
(ASCEND) Ascend Router SNMP Security Issues [Q]


no...@cp-tel.net

Mar 18, 1998, 3:00:00 AM
to ascend...@bungi.com

Basically, the SNMP security issue is that some users leave the default
Ascend read/write password set to public and write? Is that correct?

Or, is there another danger that I'm missing out on here...?

Does SNMP Read access allow the user access to the "sysConfigTftp" option?

Or, is that a SNMP write function?

Thanks in advance...

At 01:51 PM 3/16/98 -0700, Secure Networks Inc. wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
><snip>
>DESCRIPTION of SNMP SECURITY ISSUE
>
>Ascend routers are manageable by the SNMP protocol. Ascend's SNMP support
>includes the ability to read and write MIB variables. Ascend's SNMP system
>is protected by the SNMP community definitions, which act as passwords for
>SNMP access. By default, the SNMP "read" password is "public", and the
>SNMP "write" password is "write". An attacker that can guess the SNMP
>"read" community can read arbitrary MIB variables, and an attacker that
>can guess the "write" community can set arbitrary MIB variables to new
>values.
>
>Ascend provides a vendor-specific extension MIB. This MIB includes
>variables specific to Ascend equipment. Among these variables is a group
>of settings called "sysConfigTftp", which allow the configuration of the
>router to be manipulated via the TFTP protocol. By writing to these
>variables with SNMP "set" messages, an attacker can download the entire
>configuration of the Ascend router.
>
>The full configuration of an Ascend router includes the telnet password
>(knowledge of which allows an attacker to gain telnet access to the Ascend
>menu interface), all the enhanced access passwords (allowing an attacker
>to reconfigure the router from the menu interface), network protocol
>authentication keys (including RADIUS and OSPF keys), usernames and
>passwords for incoming connections, and usernames, passwords, and dial-up
>phone numbers for outgoing connections. All of this information is in
>plaintext.
>
>An attacker with full access to an Ascend router can also use it to
>"sniff" the networks it is attached to. Ascend routers have an extensive
>(and largely undocumented) debugging interface; functions are included in
>this interface to obtain hexadecimal dumps of raw Ethernet, ISDN, DS1, and
>modem traffic.
>
>-----------------------------------------------------------------------------
>
>VULNERABLE SYSTEMS
>
>These issues are known to be relevant to Ascend Pipeline and MAX
>networking equipment. These vulnerabilities have been confirmed in
>Ascend's operating system at version 5.0Ap42 (MAX) and 5.0A (Pipeline).
>
>Ascend's 6.0 operating system disables SNMP "write" access by default.
>Previous versions of the software enable SNMP "write" access with a
>default community of "write".
>
>-----------------------------------------------------------------------------
>
>RESOLUTION
>
>The denial-of-service issue detailed in this advisory is due to an
>implementation flaw in Ascend's software. While no immediate fix is
>available, it is possible to work around this problem by filtering out
>packets to the UDP discard port (9).
>
>Because SNMP "write" access on an Ascend router is equivalent to complete
>administrative access, it is very important that the community chosen is
>hard to guess. Deployed Ascend equipment should be checked to ensure that
>default (or easily guessed) communities are not in use.
>
>The SNMP configuration of an Ascend router is available through the
>menuing system, as "Ethernet...Mod Config...SNMP Options...".
>
>-----------------------------------------------------------------------------
>
++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-use...@bungi.com
To get FAQ'd: <http://www.nealis.net/ascend/faq>

owner-asc...@max.bungi.com

Mar 18, 1998, 3:00:00 AM
to Nolan W. Bailey, Jr.

On Tue, 17 Mar 1998, Nolan W. Bailey, Jr. wrote:

| Basically, the SNMP security issue is that some users leave the default
| Ascend read/write password set to public and write? Is that correct?

Yes, this is correct. Although even if changed to non-defaults, SNMP
community strings are sent cleartext. A lot of people don't even know how
to set a telnet pw, let alone change their SNMP defaults. You would be
amazed at how many people have it left at "public" and "write".

| Does SNMP Read access allow the user access to the "sysConfigTftp" option?
| Or, is that a SNMP write function?

No. It is a write function. Anyone with CMU's snmpset, a tftp server,
and a copy of the ascend mib file can exploit this.

-Kit

owner-asc...@max.bungi.com

Mar 18, 1998, 3:00:00 AM
to Nolan W. Bailey, Jr., ascend...@bungi.com

In enteract.private.lists.ascend-users, Nolan W. Bailey, Jr
<no...@cp-tel.net> writes:

> Basically, the SNMP security issue is that some users leave the default
> Ascend read/write password set to public and write? Is that correct?

At issue is that an Ascend's entire configuration, including all
passwords in _cleartext_, can be had if the write community is
guessed. For many boxes, this guess will be easy, as they won't have
been configured away from the default write community of "write".

Ascend's reason for enabling SNMP by default, with default community
strings, appears in <http://www.ascend.com/2492.html>:

"What does this mean to you?
RMAs because of lost passwords are expensive and troublesome
for Ascend and our customers. If the router's administrator
has left the READ COMM string to the default of "public," or
has not disabled the R/W COMM, there is a way to retrieve the
Access Passwords with the Java Based Configurator."

(That document also urges people who are concerned about security to
change the defaults).

> Does SNMP Read access allow the user access to the "sysConfigTftp" option?

With read access, you can read the sysConfigTftp settings, but you
cannot change the values, or trigger a TFTP download. You need the
write community for that. (The Ascend quote above alludes that one
would be able to retrieve passwords with just the SNMP read community,
but I'm not aware of how this would be done).

The sysConfigTftp settings are documented in the Ascend MIB.

snmpwalk -v 1 myrouter public .1.3.6.1.4.1.ascend.systemStatusGroup.sysConfigTftp.sysConfigTftpHostAddr

will, for example, display the address of the TFTP host (replace
"myrouter" with the hostname of the Ascend and "public" with the SNMP
read community). You might want to check this value to see if it
contains anything suspicious (if an attacker didn't clean up his
tracks, it might contain the IP address he used to download your
configuration).

--
Jennifer Dawn Myers, Ph.D. <j...@enteract.com>
Secure Networks, Inc.
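The advisory's resolution says deployed Ascend equipment should be checked for default communities, Kit notes that SNMP community strings travel in cleartext, and Jennifer's reply explains that touching sysConfigTftp needs the write community. The following Python is an added example (not code from this thread, from Ascend or from Secure Networks): a minimal SNMPv1 (RFC 1157) BER decoder with two detection rules that can be run over the UDP/161 payloads of a capture taken in front of the router. The sample packets are constructed inline with a small encoder. The sysConfigTftp OID prefix is a labelled placeholder: only the Ascend enterprise arc (529) is assumed, and the remaining arcs must be taken from the Ascend MIB.

```python
"""Minimal SNMPv1 (RFC 1157) BER codec plus two detection rules.

Added example, not code from the thread, Ascend or Secure Networks.
SNMPv1 carries the community string in cleartext, so the UDP/161 payloads
in a capture in front of the router show who manages it, with which
community, and whether anyone writes to the sysConfigTftp subtree.
"""

# PLACEHOLDER prefix for the sysConfigTftp group: enterprise arc 529 (Ascend)
# is assumed; the remaining arcs must come from the Ascend MIB.
SYSCONFIG_TFTP_PREFIX = "1.3.6.1.4.1.529.999"
DEFAULT_COMMUNITIES = {"public", "write"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}


# --- encoder (used only to build the constructed sample traffic) -------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _encode_int(v):
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))

def _encode_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                       # base-128, high bit set on all but last
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def build_snmpv1(community, pdu_tag, varbinds, request_id=1):
    """varbinds: list of (oid, value TLV bytes); error-status/index are 0."""
    vbl = b"".join(_tlv(0x30, _encode_oid(o) + v) for o, v in varbinds)
    pdu = _tlv(pdu_tag, _encode_int(request_id) + _encode_int(0)
               + _encode_int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, _encode_int(0) + _tlv(0x04, community.encode()) + pdu)


# --- decoder ----------------------------------------------------------------
def _read_tlv(buf, pos):
    """Return (tag, body, position after the TLV); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_snmpv1(msg):
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(body, 0)
    _, comm, pos = _read_tlv(body, pos)       # community: cleartext on the wire
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    pos = 0
    for _ in range(3):                        # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, q = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, q)
        varbinds.append((_decode_oid(oid), vtag, vbody))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": comm.decode(errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "varbinds": varbinds}

def audit_snmp_packet(msg, tftp_prefix=SYSCONFIG_TFTP_PREFIX):
    """Return (parsed message, list of findings) for one UDP/161 payload."""
    m, findings = parse_snmpv1(msg), []
    if m["community"] in DEFAULT_COMMUNITIES:
        findings.append(f"default community '{m['community']}' in {m['pdu']}")
    if m["pdu"] == "SetRequest":
        for oid, vtag, vbody in m["varbinds"]:
            if oid.startswith(tftp_prefix + "."):
                shown = ".".join(map(str, vbody)) if vtag == 0x40 else vbody.hex()
                findings.append(f"SetRequest into sysConfigTftp: {oid} = {shown}")
    return m, findings


# Constructed sample traffic (192.0.2.10 is a TEST-NET address, not a real host)
NULL = _tlv(0x05, b"")
SAMPLE_GET = build_snmpv1("public", 0xA0, [("1.3.6.1.2.1.1.1.0", NULL)])
SAMPLE_SET = build_snmpv1("write", 0xA3, [(SYSCONFIG_TFTP_PREFIX + ".1.0",
                          _tlv(0x40, bytes([192, 0, 2, 10])))], 7)
SAMPLE_OK = build_snmpv1("r7Qx-not-default", 0xA0, [("1.3.6.1.2.1.1.5.0", NULL)])

if __name__ == "__main__":
    for pkt in (SAMPLE_GET, SAMPLE_SET, SAMPLE_OK):
        m, f = audit_snmp_packet(pkt)
        print(m["pdu"], repr(m["community"]), f or "ok")
```

Feed `audit_snmp_packet` each UDP payload to port 161 from a capture: a hit on a default community is a device that still needs "Ethernet...Mod Config...SNMP Options..." fixed, and a SetRequest into the sysConfigTftp subtree, with the IpAddress value it carried, is the wire-level counterpart of the suspicious sysConfigTftpHostAddr value Jennifer suggests checking on the box.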

owner-asc...@max.bungi.com

Mar 18, 1998, 3:00:00 AM
to Jennifer Dawn Myers

On Tue, 17 Mar 1998, Jennifer Dawn Myers wrote:

| Ascend's reason for enabling SNMP by default, with default community
| strings, appears in <http://www.ascend.com/2492.html>:
|
| "What does this mean to you?
| RMAs because of lost passwords are expensive and troublesome
| for Ascend and our customers. If the router's administrator
| has left the READ COMM string to the default of "public," or
| has not disabled the R/W COMM, there is a way to retrieve the
| Access Passwords with the Java Based Configurator."

Well there is another workaround for this which I use all of the time.
You can open up the Pipeline, insert a jumper, connect at 57600 and clear
the flash then upload via xmodem new code into the box. It is as good as
new. Perhaps Ascend should make the details of this more public instead.

Why doesn't Ascend just do like other hardware vendors. Have a hardware
switch, which when toggled enables a challenge response system on the
system console only which may be used to reset the password after a call
to Ascend.

-Kit

owner-asc...@max.bungi.com

Mar 18, 1998, 3:00:00 AM
to Kit Knox

On Tue, 17 Mar 1998, Kit Knox wrote:

> Well there is another workaround for this which I use all of the time.
> You can open up the Pipeline, insert a jumper, connect at 57600 and clear
> the flash then upload via xmodem new code into the box. It is as good as
> new. Perhaps Ascend should make the details of this more public instead.

The excuse I got was "It voids the warranty on the unit it's performed
on," though I was told how to do so by an Ascend tech over the phone when
I was in a spot a few years ago. He made me swear not to tell anyone.

> Why doesn't Ascend just do like other hardware vendors. Have a hardware

You could apply that phrase to so many aspects of Ascend. I think they've
gone out of their way to not be like other hardware vendors, and in doing
so they've alienated themselves from the better aspects of those
companies. Most notable of all would be reliability, though that has
improved.

> switch, which when toggled enables a challenge response system on the
> system console only which may be used to reset the password after a call
> to Ascend.

It'd still take you 5 hours for a callback, service contract or no service
contract. :)

> -Kit

Joe Shaw - js...@insync.net
NetAdmin - Insync Internet Services

owner-asc...@max.bungi.com

Mar 18, 1998, 3:00:00 AM
to Jennifer Dawn Myers

On Tue, 17 Mar 1998, Jennifer Dawn Myers wrote:

> "What does this mean to you?
> RMAs because of lost passwords are expensive and troublesome
> for Ascend and our customers. If the router's administrator

They should just put a switch on the unit that resets the passwords to the
default, then. Or at the least, the functionality should be restricted to
the console port.

This facility will only work if the user has left his SNMP strings at the
default, which no security-conscious user will do. If you leave your SNMP
strings at the default, you may as well leave your access levels without
passwords too and eliminate the issue altogether.

It's kind of nice to be able to get the passwords out of the unit in
cleartext (for example, moving users from password profiles to RADIUS) but
I'd just as soon be able to just see them if I am logged in with "full
access".

owner-asc...@max.bungi.com

Mar 18, 1998, 3:00:00 AM
to Joe Shaw

On Tue, 17 Mar 1998, Joe Shaw wrote:

> switch, which when toggled enables a challenge response system on the
> system console only which may be used to reset the password after a call
> to Ascend.

I don't see the need to get a call to ascend involved here. If the user
has physical access to the unit, then it effectively belongs to them
already. You can't have meaningful network security unless you have
physical security too. Push the button and reset the passwords and be
done with it.

owner-asc...@max.bungi.com

Mar 18, 1998, 3:00:00 AM
to William T Wilson

On Tue, 17 Mar 1998, William T Wilson wrote:

> On Tue, 17 Mar 1998, Jennifer Dawn Myers wrote:
>
> > "What does this mean to you?
> > RMAs because of lost passwords are expensive and troublesome
> > for Ascend and our customers. If the router's administrator
>
> They should just put a switch on the unit that resets the passwords to the
> default, then. Or at the least, the functionality should be restricted to
> the console port.

Just my $.02 worth, but none of the Bay Networks, Cisco, or 3COM products
that I own have any such neat feature, and I really don't like any reset
buttons that the local TELCO persons can mess with for our co-located
equipment. Same reason they don't have power switches :)

Craig

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Craig Salmond mailto:cr...@cde.com
Craig's DATA Exchange! http://www.cde.com
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Shipping Address: Craig's DATA Exchange!, 18826 U.S. HWY 441, Mt. Dora, FL 32757
Billing Address: Craig's DATA Exchange!, P.O. Box 1401, Mt. Dora, FL 32756
(352) 735-2331 Sales / (352) 735-9511 FAX / (352) 742-1515 DIAL-UP
"Lake County's Internet Authority"
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

owner-asc...@max.bungi.com

Mar 18, 1998, 3:00:00 AM
to William T Wilson


Not particularly true with the Ascend gear; even physical access to a box
doesn't mean that you have access or can gain access to their gear. Hell,
just look at how many people email here about losing passwords and not
being able to achieve access to the box.

Jason Nealis
Director Internet Operations
Network Access
Erols Internet

On Tue, 17 Mar 1998, William T Wilson wrote:

> On Tue, 17 Mar 1998, Joe Shaw wrote:
>
> > switch, which when toggled enables a challenge response system on the
> > system console only which may be used to reset the password after a call
> > to Ascend.
>
> I don't see the need to get a call to ascend involved here. If the user
> has physical access to the unit, then it effectively belongs to them
> already. You can't have meaningful network security unless you have
> physical security too. Push the button and reset the passwords and be
> done with it.
>
>

owner-asc...@max.bungi.com

Mar 20, 1998, 3:00:00 AM
to Jason Nealis

On Wed, 18 Mar 1998, Jason Nealis wrote:

> Not particularly true with the Ascend gear, even physical access to a box
> doesn't mean that you have access or can gain access to their gear. hell

But it shouldn't be this way. :) For example, a BAD guy with physical
access to the box can unplug your cables, maybe connect your V.35 port to
a sniffer device, pull the power cord out, install external ethernet
sniffers, do all kinds of bad things. But the legitimate owner cannot
reset the root password? It is suboptimal. :)
