Oops - that last letter was supposed to be from me (alecat_private), and NOT Microcom Support - sorry for the confusion (gotta make a few modifications to this email prog ;) On 03-Jun-98 Microcom Support wrote: > Enclosed is a message that I sent to Compaq/Microcom's technical support > about their Microcom 6000 access integrators. There is a DoS as well as a > brute-force password attack on these systems. I received a canned reply from > their technical team, but have yet to hear anything else from them, and this > was early June. I spoke with their technical support on the phone, and the > answer to this problem is to turn off telnet access. That's it - there was a > message in their call reference that there is no plans to upgrade or modify > the pShell (pSOS). Just thought that people should know that Compaq/Microcom > do not seem to care about security, nor do they seem to care that security > is an issue for their customers. And I am assuming that since the 6000 Acess > Integrator is their flagship model, these problems are present in all Acess > Integrator models > BTW: The OS versions that I reported in my letter to Microcom are > incorrect. I was reading the wrong information - the correct version is > 4.0.13, and the latest version of the software is 4.0.15 (and 5.0 is in > beta, according to the technician). There are no security changes from > 4.0.13 to 4.0.15, AFAIK. > > -----FW: <01BD8EFC.379275D0.supportat_private>----- > > Date: Wed, 3 Jun 1998 14:30:54 +0100 > From: Microcom Support <supportat_private> > To: "alecat_private" <alecat_private> > Subject: FW: Support Query > > Additional: > > If you wish to contact us with regard to this matter please quote Call > Ref#: 305752. The best people to talk to about this would be at : > > Microcom Inc. > 500 River Ridge Drive, > Norwood. > MA 02062 > > Hardware : Tel +1 (781) 551-1313 > Carbon Copy : Tel +1 (781) 551-1414 > Fax : +1 (781) 551-1898 > BBS : +1 (781) 551-4750 > ______________________ > > Thank you for bringing this matter to our attention. I have forwarded this > eMail to our central site products technical team who will address the > situation. We will contact you again in due course. > > Best regards, > > Microcom : Compaq Access Solutions Division. > > Online Support - supportat_private > WWW - www.microcom.com > FTP - ftp.microcom.com > > PLEASE INCLUDE THIS EMAIL IN ALL FUTURE COMMUNICATIONS ON THIS SUBJECT > > -----Original Message----- > From: alecat_private [SMTP:alecat_private] > Sent: Wednesday, June 03, 1998 8:58 AM > To: supportat_private > Subject: Support Query > > On Wednesday, June 3, 1998 at 03:58:02, the following data was submitted > from http://www.microcom.com/support/feedback/index.html > > First Name Alec > Middle Initial A > Last Name Kosky > Company Dakota Communications > Title System Admin/Programmer > Country United States > Email alecat_private > User Type End User > Product CM6K-Series > Other Product > Software or Firmware Version pSOS > Operating System > Platform used > Query This set of comments/questions is directed to > the security guys. We currently use a Microcom 6100 Access Integrator, and > I believe the firmware/OS is subject to a possible denial of service > attack, as well as a possible brute force attempt to guess the password. I > believe the OS on the system is pSOS 6.02 for the MNC card and 6.01 for the > PRI card. > The denial of service problem is this: there is no timeout when typing > in the username and password - from what I have seen, a user can make a > telnet connection to the MNC or PRI card and leave the connection open > indefinitely. If the user only has one connection open, then this is not > problem. However, the system will not accept more than 4 telnet connections > at one time. Thus, a malicious user/hacker could open 4 telnet connections > to either (or both cards) and deny all legitimate connections to the card. > The other problem is that the system does not close the connection after > a specified number of invalid login attempts. A program such as 'crack' > could be modified to work over a network and attempt to guess the > administrator's password. > Neither of these are acceptable on any system, let alone a company's > flagship model. First, I would like to know if there is a firmware/OS > update (upgrade?) available to fix these problems, and second, if there is > no upgrade available, will one be available soon? > > --------------End of forwarded message------------------------- > > --Alec-- --Alec--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:12:28 PDT