Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 4th quarter (Oct-Dec) 1998: Re: [In]security in USR TotalSwitch

Re: [In]security in USR TotalSwitch

Lou Anschuetz (louZAPHOD.ECE.CMU.EDU)
Mon, 21 Dec 1998 09:39:22 -0500

> I searched the archives, with no luck finding anything about this.
> Recently a bunch of USR TotalSwitch (chassis which takes 5 cards, 10 / 100 /
> fddi / whatever, and a network management card) units went up for auction,
> and I know a lot of people purchased them, hence my concern.
> The switch is managable via snmp, telnet or a console port.  Using the
> management features, you can disable / enable certain ports, configure IP
> routes and such.  The management software allows you to set a password to
> access the switch (either by telnet or the console).
> Of course, there is a back-door so techs could reset or debug the unit if
> they didn't have the password.  Unfortunately, this backdoor is not limited
> to the console port like it should be.  It is possible to telnet to the
> switch, enter a "secret code" (which is readily available, for everyone's
> sake I won't give it out here) and do a memory dump to see the plaintext
> password.
> Solution:  3COM - limit this functionality to the console port ONLY.
> End-user - add an access list to filter telnet to your switch's IP address
> from outside your network.
> P.S. If anyone knows where to get the 100btx cards for this thing, please
> e-mail me!
> Reguards,
3COM did put out a patch for this, though it was rather quietly -
it also effects all CoreBuilder switches. Fortunately, I only buy
un-managed 3COM stuff. Everything that is a switch (or above) is

Lou Anschuetz, louece.cmu.edu
Network Manager, ECE, Carnegie Mellon University