Greetings!
Scanning our network with a router detection software, we detected that
requests routed via the management IP address of the hub seemed to be
routed onward. If the embedded management really did routing, this could
be abused to circumvent network separation schemes (e.g. separate
management and user networks).
The system in question is
3Com SuperStack-II Dual Speed Hub 500
Hardware 01.01.01
Software 1.11
Boot PROM 0.04
"Newer" releases (2.10 and up, which are some years old by themselves)
do not show this behaviour. Firmware updates are (as always) available
for free from 3Com.
Further testing showed that the old hub firmware does NOT route at all.
It just (falsely) answers all ICMP echo-request packets sent to its
hardware (MAC) address regardless the destination IP address.
As most router-detection schemes simply use Ping (ICMP) to test for
routing function you'll get a False Positive from hubs equipped with the
old firmware. So re-checking those alerts with a manual test with a real
TCP connections (e.g. manual HTTP request) is (as always) highly
recommended.
Solutions:
- install current firmware to the hub(s)
- double-check router-detection alerts
So no, 3Com SuperStack II hubs with old/ancient firmware do not do
routing, even if your router detector told you otherwise...
Bye
Volker Tanger
PS: Adventurous hackers could try to abuse this and fake a system
"alive" to an ICMP-only NMS station. But as you need an on-line
ARP-spoofing station for such a treat anyway, this is more an
academic possibility.
--
ITK-Security
discon gmbh
DeTeWe AG & Co. KG
Fon +49 30 6104-3307
Fax +49 30 6104-3435
http://www.detewe.de/
This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 21:44:22 PDT