COMMAND

    N-Base switches

SYSTEMS AFFECTED

    Systems using N-Base switches

PROBLEM

    The following text is based on The Telecom Security Group Advisory.
    Note that N Base products  are also OEM'd to DEC,  Allied Telesyn,
    Lantronix, Intel, and Black  Box (and presumably others).  Some of
    these  companies  no  longer  use  N  Base gear, but may have sold
    products in the past that are  affected. The only way to find  out
    if a given  OEM box is  really an affected  N Base unit  is to try
    one of  the exploits.  The <any  username>/forgot is  probably the
    best test.

    Problem 1:
    ==========
    Many (all?) N Base managed products have "back door" passwords which
    cannot be disabled.  These apply to both the serial console port and
    the telnet console port (if enabled).  The username/password
    combinations are:

        Username      Password
        <any>         forgot
        <any>         debug

    Both of these  combinations grant full  access to the  switch - in
    particular, any of the switch parameters can be changed, including
    the password.   Further, the  "debug" password  allows reading  of
    various internal registers.  Issuing some debug commands can cause
    the switch to lock up, requiring a complete power cycle to  reset.
    Lastly,  with  these  passwords  it  is  possible to overwrite the
    switch operational software, leaving  the switch in an  unbootable
    mode.  Depending on the switch model, a return to the factory  may
    be necessary, though this was not investigated yet.  This  problem
    has been verified on the NH208, NH215, and NH2016 switches and  it
    is believed to be present on all managed N Base switches.

    Problem 2:
    ==========
    N Base switches that implement a default TFTP server can have  the
    server operational software  or (possibly) parameters  overwritten
    by anyone who  knows the IP  address of the  switch and has  an IP
    path to the switch.   N Base switches with  a default TFTP  server
    have  standard  filenames  for  their  operational  software   and
    parameters.   For  example,  a  NH208  uses  a software file named
    FLASH08.HEX and  a parameter  file named  PARAM08.PAR. The  switch
    will accept  a TFTP  load of  any data  as long  as the  file name
    matches.  In  the  case  of  the operating software, the currently
    running software will be erased, the new software flashed, and the
    switch  restarted.   If  the  software  is  not  a valid operating
    software for the switch, the switch will appear dead, usually with
    the FAULT LED illuminated.  An unsuspecting user might return  the
    switch to  N Base  for repair,  but in  any event  this will cause
    substantial inconvenience.   The proper  operational software  can
    be uploaded to the switch  via the serial port, assuming  that the
    user  has  the  loader  utility  and  switch software which may be
    available from

        ftp://ftp.nbase.com

    It may be possible to  make similar attacks against the  parameter
    file, which could  then be used  to compromise VLANs  (by removing
    VLAN partitioning in the switch) or for denial-of-service  attacks
    (by changing ports to incompatible operating modes). This has  not
    been verified.   This problem has  been verified on  the NH208 and
    NH215 switches. It is not present on the NH2016 switch unless  the
    switch has been changed to a TFTP server with the  "set-tftp-mode"
    command. If  your switch  has the  "get-tftp-mode" command  and it
    reports "Tftp client  will be operate  on next software  download"
    then your switch should not be vulnerable to this problem.
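    Because the switch accepts any TFTP write whose file name matches its
    fixed image/parameter names, a network-side check for TFTP write
    requests (WRQ, opcode 2 per RFC 1350) naming those files gives early
    warning of the overwrite described above.  The following is an added
    example, not part of the advisory or any N Base tool; the sample
    packets are constructed, only the NH208 file names are taken from the
    advisory, and case-insensitive matching is an assumption.

```python
import struct
from typing import Optional, Tuple

# TFTP request opcodes (RFC 1350).
OP_RRQ, OP_WRQ = 1, 2

# Default image and parameter file names the advisory gives for the NH208.
# Other models use their own fixed names; extend this set for your fleet.
NBASE_DEFAULT_FILES = {"FLASH08.HEX", "PARAM08.PAR"}


def parse_tftp_request(payload: bytes) -> Optional[Tuple[int, str, str]]:
    """Parse the UDP payload of a TFTP RRQ/WRQ into (opcode, filename, mode).
    Returns None for other opcodes or malformed packets."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        return None
    # Layout: opcode | filename | 0 | mode | 0 -> split yields at least
    # [filename, mode, b""] for a well-formed request.
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    try:
        return opcode, fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None


def flag_firmware_write(payload: bytes) -> Optional[str]:
    """Alert on a WRQ naming an N Base default image/parameter file.
    Matching is case-insensitive (assumption: TFTP servers often are)."""
    req = parse_tftp_request(payload)
    if req is None or req[0] != OP_WRQ:
        return None
    _, filename, mode = req
    if filename.upper() in NBASE_DEFAULT_FILES:
        return f"TFTP WRQ for {filename} ({mode}): possible switch firmware/parameter overwrite"
    return None


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Construct a TFTP RRQ/WRQ payload (used here only to build samples)."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real switch.
    for pkt in (build_request(OP_WRQ, "FLASH08.HEX"), build_request(OP_WRQ, "param08.par", "netascii"),
                build_request(OP_RRQ, "FLASH08.HEX"), build_request(OP_WRQ, "config.txt")):
        print(flag_firmware_write(pkt))
```

    Only the write request is flagged; a read of the same file name and
    writes of unrelated names pass through unreported.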

    Some switch firmware has been released with a useless "fix", but
    other switches have not had a new release, and no discernible effort
    has been made to inform N Base customers of this critical security
    flaw.  The "fix" that N Base has implemented is simply to change the
    former debug password of "debug" to the new debug password of
    "debug0" and the former lost password recovery password of "forgot"
    to the new recovery password of "forgotten".

SOLUTION

    Currently, supported  switches with  the following  ROM updates do
    have real fixes for password/tftp problems (for MegaSwitch II):

        Model           ROM
        NH2012          2.54
        NH2012R         2.54
        NH2015          2.51
        NH2048          1.33

    With these configurations  you can do  the following to  fix these
    problems:

        set-full-sec enable  (this disables the backdoor passwords)
        set-sw-file  XXX     (where XXX is the name you want  to  call
                              your SNMP software update file)
        set-par-file XXX     (where  XXX is the name you want to  call
                              your parameters file)
        set-passwd <return>  (this will display  a prompt to  enter  a
                              new password)
        set-comm read XXX    (where XXX is the new read community)
        set-comm write XXX   (where XXX is the new write community)

    These   steps   should   secure   the   mentioned   MegaSwitch  II
    configurations.  For GigaFrame Switch:

        NH3012          2.1

        set-full-sec enabled
        set-sw-file XXX
        set-par-file XXX
        set-comm read XXX
        set-comm write XXX
        set-passwd <return>
        del-user user       (By default there are two users, "super" and
                             "user".  "super" has supervisor privileges;
                             "user" is just a default.  To secure the
                             system, you should delete the "user"
                             account.)