Ascend Archive

(ASCEND) Ascend Router SNMP Security Issues [Q]




Basically, the SNMP security issue is that some users leave the default
Ascend read/write password set to public and write?   Is that correct?

Or, is there another danger that I'm missing out on here...?  

Does SNMP Read access allow the user access to the "sysConfigTftp" option?  

Or, is that an SNMP write function?

Thanks in advance...



At 01:51 PM 3/16/98 -0700, Secure Networks Inc. wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
><snip>
>DESCRIPTION of SNMP SECURITY ISSUE
>
>Ascend routers are manageable by the SNMP protocol. Ascend's SNMP support
>includes the ability to read and write MIB variables. Ascend's SNMP system
>is protected by the SNMP community definitions, which act as passwords for
>SNMP access. By default, the SNMP "read" password is "public", and the
>SNMP "write" password is "write". An attacker that can guess the SNMP
>"read" community can read arbitrary MIB variables, and an attacker that
>can guess the "write" community can set arbitrary MIB variables to new
>values.
>
>Ascend provides a vendor-specific extension MIB. This MIB includes
>variables specific to Ascend equipment. Among these variables is a group
>of settings called "sysConfigTftp", which allow the configuration of the
>router to be manipulated via the TFTP protocol. By writing to these
>variables with SNMP "set" messages, an attacker can download the entire
>configuration of the Ascend router.
>
>The full configuration of an Ascend router includes the telnet password
>(knowledge of which allows an attacker to gain telnet access to the Ascend
>menu interface), all the enhanced access passwords (allowing an attacker
>to reconfigure the router from the menu interface), network protocol
>authentication keys (including RADIUS and OSPF keys), usernames and
>passwords for incoming connections, and usernames, passwords, and dial-up
>phone numbers for outgoing connections. All of this information is in
>plaintext. 
>
>An attacker with full access to an Ascend router can also use it to
>"sniff" the networks it is attached to. Ascend routers have an extensive
>(and largely undocumented) debugging interface; functions are included in
>this interface to obtain hexadecimal dumps of raw Ethernet, ISDN, DS1, and
>modem traffic. 
>
>------------------------------------------------------------------------------
>
>VULNERABLE SYSTEMS
>
>These issues are known to be relevant to Ascend Pipeline and MAX
>networking equipment. These vulnerabilities have been confirmed in
>Ascend's operating system at version 5.0Ap42 (MAX) and 5.0A (Pipeline).
>
>Ascend's 6.0 operating system disables SNMP "write" access by default.
>Previous versions of the software enable SNMP "write" access with a
>default community of "write". 
>
>------------------------------------------------------------------------------
>
>RESOLUTION
>
>The denial-of-service issue detailed in this advisory is due to an
>implementation flaw in Ascend's software. While no immediate fix is
>available, it is possible to work around this problem by filtering out
>packets to the UDP discard port (9). 
>
>Because SNMP "write" access on an Ascend router is equivalent to complete
>administrative access, it is very important that the community chosen is
>hard to guess. Deployed Ascend equipment should be checked to ensure that
>default (or easily guessed) communities are not in use. 
>
>The SNMP configuration of an Ascend router is available through the
>menuing system, as "Ethernet...Mod Config...SNMP Options...".
>
>------------------------------------------------------------------------------
>
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
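
Added example, not part of the original post or of the quoted advisory: a small Python decoder that reads the community string and PDU type from an SNMPv1 datagram, so monitoring can tell read requests from the "set" messages the advisory describes and flag the default communities "public" and "write". The function names, finding labels and sample payloads (including the community "n0c-ro") are constructed for illustration; SNMPv1 carries the community in cleartext, which is why a passive decoder can see it.

```python
# Added illustration: classify SNMPv1 datagrams by community and PDU type.
DEFAULT_COMMUNITIES = {b"public", b"write"}  # defaults named in the advisory
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}

def read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify(datagram):
    """Return (community, PDU name, findings) for one SNMPv1 UDP payload."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, _version, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER expected")
    tag, community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING expected")
    pdu_tag, _, _ = read_tlv(msg, pos)
    findings = []
    if community in DEFAULT_COMMUNITIES:
        findings.append("default-community")
    if pdu_tag == 0xA3:  # only a SetRequest changes MIB variables
        findings.append("write-attempt")
    return community.decode("latin-1"), PDU_NAMES.get(pdu_tag, hex(pdu_tag)), findings

# Constructed sample payloads (hex), not captured traffic.
SAMPLES = {
    "get_public": "302602010004067075626c6963a019020101020100020100300e300c06082b060102010101000500",
    "set_write": "302802010004057772697465a31c0201020201000201003011300f06082b0601020101040004036e6f63",
    "get_site": "302602010004066e30632d726fa019020103020100020100300e300c06082b060102010101000500",
}

if __name__ == "__main__":
    for name, hx in SAMPLES.items():
        print(name, classify(bytes.fromhex(hx)))
```
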

