I have come across what seems to be a security problem in CBOS 2.4.2
(perhaps 2.4.1 also?), and I would like some verification before I get too
excited about it. The problem relates to the serial port idle timeout, and
may similarly affect the telnet timeout; this I haven't tested.

Problem: When the serial port session timeout is set to 300 seconds (5
minutes), which appears to have been the default on my 675 since CBOS
2.0.X, the serial port session NEVER times out. If you count on serial
timeout to re-secure the serial console, you have a security issue.

How I discovered this: I logged onto my 675 serial console today, and was
not prompted for a password. It was still in 'enable' mode (#) from my
last session, the one which I began immediately after upgrading from CBOS
2.4.1 to CBOS 2.4.2. I never noticed this behavior with any CBOS prior to
2.4.2, but that doesn't mean it's not there. 

Temporary workaround: I found that setting the serial port timeout to 100
(1 minute, 40 seconds) allows the serial console to time out normally. I am
not sure at which setting above 100 the timeout begins to fail. Logging
out with 'exit' or 'quit' will also re-secure the console.

Can a few of you with a 675 -AND- CBOS 2.4.2 please check the following:

1) That your serial console timeout is set to 300 seconds by default
(cbos# show serial)

2) That when set for 300 seconds, the serial console never times out (or,
at least doesn't time out in 300 seconds (5 minutes))

3) That when set to 100 seconds or less, the serial console times out
correctly.
(cbos# set serial timeout 100)

Thanks,

                           -.bill.layer.-
                          
-.those who are talking don't know, and those who know aren't talking.-

           -.frogtown.-     -.minnesota.-      -.u.s.a.-
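The three checks above, automated as an added example that is not part of the original post or of CBOS. It sets the serial idle timeout with the `set serial timeout N` command quoted in the post, stays idle for the timeout plus a margin, then sends a bare carriage return and classifies what comes back. The only prompt the post shows is `cbos#` (enable mode, marked by `#`); the user-mode prompt `cbos>`, the password prompt text, the 9600 8N1 serial settings and the `FakeConsole` stand-in are assumptions of this example, and pyserial is only imported when a real port is given.

```python
"""Probe whether a console session really expires after its idle timeout.

Added example, not from the original post. Works against any transport
with write(bytes) and read(n) -> bytes that returns b"" when nothing is
pending (pyserial's serial.Serial with a read timeout behaves this way).
"""
import re
import time

# Prompt patterns are assumptions: the post shows "cbos#" and says "#" marks
# enable mode; the user-mode and password prompts are guessed.
PRIV_PROMPT = re.compile(rb"cbos#$")
USER_PROMPT = re.compile(rb"cbos>$")
PASSWORD_PROMPT = re.compile(rb"[Pp]assword[^\r\n]*$")


def classify(response: bytes) -> str:
    """Classify what the console answered to a bare carriage return."""
    tail = response.rstrip(b"\r\n ")
    if PRIV_PROMPT.search(tail):
        return "open-enable"      # still in enable mode: timeout did not fire
    if USER_PROMPT.search(tail):
        return "open-user"        # logged in but not privileged
    if PASSWORD_PROMPT.search(tail):
        return "locked"           # console re-secured, password required
    return "unknown"


def drain(transport, settle=0.5, sleep=time.sleep) -> bytes:
    """Read everything the device has buffered after a short settle time."""
    sleep(settle)
    chunks = []
    while True:
        chunk = transport.read(4096)
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks)


def probe_idle_timeout(transport, timeout_seconds, grace=60, sleep=time.sleep) -> dict:
    """Set the serial idle timeout, stay idle past it, then poke the console.

    The transport must already be sitting at an enable-mode prompt. Returns
    the timeout tried, the console state afterwards, and whether it locked.
    """
    transport.write(b"set serial timeout %d\r" % timeout_seconds)  # command from the post
    drain(transport, sleep=sleep)
    sleep(timeout_seconds + grace)   # idle period: the timeout plus a safety margin
    transport.write(b"\r")
    state = classify(drain(transport, sleep=sleep))
    return {"timeout": timeout_seconds, "state": state, "expired": state == "locked"}


class FakeConsole:
    """Constructed stand-in for a device so the probe runs offline.

    It answers every bare carriage return with a fixed reply, which lets you
    model a console that never locks (reply "cbos# ") or one that does.
    """

    def __init__(self, reply: bytes):
        self.reply = reply
        self.writes = []
        self._pending = b""

    def write(self, data: bytes) -> None:
        self.writes.append(data)
        self._pending = self.reply if data == b"\r" else b""

    def read(self, n: int) -> bytes:
        out, self._pending = self._pending[:n], self._pending[n:]
        return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                      # e.g. probe.py /dev/ttyS0 300
        import serial                           # pyserial; read() returns b"" on timeout
        port = serial.Serial(sys.argv[1], 9600, timeout=1)  # assumption: 9600 8N1
        print(probe_idle_timeout(port, int(sys.argv[2])))
    else:                                       # offline demo with the constructed fake
        never_locks = FakeConsole(b"\r\ncbos# ")
        print(probe_idle_timeout(never_locks, 300, sleep=lambda s: None))
```

Run it once with 300 and once with 100 against a device that starts at the enable prompt; a `"state": "open-enable"` result for 300 reproduces the behaviour described in the post, and you will need to re-enter the enable password by hand between runs whenever the console does lock. The `grace` margin matters: a console that locks at 300 seconds but is poked at 301 can look broken simply because the device's clock and yours disagree.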