Bugtraq mailing list archives

Re: Bay Networks Security Hole
From: Kirby_Dolak () BAYNETWORKS COM (Kirby Dolak)
Date: Thu, 14 May 1998 11:06:00 -0400

Marty, Thanks for your posting. I wanted to clarify a few of the points that
you made.  Most of the items are covered in standard Bay Router
Admin/Install doc and are reinforced in router admin customer training.

1. To address security concerns, Bay has documented in the 'Quick Starting
Routers' manual,  that users initially configure the router using the Bay
Console (BCC).  Using the BCC requires the authorized user to consciously
all access related services. The BCC also provides the ability to define
policies for IP related protocols such as Telnet, FTP, TFTP, NTP, and SNMP.
BCC has been available for the Bay Networks Access Node router since BayRS

2. Bay recommends that both accounts (User and Manager) have passwords
assigned. Both have default/null passwords as they ship from the factory,
just like a Unix system.  The administrator should immediately take
measures to secure the system, at initial system install, so that an
unauthenticated user/manager doesn't have access to device management
information, such as the community names and via telnet/console.

3.  As stated in your email Marty, the User account can access the
community name and its defined IP address.

        -Assuming that a User/hacker uses the community name and spoofs the
        associated IP address, that user could use Bay Networks Site Manager to
        change IP filters or the device's configuration.

        -A User or any SNMP Management Appl cannot edit the routing tables
        as they are learned and are read-only entries within the Bay MIB.

        -Due to the Bay specific method for instrumenting IP filters in the
        router, it would require a fair amount of reverse engineering to change
        the filters from the Technicians Interface, and this would also require
        an authenticated Manager account, not a User login.

        -Bay does provide as part of Site Manager and the BayRS, a proprietary
        security mode that can be enabled to prevent any unauthenticated SNMP
        manager from accessing the router and performing SNMP SETs.

        -To prevent the initial access to the router via Telnet, it is recommended
        that Telnet be disabled, or as previously mentioned, the initial
        can define specific IP access policies that enforce what addresses can be
        used for Telnet access or any other IP Global services like FTP, etc.

4. Bay does acknowledge that 'displaying' information on community names, etc.
can provide additional information to a hacker.  For this reason Bay has
already made changes to restrict access to the community strings and designed
new applications such as the Router Embedded Web Server from allowing a User
account access to this SNMP information.

Kirby Dolak
Product Manager, Routing Products
Bay Networks, Inc.
kdolak () baynetworks com
