Bugtraq archives for 2nd quarter (Apr-Jun) 1998: Re: Bay Networks Security Hole

Re: Bay Networks Security Hole

Berislav Todorovic (BERIETF.BG.AC.YU)
Fri, 15 May 1998 19:53:00 +0100

Kirby Dolak wrote:

>> 2. Bay recommends that both accounts (User and Manager) have passwords
>> assigned. Both have default/null passwords as they ship from the factory,
>> just like a Unix system.  The administrator should immediately take
>> measures to secure the system, at initial system install, so that an
>> unauthenticated user/manager doesn't have
>> access to device management information, such as the community names and
>> addresses via telnet/console.

Gert Doering wrote:

>> I like the way Cisco approaches this issue.
>> And if you are logged in to an unprivileged account, you cannot become
>> superuser unless you have already set the enable password from the console.
>>
>> This is VERY good.
>>
>> No need to "recommend" anything, it's just "secure out of the box".  If
>> you neglect to configure the password, it just isn't accessible at all
>> (except from the physical console).

Sounds reasonable to me to apply a good password on the User/Manager accounts and
thus secure the box. I'm wondering, however, what the real raison d'etre
of two privilege levels is, if I can obtain more privileged information from
a higher-privileged level. The basic function of a non-privileged level is
to give it to the remote support officer, ISP engineer or to a responsible
person from the network peering with my network, according to the ripe-037
document.

Well, I also wouldn't like to recommend anything, but here are the facts:
Cisco IOS gives the possibility to define up to 16 different privilege
levels, with strictly defined rights. IOS, further, allows one to define a
restricted set of commands which may be executed from each privilege
level. I can, thus, give this type of access to the peering ISP personnel
for the purpose of monitoring without any fear ... At last - try to telnet
to route-views.oregon-ix.net - a Cisco box with public access! No password!

Now, what to do with a Bay box, located in the middle of a network? Sit and
cry! When your peer ISP asks you to take a look at your router config,
you'll have to log into it yourself and read them (oops, sorry - not to
"log in" - you'll have to start a "user-friendly" SNMP client, drink a
coffee until it brings itself up completely, then click, click, click ...).

I can talk about fun with Bay routers for hours, but that's another story.

Best regards,
Beri

.-------.
| --+-- |  Berislav Todorovic, B.Sc.E.E.     | E-mail: BERIetf.bg.ac.yu
|  /|\     Hostmaster of the YU TLD          |
|-(-+-)-|  School of Electrical Engineering  | Phone:  (+381-11) 3221-419
|  \|/     Bulevar Revolucije 73             |                   3370-106
| --+-- |  11000 Belgrade SERBIA, YUGOSLAVIA | Fax:    (+381-11) 3248-681
`-------' --------------------------------------------------------------------
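The IOS privilege-level mechanism Beri describes above, shown as an added configuration example that is not part of the original post or of any vendor documentation. It carves out a monitoring-only level for a peer ISP's NOC: the commands moved to level 5 run without the administrator secret, everything not listed stays at level 15 and is invisible from the restricted login. The level number 5, the command list, the account name peer-noc and the REPLACE-WITH-... secrets are assumptions and placeholders, not values from the post.

```cisco
! Added example, not from the post: a monitoring-only privilege level
! for a peer ISP's NOC on Cisco IOS. Level number, command list,
! username and REPLACE-WITH-... secrets are placeholders/assumptions.

! A separate secret per level: 15 is the full administrator,
! 5 is the restricted monitoring level built below.
enable secret level 15 REPLACE-WITH-ADMIN-SECRET
enable secret level 5 REPLACE-WITH-MONITOR-SECRET

! Move only the commands the peer needs down to level 5. Anything not
! listed (configure terminal, clear, reload, write ...) keeps its
! default level and is not offered to a level-5 user at all.
! Sub-keywords are listed individually here; later IOS releases also
! accept "privilege exec all level 5 show ip bgp" to cover them at once.
privilege exec level 5 show ip bgp
privilege exec level 5 show ip bgp summary
privilege exec level 5 show ip route
privilege exec level 5 show interfaces
privilege exec level 5 show logging

! A dedicated account that lands directly at level 5, so the peer
! never needs to know, or guess, the level-15 enable secret.
username peer-noc privilege 5 secret REPLACE-WITH-PEER-SECRET

! Require the local user database on the virtual terminals: with no
! username configured the vty lines refuse remote logins instead of
! falling through to an unauthenticated prompt.
line vty 0 4
 login local
 exec-timeout 10 0
```

After logging in as peer-noc, `show privilege` reports level 5 and `show ip bgp summary` works, while `configure terminal` is rejected as an unrecognised command rather than prompting for a password; checking both from the peer's account is the quickest way to verify the level was cut where intended.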