Regarding: 3Com OfficeConnect 812/840 Router DoS exploit code

[Tom_Kinahan () ne 3com com]

Hello,

 As the Product Manager of the 3Com Office Connect Remote 812 and 840, I have
the following response:

 It appears that both individuals posting on these products have not taken the
opportunity to download the software patch for the OCR812 router software
version 1.1.9. In responding to the specific points below, however, it is
certainly possible to employ port filtering on the WAN interface for ports 23
and 53 if the customer desires, following the same methodology as the port 80
filter available on the 3Com web site
(http://support.3com.com/infodeli/tools/remote/ocradsl/http_filtering.pdf).

 More to the point however, our customers have requested that these routers be
managed remotely from the WAN by default. In most cases, they also employ
another method supported on these products called access lists. Access lists
will only allow ip addresses in the range configured to access the management
interfaces. For details on Access Lists see the Command Line Interface manual
available at:

http://support.3com.com/infodeli/tools/remote/ocradsl/20/812_cli20.pdf

 Page 6-31 details how access lists are configured.

 I suggest that if access lists are used and used properly, the DoS issues below
 do not exist.

The OCR840 never had a software version as indicated below. What version was
this verified against?

-Tom Kinahan
Product Manager
OCR812/OCR840/OCR612

> ----- Original Message -----
> "BugTraq" <BUGTRAQ () SECURITYFOCUS COM>
> Sent: Sunday, September 23, 2001 11:09 AM
> Subject: Re: 3Com OfficeConnect 812/840 Router DoS exploit code


> > // 3Com OfficeConnect 812/840 ADSL Router Denial of Service (maybe others)

> Filtering port 80 on the WAN interface is enough to prevent this DoS. Port
> 53 UDP and port 23 telnet are also wide open by default. In fact, this is
> (IMHO) a bad symptom of lack of care in security.

> As another issue, 3com 812 ADSL routers do NAT. This is great since you plug
> in up to 40 PCs and do not have to care very much about settings. However,
> the TCP/IP stack of these routers shamelessly uses fixed-increment ISNs on
> packets, thus making a connection hijack / spoofing attack fairly simple.
> Since they do NAT, every outbound packet suffers of this "carelessness".

> I hope that someone from 3com hears us here... since on their whole site
> there is NO SECURITY CONTACT whatsoever. This is another bad sign for a
> network hardware vendor.

> Stefano "Raistlin" Zanero
> System Administrator Gioco.Net
> public PGP key block at http://gioco.net/pgpkeys

> --------------------------------------------------------------------------------------------------------------------
> // 3Com OfficeConnect 812/840 ADSL Router Denial of Service (maybe others)
> // security is weak
> // Written pour sniffer <sniffer () sniffer net>
> // Fri Sep 21 15:51:35 BRT 2001
> // Viva Brazil!

> vulnerable
>    3com OfficeConnect DSL Router 812 1.1.7
>    3com OfficeConnect DSL Router 840 1.1.7

>      .---.        .----------    Bruno Lacerda Ratnieks,
>     /     \  __  /    ------    Technical Comm Developer
>    / /     \(  )/    -----     Openweb Consultoria e Desen.
>   //////   ' \/ `   ---

««-»»
>  //// / // :    : ---        email: bruno () sniffer net
> // /   /  /`    '--         mobile: (51) 983-665-40
> //          //..\\          icq: 11111117
>       ====UU====UU====    ««-»»
>           '//||\\`