Re: aDSL routers

From: Joe Shaw (jshawat_private)
Date: Wed Apr 14 1999 - 13:14:21 PDT

    One could assume that since they set no admin password, yet discuss it in
    the documentation, that it's not really a security flaw, but stupidity on
    the part of lazy system managers.  If Flowpoint set the admin password
    to their equipment to the same string on all shipped routers, this
    would be no different than not resetting the default password to
    something else.
    
    You should always read the manuals for your equipment, and always pay
    attention to the details like them suggesting you set or change a
    password.
    
    --
    Joseph W. Shaw - jshawat_private
    Freelance Computer Security Consultant and Perl Programmer
    Free UNIX advocate - "I hack, therefore I am."
    
    On Tue, 13 Apr 1999, David Brumley wrote:
    
    > Welp, aDSL is here.  And at least one manufacturer, flowpoint, sets no
    > admin password.  It's in the documentation, so I assume the
    > company already knows about this vulnerability:) System managers
    > who have aDSL access often overlook this, so I thought I'd point it out.
    > A quick fix: disable telnet access to all of your aDSL router IPs.
    > Better fix: set an admin password.
    >
    > Version tested:
    > FlowPoint/2000 ADSL Router
    > FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
    > Software version v1.4.5 built Tue Aug 11 23:20:20 PDT 1998
    >
    > Cheers,
    > -db
    >
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:27 PDT