COMMAND

    aSDL routers, USWest's Cisco 675

SYSTEMS AFFECTED

    aSDL routers, USWest's Cisco 675

PROBLEM

    David  Brumley  found  following.   At  least  one   manufacturer,
    flowpoint, sets no admin password.  Version tested:

        FlowPoint/2000 ADSL Router
        FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
        Software version v1.4.5 built Tue Aug 11 23:20:20 PDT 1998

    This is also  true on USWest's  Cisco 675.   Password is (hit  the
    enter key)...  However, all  ISP's using Cisco 675's are  set into
    bridging mode, which doesn't allow any remote access to the  Cisco
    675, save the serial cable.  Older USWest equipment, the  Netspeed
    202  and  204,  used  a  default  user  name  (root) and a default
    password is (hit the Enter key)...  For both routers, the Netspeed
    and  Cisco,  the  default  password/login  is  listed right in the
    manual, for anyone to see.

    Chris Shenton had couple other concerns on 2200 (firmware  3.0.2).
    His carrier, Covad, did  set a password but  it's too easy.   SNMP
    it's available  to the  world with  community "public".   Have you
    tried an  nmap scan  on it?   It reports  "trivial joke"  for  TCP
    sequence  predictability.   Should   allow  bad  guys  to   hijack
    sessions.

SOLUTION

    It's in the  documentation, so we  can assume the  company already
    knows about this  vulnerability.  Like  most routers on  networks,
    access should be  restricted with access  control lists.   You can
    set this by  using 'system addTelnetFilter'  and specifying an  IP
    range.  Newer versions set password to "admin" by default.   Since
    these routers are sold  through resellers (ISPs, etc..),  they are
    not always  identical when  the hit  an end-user.   Some resellers
    might  change  default  passwords,  some  may  not.   The software
    releases and utilties can be found at:

        ftp://ftp.systemv.com/pub/flopoint

    Release 3.0.2 onwards requires the  user to enter the password  to
    access any information via the console or telnet.  Access  control
    to the  router via  telnet and  snmp can  be controlled via access
    lists using the command:

        system addtelnetfilter <IP Addresses>
        system addsnmpfilter <IP Addresses>

    The SNMP Community name can be  changed as well as the ports  used
    to access Telnet and SNMP.  In addition, access to the router  via
    SNMP and Telnet can be turned off.  The commands:

        system telnetport <Port No>
        system snmpport <Port No>

    A <Port No> of 0 stops access  to the router.  In addition, an  IP
    Filtering  package  similar  to  the  Linux Firewall capability is
    available as an option.