COMMAND
Bay Networks
SYSTEMS AFFECTED
Bay Networks
PROBLEM
Jan B. Koum found following. More about the world of strings and
Bay Networks firmware files. Tested were some bay networks
switches and following have default password of "NetICs":
BayStack 350T HW:RevC FW:V1.01 SW:V1.2.0.10
BayStack 350T HW:RevC FW:V1.01 SW:V2.0.0.15
BayStack 350T-HD HW:RevA FW:V1.03 SW:V2.0.2.1 (24 port)
BayStack 350T HW:RevC FW:V1.00 SW:V2.0.2.1 (16 port)
BayStack 350T HW:RevC FW:V1.01 SW:V1.03 (16port)
These however is not the case with:
BayStack 350-24T HW:RevA FW:V1.04 SW:V1.0.0.2
Bay Networks BayStack 303 Ethernet Switch
BayStack 28115/ADV Fast Ethernet Switch
If you have firmware images for the above, just
% strings *.img | grep -B5 "Invalid Password"
Something similar to this command might give you the passwd.
SOLUTION
The Bay Networks case number for this bug/oversight is: 990310-614
Normally "backdoor" passwords on Bay gear only work through the
console. This was fixed in version 2.0.3.4 of the BS350 code
last November. The backdoor is still there for console access,
but not for telnet. This problem only affected the Baystack 350T
and 350F, it did not affect the 350-24T or 450. Also, note that
the 350 has always had the ability to limit telnet logins to
certain source addresses; it is recommended that that feature be
used. Software upgrades for the 350 can be found at
http://support.baynetworks.com under Software
If you don't have a support contract, call (800) 2LANWAN.
Regardless of the existence of backdoors it is a good idea to
limit who can connect to your equipment over the network. These
BayStack switches have a "TELNET Configuration..." menu where you
can turn off telnet access and/or limit the IP addresses who are
allowed to telnet in. While you're there you should secure your
SNMP, which is another item commonly left wide open (any
networking equipment, not just Bay).