Re: FlowPoint DSL router vulnerability

1999-08-13 Thread Chris J Burris

Verified using tcpdump, the flowpoint configuration manager indeed does
use SNMP to communicate, hence the simple solution would be to turn off
SNMP [And telnet] (you shouldn't be running this if you don't need to
anyway).

Although it does discourage me that even after I flashed my router to
v3.0.8, the login prompt [for Telnet] does not disconnect me after a
certain number of retries (3, like Cisco IOS, would be a decent number).

Regards,

Chris J Burris
IntraACTIVE, Inc.
http://www.intraactive.com/
+1 202 822 3999

On Tue, 10 Aug 1999, Scott Drassinower wrote:

 Brute force, as it is not likely you will know what the number is without
 physical access to the router.

 If you were to block telnet and snmp access to the router, then you
 probably would only have to worry about access via the console port.  I
 think that FlowPoint's graphical admin tools use snmp, but if they don't,
 you'll have to figure out how to block those as well.

 --
  Scott M. Drassinower [EMAIL PROTECTED]
  Cloud 9 Consulting, Inc.  White Plains, NY
  +1 914 696-4000  http://www.cloud9.net

 On Tue, 10 Aug 1999, Eric Budke wrote:

  At 12:07 PM 8/7/99 -0400, Scott Drassinower wrote:
  It involves a bug that allows a password recovery feature to be utilized
  from the LAN or WAN instead of just the serial console port.
  
  Basically, throwing enough 6 digit numbers at a pre-3.0.8 router will
  allow you to get access to the box to do whatever you want.  It appears as
  if the problem started in 3.0.4, but I am not totally certain about that.
 
  So the vulnerability is essentially a brute force against telnet/snmp?
  Assuming you filter those out, is there another way of accessing?
 
  --
   Scott M. Drassinower [EMAIL PROTECTED]
   Cloud 9 Consulting, Inc.  White Plains, NY
   +1 914 696-4000  http://www.cloud9.net
  
  On Thu, 5 Aug 1999, Matt wrote:
  
The following URL contains information about a firmware upgrade for
FlowPoint DSL routers that fixes a possible "security compromise".
FlowPoint has chosen not to release ANY information whatsoever about the
vulnerability. I was curious if anyone had any more information
about this vulnerability than what FlowPoint is divulging.
   
http://www.flowpoint.com/support/techbulletin/sec308.htm
   
thnx
   
--
I'm not nice, I'm vicious--it's the secret of my charm.
   
 
  --
  PGP Key can be found at http://www.panix.com/~budke/pgp/budke_budke_com.txt
 




Re: FlowPoint DSL router vulnerability

1999-08-13 Thread shusaku

solution to this 'vulnerability'?

...first
addTelnetFilter xxx.xxx.xxx.xx1 xxx.xxx.xxx.xxL
...then
addSMTPFilter xxx.xxx.xxx.xx1 xxx.xxx.xxx.xxL

-where ...1 is the starting IP of your LAN
-and ...L is the LAST address locally - no public access?

At 07:19 AM 8/10/99 -0400, you wrote:
At 12:07 PM 8/7/99 -0400, Scott Drassinower wrote:
It involves a bug that allows a password recovery feature to be utilized
from the LAN or WAN instead of just the serial console port.

Basically, throwing enough 6 digit numbers at a pre-3.0.8 router will
allow you to get access to the box to do whatever you want.  It appears as
if the problem started in 3.0.4, but I am not totally certain about that.

So the vulnerability is essentially a brute force against telnet/snmp?
Assuming you filter those out, is there another way of accessing?

--
  Scott M. Drassinower [EMAIL PROTECTED]
  Cloud 9 Consulting, Inc.  White Plains, NY
  +1 914 696-4000  http://www.cloud9.net

On Thu, 5 Aug 1999, Matt wrote:

  The following URL contains information about a firmware upgrade for
  FlowPoint DSL routers that fixes a possible "security compromise".
  FlowPoint has chosen not to release ANY information whatsoever about the
  vulnerability. I was curious if anyone had any more information
  about this vulnerability than what FlowPoint is divulging.
 
  http://www.flowpoint.com/support/techbulletin/sec308.htm
 
  thnx
 
  --
  I'm not nice, I'm vicious--it's the secret of my charm.
 

--
PGP Key can be found at http://www.panix.com/~budke/pgp/budke_budke_com.txt




Re: FlowPoint DSL router vulnerability

1999-08-12 Thread Peter Radcliffe

Scott Drassinower [EMAIL PROTECTED] probably said:
 Brute force, as it is not likely you will know what the number is without
 physical access to the router.

You can find out the serial number from the firmware, so if you have
a legitimate connection to the router you could later (with the ability
to enable the password recovery feature) get access back.

 If you were to block telnet and snmp access to the router, then you
 probably would only have to worry about access via the console port.  I
 think that FlowPoint's graphical admin tools use snmp, but if they don't,
 you'll have to figure out how to block those as well.

You can turn off SNMP and/or telnet or only allow either from specific
hosts, which is explained in the CLI manual (I don't use the GUI but it
is presumably explained there too - the manuals seem quite good about
saying you need to set/change passwords and turn things off).

  At 12:07 PM 8/7/99 -0400, Scott Drassinower wrote:
  It involves a bug that allows a password recovery feature to be utilized
  from the LAN or WAN instead of just the serial console port.

At least on my (fairly recent) flowpoint the password recovery feature
is only usable after pressing a recessed button on the back of the unit
and then only for 10 minutes.  A reasonable compromise between requiring
physical access and not taking the router out of service, I thought.

  Basically, throwing enough 6 digit numbers at a pre-3.0.8 router will
  allow you to get access to the box to do whatever you want.  It appears as
  if the problem started in 3.0.4, but I am not totally certain about that.

  So the vulnerability is essentially a brute force against telnet/snmp?
  Assuming you filter those out, is there another way of accessing?

The 6 digit serial number for a password is only in use if you enable
the password recovery feature (when I first found out about the
recovery feature I tested the serial number as a password normally and
it didn't allow access), so even if you have telnet access it isn't
usually enabled.  Even without the firewall feature set (which costs
more) you can decide which hosts can access telnet or SNMP.

Doesn't seem like much of a vulnerability, so I'd guess there's more to it
than that or it was only a problem on the older hardware.

P.

--
pir   [EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
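
The two mitigations raised in this thread, a login prompt that disconnects after 3 failed tries and restricting telnet/SNMP to specific hosts, can be modelled together. This is an added example, not code from any poster or from FlowPoint; the addresses, the 300-second lockout and the one-guess-per-second rate are assumptions chosen for illustration.

```python
import ipaddress

KEYSPACE = 10 ** 6  # six-digit recovery number, as described in the thread


class LoginGuard:
    """Source allowlist, retry limit and lockout for a management login."""
    def __init__(self, allowed_nets, max_retries=3, lockout_s=300):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_nets]
        self.max_retries = max_retries  # 3, the figure suggested in the thread
        self.lockout_s = lockout_s      # assumed value, not from the thread
        self.failures = {}              # source -> consecutive failures
        self.locked_until = {}          # source -> time the lockout ends

    def attempt(self, src, ok, now):
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in self.allowed):
            return "refused"            # filtered before any prompt is shown
        if now < self.locked_until.get(src, 0):
            return "locked"
        if ok:
            self.failures.pop(src, None)
            return "accepted"
        self.failures[src] = self.failures.get(src, 0) + 1
        if self.failures[src] >= self.max_retries:
            self.failures[src] = 0
            self.locked_until[src] = now + self.lockout_s
            return "disconnect"
        return "retry"

    def worst_case_days(self, seconds_per_guess=1.0):
        """Days for one allowed source to try all of KEYSPACE (assumed rate)."""
        rounds = KEYSPACE / self.max_retries
        return (KEYSPACE * seconds_per_guess + rounds * self.lockout_s) / 86400


# Constructed events: (source address, password correct?, time in seconds).
EVENTS = [("192.168.254.10", False, 0), ("192.168.254.10", False, 1),
          ("192.168.254.10", False, 2), ("192.168.254.10", True, 3),
          ("203.0.113.7", True, 4), ("192.168.254.10", True, 400)]


def replay(guard, events):
    return [guard.attempt(src, ok, now) for src, ok, now in events]


if __name__ == "__main__":
    guard = LoginGuard(["192.168.254.0/24"])
    print(replay(guard, EVENTS))
    print(round(guard.worst_case_days(), 1), "days with lockout")
```

With no lockout the same model gives under 12 days to cover the whole six-digit space at the assumed rate, which is why the missing disconnect matters even on patched firmware.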



Re: FlowPoint DSL router vulnerability

1999-08-10 Thread Scott Drassinower

Brute force, as it is not likely you will know what the number is without
physical access to the router.

If you were to block telnet and snmp access to the router, then you
probably would only have to worry about access via the console port.  I
think that FlowPoint's graphical admin tools use snmp, but if they don't,
you'll have to figure out how to block those as well.

--
 Scott M. Drassinower [EMAIL PROTECTED]
 Cloud 9 Consulting, Inc.  White Plains, NY
 +1 914 696-4000  http://www.cloud9.net

On Tue, 10 Aug 1999, Eric Budke wrote:

 At 12:07 PM 8/7/99 -0400, Scott Drassinower wrote:
 It involves a bug that allows a password recovery feature to be utilized
 from the LAN or WAN instead of just the serial console port.
 
 Basically, throwing enough 6 digit numbers at a pre-3.0.8 router will
 allow you to get access to the box to do whatever you want.  It appears as
 if the problem started in 3.0.4, but I am not totally certain about that.

 So the vulnerability is essentially a brute force against telnet/snmp?
 Assuming you filter those out, is there another way of accessing?

 --
   Scott M. Drassinower [EMAIL PROTECTED]
   Cloud 9 Consulting, Inc.  White Plains, NY
   +1 914 696-4000  http://www.cloud9.net
 
 On Thu, 5 Aug 1999, Matt wrote:
 
   The following URL contains information about a firmware upgrade for
   FlowPoint DSL routers that fixes a possible "security compromise".
   FlowPoint has chosen not to release ANY information whatsoever about the
   vulnerability. I was curious if anyone had any more information
   about this vulnerability than what FlowPoint is divulging.
  
   http://www.flowpoint.com/support/techbulletin/sec308.htm
  
   thnx
  
   --
   I'm not nice, I'm vicious--it's the secret of my charm.
  

 --
 PGP Key can be found at http://www.panix.com/~budke/pgp/budke_budke_com.txt




Re: FlowPoint DSL router vulnerability

1999-08-10 Thread Eric Budke

At 12:07 PM 8/7/99 -0400, Scott Drassinower wrote:
It involves a bug that allows a password recovery feature to be utilized
from the LAN or WAN instead of just the serial console port.

Basically, throwing enough 6 digit numbers at a pre-3.0.8 router will
allow you to get access to the box to do whatever you want.  It appears as
if the problem started in 3.0.4, but I am not totally certain about that.

So the vulnerability is essentially a brute force against telnet/snmp?
Assuming you filter those out, is there another way of accessing?

--
  Scott M. Drassinower [EMAIL PROTECTED]
  Cloud 9 Consulting, Inc.  White Plains, NY
  +1 914 696-4000  http://www.cloud9.net

On Thu, 5 Aug 1999, Matt wrote:

  The following URL contains information about a firmware upgrade for
  FlowPoint DSL routers that fixes a possible "security compromise".
  FlowPoint has chosen not to release ANY information whatsoever about the
  vulnerability. I was curious if anyone had any more information
  about this vulnerability than what FlowPoint is divulging.
 
  http://www.flowpoint.com/support/techbulletin/sec308.htm
 
  thnx
 
  --
  I'm not nice, I'm vicious--it's the secret of my charm.
 

--
PGP Key can be found at http://www.panix.com/~budke/pgp/budke_budke_com.txt



Re: FlowPoint DSL router vulnerability

1999-08-09 Thread Scott Drassinower

It involves a bug that allows a password recovery feature to be utilized
from the LAN or WAN instead of just the serial console port.

Basically, throwing enough 6 digit numbers at a pre-3.0.8 router will
allow you to get access to the box to do whatever you want.  It appears as
if the problem started in 3.0.4, but I am not totally certain about that.

--
 Scott M. Drassinower [EMAIL PROTECTED]
 Cloud 9 Consulting, Inc.  White Plains, NY
 +1 914 696-4000  http://www.cloud9.net

On Thu, 5 Aug 1999, Matt wrote:

 The following URL contains information about a firmware upgrade for
 FlowPoint DSL routers that fixes a possible "security compromise".
 FlowPoint has chosen not to release ANY information whatsoever about the
 vulnerability. I was curious if anyone had any more information
 about this vulnerability than what FlowPoint is divulging.

 http://www.flowpoint.com/support/techbulletin/sec308.htm

 thnx

 --
 I'm not nice, I'm vicious--it's the secret of my charm.