks Security Hole


From: BERI () ETF BG AC YU (Berislav Todorovic)
Date: Fri, 15 May 1998 19:53:00 +0100


Kirby Dolak wrote:

2. Bay recommends that both accounts (User and Manager) have passwords
assigned. Both have default/null passwords as they ship from the factory,
just like a Unix system.  The administrator should immediately take
measures to secure the system, at initial system install, so that an
unauthenticated user/manager doesn't have access to device management
information, such as the community names and addresses via telnet/console.

Gert Doering wrote:

I like the way Cisco approaches this issue.
And if you are logged in to an unprivileged account, you cannot become
superuser unless you have already set the enable password from the console.

This is VERY good.

No need to "recommend" anything, it's just "secure out of the box".  If
you neglect to configure the password, it just isn't accessible at all
(except from the physical console).

Sounds reasonable to me to apply a good password on User/Manager accounts and
thus secure the box. I'm wondering, however, what's the real raison d'etre
of two privilege levels, if I can obtain more privileged information from
a higher-privileged level. The basic function of a non-privileged level is
to give it to the remote support officer, ISP engineer or to a responsible
person from the network peering with my network, according to the ripe-037
document.

Well, I also wouldn't like to recommend anything, but here are the facts:
Cisco IOS gives the possibility to define up to 16 different privilege
levels, with strictly defined rights. IOS, further, allows one to define a
restricted set of commands, which may be executed from each privilege
level. I can, thus, give this type of access to the peering ISP personnel
for the purpose of monitoring without any fear ... At last - try to telnet
to route-views.oregon-ix.net - a Cisco box with public access! No password!

Now, what to do with a Bay box, located in the middle of a network? Sit and
cry! When your peer ISP asks you to take a look at your router config,
you'll have to log into it yourself and read them (oops, sorry - not to
"log in" - you'll have to start a "user-friendly" SNMP client, drink a
coffee until it brings itself up completely, then click, click, click ...).

I can talk about fun with Bay routers for hours, but that's another story.

Best regards,
Beri

.-------.
| --+-- |  Berislav Todorovic, B.Sc.E.E.     | E-mail: BERI () etf bg ac yu
|  /|\     Hostmaster of the YU TLD          |
|-(-+-)-|  School of Electrical Engineering  | Phone:  (+381-11) 3221-419
|  \|/     Bulevar Revolucije 73             |                   3370-106
| --+-- |  11000 Belgrade SERBIA, YUGOSLAVIA | Fax:    (+381-11) 3248-681
`-------' --------------------------------------------------------------------
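
The message above contrasts factory-default null passwords with a box that refuses remote logins until a password is configured, and mentions per-level command sets in IOS. As an added example (not part of the original message or any vendor's tooling), the sketch below audits an IOS-style configuration for those three things; the sample configuration is constructed, and the function name `audit` and its state labels are assumptions made for illustration.

```python
import re

# Constructed sample in Cisco IOS configuration syntax (not from the post).
SAMPLE = """\
enable secret 5 $1$constructed$hash
privilege exec level 5 show startup-config
privilege exec level 5 show ip bgp
line con 0
line vty 0 2
 password 7 0000constructed
 login
line vty 3
 login
line vty 4
 no login
"""

def audit(config):
    """Return (enable_set, {level: [commands]}, {vty_line: state})."""
    enable_set, levels, lines, current = False, {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not raw.startswith(" "):
            current = None  # a top-level line ends any "line ..." block
        if re.match(r"enable (secret|password)\b", text):
            enable_set = True
        elif m := re.match(r"privilege exec level (\d+) (.+)", text):
            levels.setdefault(int(m.group(1)), []).append(m.group(2))
        elif m := re.match(r"line (vty .+)", text):
            # Assumption: vty lines default to "login" with no password set.
            current = lines.setdefault(m.group(1), {"login": "login", "pw": False})
        elif current is not None:
            if text in ("login", "login local", "no login"):
                current["login"] = text
            elif text.startswith("password "):
                current["pw"] = True
    states = {}
    for name, s in lines.items():
        if s["login"] == "no login":
            states[name] = "open"  # reachable with no password at all
        elif s["login"] == "login local":
            states[name] = "local-users"
        else:  # password login: with no password set, remote logins are refused
            states[name] = "password" if s["pw"] else "refused"
    return enable_set, levels, states

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any vty line reported as "open" deserves a deliberate justification, and a missing enable password means remote users cannot reach privileged mode at all.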


