Re: (ASCEND) Ascend Router SNMP Security Issues [Q]

To: "Nolan W. Bailey, Jr." <nolan@cp-tel.net>, ascend-users@bungi.com
Subject: Re: (ASCEND) Ascend Router SNMP Security Issues [Q]
From: Jennifer Dawn Myers <jdm@enteract.com>
Date: Tue, 17 Mar 1998 14:00:29 -0600
In-Reply-To: <3.0.5.32.19980317104948.007fc550@cp-tel.net>
Newsgroups: enteract.private.lists.ascend-users
Organization: EnterAct, L.L.C.
Sender: owner-ascend-users@max.bungi.com

In enteract.private.lists.ascend-users, Nolan W. Bailey, Jr
<nolan@cp-tel.net> writes:

> Basically, the SNMP security issue is that some users leave the default
> Ascend read/write password set to public and write? Is that correct?

At issue is that an Ascend's entire configuration, including all
passwords in _cleartext_, can be had if the write community is
guessed. For many boxes, this guess will be easy, as they won't have
been configured away from the default write community of "write".

Ascend's reason for enabling SNMP by default, with default community
strings, appears in <http://www.ascend.com/2492.html>:

"What does this mean to you?
RMAs because of lost passwords are expensive and troublesome
for Ascend and our customers. If the router's administrator
has left the READ COMM string to the default of "public," or
has not disabled the R/W COMM, there is a way to retrieve the
Access Passwords with the Java Based Configurator."

(That document also urges people who are concerned about security to
change the defaults).

> Does SNMP Read access allow the user access to the "sysConfigTftp" option?

With read access, you can read the sysConfigTftp settings, but you
cannot change the values, or trigger a TFTP download. You need the
write community for that. (The Ascend quote above alludes that one
would be able to retrieve passwords with just the SNMP read community,
but I'm not aware of how this would be done).

The sysConfigTftp settings are documented in the Ascend MIB.

snwmpwalk -v 1 myrouter public .1.3.6.1.4.1.ascend.systemStatusGroup.sysConfigTftp.sysConfigTftpHostAddr

will, for example, display the address of the TFTP host (replace
"myrouter" with the hostname of the Ascend and "public" with the SNMP
read community) You might want to check this value to see if it
contains anything suspicious (if an attacker didn't clean up after his
tracks, it might contain the IP address he used to download your
configuration).

--
Jennifer Dawn Myers, Ph.D. <jdm@enteract.com>
Secure Networks, Inc.
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>

Follow-Ups:

Re: (ASCEND) Ascend Router SNMP Security Issues [Q]

From: William T Wilson <fluffy@dunadan.com>

Re: (ASCEND) Ascend Router SNMP Security Issues [Q]

From: Kit Knox <kit@connectnet.com>

References:

(ASCEND) Ascend Router SNMP Security Issues [Q]

From: nolan@cp-tel.net (Nolan W. Bailey, Jr.)

Prev by Date: Re: (ASCEND) ISDN w/o PRI?
Next by Date: Re: (ASCEND) Configuring Your filter(Revised)(PipeX)
Prev by thread: Re: (ASCEND) Ascend Router SNMP Security Issues [Q]
Next by thread: Re: (ASCEND) Ascend Router SNMP Security Issues [Q]
Index(es):
- Main
- Thread