Date: Tue, 13 Apr 1999 23:01:50 -0700
From: David Brumley <[email protected]>
To: [email protected]
Subject: aDSL routers
Welp, aDSL is here. And at least one manufacturer, flowpoint, sets no
admin password. It's in the documentation, so I assume the
company already knows about this vulnerability:) System managers
who have aDSL access often overlook this, so I thought I'd point it out.
A quick fix: disable telnet access to all of your aDSL router IP's.
Better fix: set an admin password.
Version tested:
FlowPoint/2000 ADSL Router
FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
Software version v1.4.5 built Tue Aug 11 23:20:20 PDT 1998
Cheers,
-db
------------------------------------------------------------------------
Date: Wed, 14 Apr 1999 15:14:21 -0500
From: Joe Shaw <[email protected]>
To: [email protected]
Subject: Re: aDSL routers
One could assume that since they set no admin password, yet discuss it in
the documentation that it's not really a security flaw, but stupidity on
the part of lazy system managers. If Flowpoint set the admin password
to their equipment to the same string on all shipped routers, this
would be no different than not resetting the default password to
something else.
You should always read the manuals for your equipment, and always pay
attention to the details like them suggesting you set or change a
password.
--
Joseph W. Shaw - [email protected]
Freelance Computer Security Consultant and Perl Programmer
Free UNIX advocate - "I hack, therefore I am."
------------------------------------------------------------------------
Date: Wed, 14 Apr 1999 18:01:07 -0400
From: Truman Boyes <[email protected]>
To: [email protected]
Subject: Re: aDSL routers
There are two levels of access on these units. Basic telnet access will
provide a limited command set. This would leave the user with the ability to
'ping', list system info, show processes, and list the routing table.
Another level, which provides more options and rights, is available
only by logging into the unit with a password from the command line
interface.
Like most routers on networks, access should be restricted with access
control lists. You can set this by using 'system addTelnetFilter' and
specifying an IP range.
Version Tested:
FlowPoint/2200 SDSL [ATM] Router
FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
.truman.boyes.
------------------------------------------------------------------------
Date: Wed, 14 Apr 1999 19:01:35 +0000
From: Brad Zimmerman <[email protected]>
To: [email protected]
Subject: aDSL routers
This is also true on USWest's Cisco 675. Password is (hit the enter
key)... However, as far as I know, all ISP's using Cisco 675's are set
into bridging mode, which doesn't allow any remote access to the Cisco
675, save the serial cable.
Older USWest equipment, the Netspeed 202 and 204, used a default user name
(root) and a default password of (hit the Enter key)...
For both routers, the Netspeed and Cisco, the default password/login is
listed right in the manual, for anyone to see.
In the future, I believe USWest intends to have customers set their Cisco
675's into routing mode. Or, at the very least, ISP's will begin supporting
PPP over Ethernet, which means the Cisco routers are set into routing mode,
which will make many thousand customers vulnerable due to unauthorized
remote access. I believe (but am not sure) that Verio has the ability to let
customers set their modems into routing mode (using PPP over Ethernet)...
USWest *has* detailed changes to the Cisco 675, noting its ability to do
PPP over Ethernet along with what is required at the ISP end to perform
PPP over Ethernet.
> Welp, aDSL is here. And at least one manufacturer, flowpoint, sets no
> admin password. It's in the documentation, so I assume the
> company already knows about this vulnerability:) System managers
> who have aDSL access often overlook this, so I thought I'd point it out.
> A quick fix: disable telnet access to all of your aDSL router IP's.
> Better fix: set an admin password.
Brad Zimmerman
http://fubar.europa.com
"Taking over the world, one computer at a time."
------------------------------------------------------------------------
Date: Wed, 14 Apr 1999 23:40:00 -0700
From: Philip Rakity <[email protected]>
To: [email protected]
Subject: Re: FlowPoint ADSL Reported Problem
David,
Let me start by saying that I only saw the note at the end of my e-mail.
Snip--
It contained the statement
> Welp, aDSL is here. And at least one manufacturer, flowpoint, sets no
> admin password. It's in the documentation, so I assume the
End Snip--
There is a universal default password. On this point we agree. However,
there is a password; and my response was related to the statement "sets no
admin password". Telnet and Console write access in the version of code
that you have requires that the password be entered. In release 3.0.2
onwards, Telnet and Console Read and Write access require the password be
entered. If the password is well known and NOT changed by the user there
is a security problem and on this point we agree.
In addition, we document, in our Quick Start book, that the user should
change the password as it is a security violation.
I also agree that we can do better and will look at your suggestions.
kind regards,
Philip Rakity
Vice President Product Development
FlowPoint Corporation
180 Knowles Drive
Suite 100
Los Gatos, CA 95030
USA
e-mail: [email protected]
phone: +1 (408) 364-8300
fax: +1 (408) 364-8301
On Wed, 14 Apr 1999, David Brumley wrote:
> >
> > Recently there was a note in the bug list (below) indicating that
> > FlowPoint Routers do not set an administration password. This statement
> > is false, but the vulnerability of the router to folks not changing the
> > default router password is well known.
>
> What's false about the statement? Is there or is there not either
> a. a universal password (say, admin) as some reported
> b. no password at all
> and full telnet access open by default?
>
> >
> > Our GUI asks the user to change the password.
>
> And suppose your GUI isn't supported on my OS?
>
> >
> > Release 3.0.2 onwards requires the user to enter the password
> > to access any information via the console or telnet.
> >
>
> [--snip--]
> Okay, here starts the recommendation for *admins*. This is exactly what I
> was pointing out. Thanks for giving examples.
>
> However, it has nothing to do with your product doing something bad in the
> first place. Out of the box I can control your router.
>
> Why don't you disable SNMP and telnet when a password isn't set like some
> router companies? Or perhaps have the default password unique to each
> machine...say the serial number and turn off SNMP completely? This would
> limit the threat to those with physical access, and considering where most
> aDSL's are found, i don't think it'd be a big problem. Half a dozen other
> possible solutions spring to mind. Offline I'd be happy to discuss them
> with you.
>
> Incident response teams all over have noted that users with cable modems
> have been targeted by some nefarious individuals. As aDSL moves into this
> market, naturally the kiddies will want to take advantage of it. This is
> the number one reason you, me, and every other aDSL user should be
> concerned.
>
> Cheers,
> -db
>
> > >
> > > -----Original Message-----
> > > From: David Brumley [SMTP:[email protected]]
> > > Sent: Tuesday, April 13, 1999 11:02 PM
> > > Subject: aDSL routers
> > >
> > > Welp, aDSL is here. And at least one manufacturer, flowpoint, sets no
> > > admin password. It's in the documentation, so I assume the
> > > company already knows about this vulnerability:) System managers
> > > who have aDSL access often overlook this, so I thought I'd point it out.
> > > A quick fix: disable telnet access to all of your aDSL router IP's.
> > > Better fix: set an admin password.
> > >
> > > Version tested:
> > > FlowPoint/2000 ADSL Router
> > > FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
> > > Software version v1.4.5 built Tue Aug 11 23:20:20 PDT 1998
> > >
> > > Cheers,
> > > -db
------------------------------------------------------------------------
Date: Wed, 14 Apr 1999 18:07:59 -0700
From: Philip Rakity <[email protected]>
To: [email protected]
Subject: FlowPoint ADSL Reported Problem
Recently there was a note in the bug list (below) indicating that
FlowPoint Routers do not set an administration password. This statement
is false, but the vulnerability of the router to folks not changing the
default router password is well known.
Our GUI asks the user to change the password.
Release 3.0.2 onwards requires the user to enter the password
to access any information via the console or telnet.
Access control to the router via telnet and snmp can be controlled via
access lists using the command
system addtelnetfilter <IP Addresses>
system addsnmpfilter <IP Addresses>
The SNMP Community name can be changed as well as the ports used to access
Telnet and SNMP. In addition, access to the router via SNMP and Telnet
can be turned off. The commands
system telnetport <Port No>
system snmpport <Port No>
A <Port No> of 0 stops access to the router.
In addition, an IP Filtering package similar to the Linux Firewall
capability is available as an option.
kind regards,
Philip Rakity
Vice President Product Development
FlowPoint Corporation
180 Knowles Drive
Suite 100
Los Gatos, CA 95030
USA
e-mail: [email protected]
phone: +1 (408) 364-8300
fax: +1 (408) 364-8301
>
> -----Original Message-----
> From: David Brumley [SMTP:[email protected]]
> Sent: Tuesday, April 13, 1999 11:02 PM
> Subject: aDSL routers
>
> Welp, aDSL is here. And at least one manufacturer, flowpoint, sets no
> admin password. It's in the documentation, so I assume the
> company already knows about this vulnerability:) System managers
> who have aDSL access often overlook this, so I thought I'd point it out.
> A quick fix: disable telnet access to all of your aDSL router IP's.
> Better fix: set an admin password.
>
> Version tested:
> FlowPoint/2000 ADSL Router
> FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
> Software version v1.4.5 built Tue Aug 11 23:20:20 PDT 1998
>
> Cheers,
> -db
>
------------------------------------------------------------------------
Date: Wed, 14 Apr 1999 20:33:41 -0700
From: David Brumley <[email protected]>
To: [email protected]
Subject: Re: FlowPoint ADSL Reported Problem
>
> Recently there was a note in the bug list (below) indicating that
> FlowPoint Routers do not set an administration password. This statement
> is false, but the vulnerability of the router to folks not changing the
> default router password is well known.
What's false about the statement? Is there or is there not either
a. a universal password (say, admin) as some reported
b. no password at all
and full telnet access open by default?
>
> Our GUI asks the user to change the password.
And suppose your GUI isn't supported on my OS?
>
> Release 3.0.2 onwards requires the user to enter the password
> to access any information via the console or telnet.
>
[--snip--]
Okay, here starts the recommendation for *admins*. This is exactly what I
was pointing out. Thanks for giving examples.
However, it has nothing to do with your product doing something bad in the
first place. Out of the box I can control your router.
Why don't you disable SNMP and telnet when a password isn't set like some
router companies? Or perhaps have the default password unique to each
machine...say the serial number and turn off SNMP completely? This would
limit the threat to those with physical access, and considering where most
aDSL's are found, i don't think it'd be a big problem. Half a dozen other
possible solutions spring to mind. Offline I'd be happy to discuss them
with you.
Incident response teams all over have noted that users with cable modems
have been targeted by some nefarious individuals. As aDSL moves into this
market, naturally the kiddies will want to take advantage of it. This is
the number one reason you, me, and every other aDSL user should be
concerned.
Cheers,
-db
> >
> > -----Original Message-----
> > From: David Brumley [SMTP:[email protected]]
> > Sent: Tuesday, April 13, 1999 11:02 PM
> > Subject: aDSL routers
> >
> > Welp, aDSL is here. And at least one manufacturer, flowpoint, sets no
> > admin password. It's in the documentation, so I assume the
> > company already knows about this vulnerability:) System managers
> > who have aDSL access often overlook this, so I thought I'd point it out.
> > A quick fix: disable telnet access to all of your aDSL router IP's.
> > Better fix: set an admin password.
> >
> > Version tested:
> > FlowPoint/2000 ADSL Router
> > FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
> > Software version v1.4.5 built Tue Aug 11 23:20:20 PDT 1998
> >
> > Cheers,
> > -db
> >
------------------------------------------------------------------------
Date: Wed, 14 Apr 1999 18:55:29 -0400
From: Chris Shenton <[email protected]>
To: [email protected]
Subject: Re: aDSL routers
On Tue, 13 Apr 1999 23:01:50 -0700, David Brumley <[email protected]> said:
David> And at least one manufacturer, flowpoint, sets no admin
David> password. It's in the documentation, so I assume the company
David> already knows about this vulnerability:) System managers who
David> have aDSL access often overlook this, so I thought I'd point it
David> out. A quick fix: disable telnet access to all of your aDSL
David> router IP's. Better fix: set an admin password.
I have a couple other concerns on my 2200 (firmware 3.0.2).
My carrier, Covad, did set a password but it's too easy. You can
restrict IP access to telnet like:
system addTelnetFilter first.host.ip.addr [last.host.ip.addr]
You should also do this for SNMP since it's available to the world
with community "public":
system addSNMPFilter first.host.ip.addr [last.host.ip.addr]
I restrict these to my LAN.
Have you tried an nmap scan on it? It reports "trivial joke" for TCP
sequence predictability. Should allow bad guys to hijack sessions.
Doubleplusungood. I've gotten no feedback from comp.dcom.xdsl or
[email protected].
If anyone has clues to protect this I'd like to hear 'em but I fear
it'll require new code and firmware from Flowpoint and they're not
being responsive.
------------------------------------------------------------------------
Date: Wed, 14 Apr 1999 11:40:10 -0700
From: Derek Vadala <[email protected]>
To: [email protected]
Subject: Re: aDSL routers
On Tue, 13 Apr 1999, David Brumley wrote:
> Welp, aDSL is here. And at least one manufacturer, flowpoint, sets no
> admin password. It's in the documentation, so I assume the
> company already knows about this vulnerability:) System managers
> who have aDSL access often overlook this, so I thought I'd point it out.
> A quick fix: disable telnet access to all of your aDSL router IP's.
> Better fix: set an admin password.
>
> Version tested:
> FlowPoint/2000 ADSL Router
> FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
> Software version v1.4.5 built Tue Aug 11 23:20:20 PDT 1998
>
Newer versions set password to "admin" by default. Since these routers are
sold through resellers (ISPs, etc..), they are not always identical when
they hit an end-user. Some resellers might change default passwords, some
may not.
In any case, this was discussed here last August, which ironically is the
period your build comes from. Changes have been made since then, including
implementation of a telnet password which must be entered before getting
the prompt and using the admin password (enable for IOS folks).
Unfortunately I don't know if the telnet password is set by default since
I went through an upgrade and not an out-of-box config.
The main problem I've had in dealing with FlowPoint security issues, of
which there are many, is the lack of information on their web site and the
nearly impossible task of getting a hold of their engineers. The software
releases and utilities can be found at ftp://ftp.systemv.com/pub/flopoint
I had to spend many hours tracking down a person for this info and I'm not
sure why they don't have a link on their home page. Don't expect too much
documentation on the ftp server, but at least you can grab a newer
revision of the software and settle some of these issues. Dropping telnet
access to the FP routers is probably a good idea regardless, though it's
not always an option.
+++ath
Derek Vadala, [email protected], http://www.cynicism.com/~derek
------------------------------------------------------------------------
Date: Thu, 15 Apr 1999 15:07:20 -0400
From: Chris Shenton <[email protected]>
To: [email protected]
Subject: Re: FlowPoint ADSL Reported Problem
I appreciate someone from Flowpoint joining this discussion; thanks.
Are there any plans to improve the TCP sequence predictability
problems? I can do something about the telnet/snmp access through the
CLI (and have), but I don't see any way to prevent sequence
exploits. I'm running 3.0.2.
Many thanks.
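
What a poor sequence-predictability rating reflects, as raised in Chris Shenton's two messages above. This is an added example, not part of the original thread and not nmap's own algorithm: a simplified gauge of how many next-ISN values remain plausible after sampling a device's TCP initial sequence numbers. The sample values, the function names and the 24-bit threshold are assumptions made for illustration; real samples would come from SYN-ACKs captured from your own router.

```python
# Added example (not from the thread, not nmap's algorithm): a simplified
# gauge of TCP initial sequence number (ISN) predictability.
import math
import random

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def guess_space_bits(isns):
    """log2 of the window of next-ISN values consistent with the samples.

    0 bits means every step was identical, so the next ISN is fully
    determined; about 32 bits is what a random generator gives.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    # Read deltas as signed so jitter around a wrap does not look huge.
    signed = [d - MOD if d >= MOD // 2 else d for d in deltas]
    return math.log2(max(signed) - min(signed) + 1)


def is_predictable(isns, min_bits=24):
    """min_bits is an assumed policy threshold, not a standard value."""
    return guess_space_bits(isns) < min_bits


# Constructed samples: a fixed-increment generator that wraps past 2**32,
# and a seeded random generator standing in for a well-behaved stack.
FIXED_STEP = [(4294900000 + 64000 * i) % MOD for i in range(8)]
_rng = random.Random(1999)
RANDOMISED = [_rng.randrange(MOD) for _ in range(20)]

if __name__ == "__main__":
    for name, sample in (("fixed step", FIXED_STEP), ("random", RANDOMISED)):
        print(f"{name}: {guess_space_bits(sample):.1f} bits, "
              f"predictable={is_predictable(sample)}")
```

A device that scores near 0 bits cannot be fixed with access filters alone, which matches the concern in the messages that the remedy has to come from new firmware.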