lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 21 Jun 2005 03:41:25 +0200 (CEST)
From: Jacek Lipkowski <sq5bpf@...ra.com.pl>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Undocumented account vulnerability in Enterasys
 Vertical Horizon switches


1. Problem Description

An undocumented account with a default password exists, additionally guest 
users can DoS the switch.

2. Tested systems

The following versions were tested and found vulnerable:

Vertical Horizon VH-2402S with firmware 02.05.00
Vertical Horizon VH-2402S with firmware 02.05.09.07

All publically software versions before 2.05.09.08 are assumed to be 
vulnerable. Additionally firmware for other Vertical Horizon switches has 
been released on similar dates and according to the release notes the 
vulnerability might be also present there.

3. Details

The undocumented account is user tiger with password tiger123

Additionally there are some debug commands available to all users after 
pressing ctrl-f, ctrl-b, ctrl-g or ctrl-l when logged in via the serial 
console or telnet. The write commands available after pressing ctrl-g 
can be harmful to the switch - allowing any valid user including 
guest user to remotely disable the switch.

4. Recommendations

As always it is good administrative practice to block access to 
administrative interfaces (telnet, web, snmp) at the firewall. Upgrading 
to firmware version 02.05.09.08 solves both problems: the undocumented
account is removed and the debug commands are only avaliable to users
with administrative privlidges.


5. Vendor status

Enterasys was informed on Mar 8 2005. The vendor responded on Mar 10 2005. 
The fixed software is available from the Enterasys 
support site http://www.enterasys.com/download/download.cgi?lib=vh
since June 16 2005. Unfortunately the vendor doesn't want to follow the
route of responsible full disclosure by not giving the researcher 
proper credit.

6. Disclaimer

Neither I nor my employer is responsible for the use or misuse of
information in this advisory.  The opinions expressed are my own and not
of any company.  Any use of the information is at the user's own risk.


Jacek Lipkowski
sq5bpf at andra com pl

Andra Co. Ltd.
ul Pryzmaty 6/8
02-226 Warsaw, Poland
http://www.andra.com.pl

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ