Nortel CVX-1800 Multi-service Access Switch Discloses Administrative Account Names and Passwords to Remote Users
|
SecurityTracker Alert ID: 1004040
|
CVE Reference: CAN-2002-0540
|
Updated: Jan 23 2004
|
Original Entry Date: Apr 15 2002
|
Impact: Disclosure of authentication information
|
Exploit Included: Yes
|
Version(s): CVX 1800, 3.6.3p24 and 3.6.3p5
|
Description: An information disclosure vulnerability was reported in Nortel's CVX-1800 multi-service access switch (modem bank). In the default configuration, a remote user can obtain certain account names and passwords from the system.
It is reported that a remote user can query the device via SNMP to obtain the user names and passwords for all locally configured telnet accounts. These are apparently the accounts used to configure the CVX itself and not the user names and passwords of dial-up users serviced by the device.
The following 'snmpwalk' command can reportedly be used:
    snmpwalk CVX-IP-ADD-RESS public .1
The vendor has reportedly been notified.
|
Impact: A remote user can obtain user account names and passwords for locally configured telnet accounts.
|
Solution: No solution was available at the time of this entry.
The author of the report has provided the following recommendation:
"Change your SNMP community string to something other than its default value of public."
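Added example (not part of the original advisory or the reporter's message): Python that decodes SNMPv1/v2c request payloads seen on UDP port 161 and flags any that use the default community string `public`, as the walk described above does. The two sample payloads, the community `n0c-ro`, and all function names are constructed for illustration.

```python
# Added example: passive check of SNMP request payloads for the default community string.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
DEFAULT_COMMUNITIES = {"public"}  # default value named in the advisory
# Constructed sample payloads (not captured traffic): a walk from the top of the tree, and a single get.
WALK_PUBLIC = bytes.fromhex("301f02010004067075626c6963a11202010102010002010030073005060128" "0500")
GET_CUSTOM = bytes.fromhex("302602010004066e30632d726fa019020102020100020100300e300c0608" "2b060102010101000500")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode BER-encoded OID bytes to dotted notation."""
    subids, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the end of a sub-identifier
            subids.append(value)
            value = 0
    if not subids:
        raise ValueError("empty OID")
    arc = min(subids[0] // 40, 2)  # first sub-identifier packs two arcs as 40*X + Y
    return ".".join(map(str, [arc, subids[0] - 40 * arc] + subids[1:]))

def inspect(payload):
    """Decode one community-based SNMP request; 'alert' is True for a default community."""
    tag, msg, _ = read_tlv(payload, 0)
    _, version, pos = read_tlv(msg, 0)
    ctag, community, pos = read_tlv(msg, pos)
    if tag != 0x30 or ctag != 0x04:  # SNMPv3 carries no community string here
        raise ValueError("not a community-based SNMP message")
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    pos = 0
    for i in range(3):  # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    _, first_vb, _ = read_tlv(varbinds, 0)
    _, oid, _ = read_tlv(first_vb, 0)
    name = community.decode("latin-1")
    return {"version": int.from_bytes(version, "big"), "community": name,
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "first_oid": decode_oid(oid),
            "alert": name in DEFAULT_COMMUNITIES}
```

Feed it the UDP payload of each packet addressed to port 161 on the device, for example from a capture taken on its management interface.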
|
Vendor URL: www.nortelnetworks.com/products/01/cvx/cvx_1800/
|
Cause: Access control error
|
Reported By: Michael Rawls <bugtraq@shadowstorm.com>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Fri, 12 Apr 2002 17:04:20 -0700
From: Michael Rawls <bugtraq@shadowstorm.com>
Subject: Nortel CVX 1800s will dump all local user names and passwords
|
The Nortel CVX 1800 is a modem bank containing up to 2600 modems per box.
Many ISPs are using them for their dial-up customers.
While querying the CVX-1800 for SNMP codes to use in a modem statistics
program I was writing, I discovered the CVX-1800 will spill out all user
names and passwords in clear text for locally configured telnet accounts.
These are the accounts used to configure the CVX itself, and not the user
names and passwords of dialed up users.
To retrieve the information under Linux I used the following command syntax:
    snmpwalk CVX-IP-ADD-RESS public .1
If you have a Nortel CVX-1800 and you have not changed your SNMP community
string to something other than public, you are vulnerable to anyone who can
reach the box including the dial-up users. Do not assume dial-up users
cannot determine the IP address of the CVX. Typing "route" on a Linux box
dialed up to the CVX will display the IP address of the CVX as the default
gateway. Windows will show it's assigned dial-up IP address as the default
gateway.
I notified Nortel Support of my find back in February of this year. The
CVX-1800 software versions I tested this on were 3.6.3p24 and 3.6.3p5.
Fix: Change your SNMP community string to something other than its default
value of public.
-Michael Rawls
|