The Telecom Security Group http://www.ttsg.com/TTSG/ ** TTSG VULNERABILITY ADVISORY ** **FOLLOWUP** Summary: Date: July 22, 1998 Subject: N-Base vulnerability followup Contact Address: nbaseat_private Result: Comprimise security of switch, or render inoperable -------------------------------------------------------------------------- Introduction : On July 20,1998 The Telecom issued a "Vulnerability Advisory" concerning N-Base products (http://www.ttsg.com/TTSG/nbase.advisory.txt). It was then mailed to the "BUGTRAQ" mailing list. (http://www.geek-girl.com/bugtraq/1998_3/0184.html). That same day, Geoff Cummings (geoffat_private) posted a reply (http://www.geek-girl.com/bugtraq/1998_3/0201.html). Parts of that reply are included in the followup without the authors permission, however, since it was posted in a public list and has been archived we believe this is acceptable since we have given him credit. The author of the original advisory then requested the following followup be distributed.(http://www.ttsg.com/TTSG/nbase.advisory.followup.txt). (It is in an email reply format to Geoff Commins' email to the Bugtraq list) If there are any future followups, they will be posted on http://www.ttsg.com/TTSG/ , and emailed to the Bugtraq list sans the headers and copyright/trademark. This is not to imply they are not still in effect. =========================================================================== Geoff Cummins <geoffat_private> writes: > Currently, supported switches with the following ROM updates do have real > fixes for password/tftp problems. > > For MegaSwitch II: Model ROM > NH2012 2.54 > NH2012R 2.54 > NH2015 2.51 > NH2048 1.33 > > With these configurations you can do the following to fix these problems. What about your other switches, such as the NH2016? How about the NH208/ 215? No notice of these problems (nor any notice about the fix) was sent to your customers (or at least neither I nor 2 other customers I speak to regularly have heard anything). From correspondence with security contacts at some of your OEM's, they were not notified either. There doesn't seem to be any infor- mation on the N Base web site or FTP servers. I don't see how existing cus- tomers are expected to discover the problem and that a fix is available for some (but not all) N Base products. Why was there no response to the two original security reports sent to N Base? Why are there still default passwords at all, and why should customers have to do a: > set-full-sec enable (this disables the backdoor passwords) > > set-sw-file XXX (where XXX is the name you want to call your SNMP > software update file) > > set-par-file XXX (where XXX is the name you want to call your > parameters file) > > del-user user (By default there are two users "super", and "user". > "super" has supervisor priveldges, "user" is just a > default. To secure the system, you should delete > the "user" account.) in order to "secure their switches"? Shouldn't the default provide a reason- able level of security? =========================================================================== The Telcom Security Group PO Box 69 Newburgh, NY 12551 1.800.596.6882 http://www.ttsg.com/TTSG/ =========================================================================== Copyright July 1998 The Telcom Security Group The information in this document is provided as a service from The Telecom Security Group (TTSG). Neither TTSG, nor any of it's employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or services by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by TTSG. The views and opinions of authors express herein do no necessarily state or reflect those of TTSG, and may not be used for advertising or product endorsement purposes. The material in this vulnerability advisory may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to TTSG. This vulnerability advisory may be reproduced and distributed, without permission, in its entirety only, by any person provided such reproduction and/or distribution is performed for non-commercial purposes and with the intent of increasing the awareness of the Internet community. =========================================================================== Trademarks are property of their respective holders.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:07:25 PDT