Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Network Appliances :: baynet6.htm

Bay Networks Backdoors



Vulnerability

    Bay Networks

Affected

    Bay Networks

Description

    Jan B. Koum found following.  More about the world of strings  and
    Bay  Networks  firmware  files.   Tested  were  some  bay networks
    switches and following have default password of "NetICs":

        BayStack 350T    HW:RevC  FW:V1.01 SW:V1.2.0.10
        BayStack 350T    HW:RevC  FW:V1.01 SW:V2.0.0.15
        BayStack 350T-HD HW:RevA  FW:V1.03 SW:V2.0.2.1  (24 port)
        BayStack 350T    HW:RevC  FW:V1.00 SW:V2.0.2.1  (16 port)
        BayStack 350T HW:RevC  FW:V1.01 SW:V1.03 (16port)

    These however is not the case with:

        BayStack 350-24T HW:RevA  FW:V1.04 SW:V1.0.0.2
        Bay Networks BayStack 303 Ethernet Switch
        BayStack 28115/ADV Fast Ethernet Switch

    If you have firmware images for the above, just

        % strings *.img | grep -B5 "Invalid Password"

    Something similar to this command might give you the passwd.

Solution

    The Bay Networks case number for this bug/oversight is: 990310-614
    Normally "backdoor" passwords  on Bay gear  only work through  the
    console.   This was  fixed in  version 2.0.3.4  of the  BS350 code
    last November.   The backdoor is  still there for  console access,
    but not for telnet.  This problem only affected the Baystack  350T
    and 350F, it did not affect  the 350-24T or 450.  Also,  note that
    the  350  has  always  had  the  ability to limit telnet logins to
    certain source addresses; it  is recommended that that  feature be
    used.  Software upgrades for the 350 can be found at

        http://support.baynetworks.com under Software

    If  you  don't  have  a  support  contract,  call  (800)  2LANWAN.
    Regardless of  the existence  of backdoors  it is  a good  idea to
    limit who can connect to  your equipment over the network.   These
    BayStack switches have a "TELNET Configuration..." menu where  you
    can turn off telnet access  and/or limit the IP addresses  who are
    allowed to telnet in.   While you're there you should  secure your
    SNMP,  which  is  another  item  commonly  left  wide  open   (any
    networking equipment, not just Bay).


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH