Greetings! Scanning our network with a router detection software, we detected that requests routed via the management IP address of the hub seemed to be routed onward. If the embedded management really did routing, this could be abused to circumvent network separation schemes (e.g. separate management and user networks). The system in question is 3Com SuperStack-II Dual Speed Hub 500 Hardware 01.01.01 Software 1.11 Boot PROM 0.04 "Newer" releases (2.10 and up, which are some years old by themselves) do not show this behaviour. Firmware updates are (as always) available for free from 3Com. Further testing showed that the old hub firmware does NOT route at all. It just (falsely) answers all ICMP echo-request packets sent to its hardware (MAC) address regardless the destination IP address. As most router-detection schemes simply use Ping (ICMP) to test for routing function you'll get a False Positive from hubs equipped with the old firmware. So re-checking those alerts with a manual test with a real TCP connections (e.g. manual HTTP request) is (as always) highly recommended. Solutions: - install current firmware to the hub(s) - double-check router-detection alerts So no, 3Com SuperStack II hubs with old/ancient firmware do not do routing, even if your router detector told you otherwise... Bye Volker Tanger PS: Adventurous hackers could try to abuse this and fake a system "alive" to an ICMP-only NMS station. But as you need an on-line ARP-spoofing station for such a treat anyway, this is more an academic possibility. -- ITK-Security discon gmbh DeTeWe AG & Co. KG Fon +49 30 6104-3307 Fax +49 30 6104-3435 http://www.detewe.de/
This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 21:44:22 PDT