COMMAND
Intel NetStructure
SYSTEMS AFFECTED
Intel NetStructure 7180 (previously the Ipivot Commerce Accelerator 8000)
PROBLEM
The following is based on the L0pht Research Labs advisory. The
NetStructure 7180 can be compromised via the admin console even
after the admin password has been changed. Root access can be
obtained via the Internet when used in a poorly configured or
default configuration. Additionally, web based management
authentication is done in the clear.
The NetStructure 7180 has two undocumented accounts, servnow and
root, each with a password generated from the MAC address of the
primary interface. By default, the NetStructure 7180 has an SNMP
daemon running with a default community string of 'public'.
Through this service one can determine the local MAC address
without being on the local network segment. These accounts are
afforded administrative access to the system, session keys,
private certificates, a network sniffer, and other utilities.
Through the use of the proof of concept code referenced below,
one can log in and change the passwords to these accounts thereby
eliminating the backdoors.
The NetStructure 7180 was originally a product of Ipivot, and
named the Ipivot Commerce Director 8000. The oversight affects
NetStructure 7180 as shipped in April 2000.
- The administrator password is overridden by an undocumented
servnow and root password.
- The root and servnow password are derived from the primary
ethernet MAC address of the NetStructure 7180.
- By SNMPwalk'ing the NetStructure 7180, one can obtain the MAC
address.
- The method to change the root or servnow password is
undocumented.
This leaves all NetStructure 7180s with an undocumented backdoor
which can be accessed through the console port, gaining the
unauthorized user root privileges on the box. In the case of a
poorly configured unit, or a unit left in the default management
configuration, one can access the system over the Internet. A
few data points make this problem particularly disturbing:
- The NetStructure 7180 is the device converting https
(encrypted) to http (unencrypted).
- The web based management is done in the clear (which is
confusing to find in a device designed to handle encrypted
communications.)
- Network sniffing utilities are installed on the Ipivot by
default.
- Configuration over telnet is preferred in the user
documentation.
- The secret material that the password is derived from is the
ethernet address of the public interface.
- A SNMP daemon is part of the default configuration with a
community string of 'public'.
- The administration client can be easily obtained and
reconstituted into completely readable and recompileable
code using publicly available tools and methods.
L0pht will make the proof of concept tools available 5-15-2000 to
independently verify and address the problem. PalmOS prc and
unix source available at:
http://www.l0pht.com/advisories/ipivot.tar.gz
SOLUTION
Recommended fix:
1. Change the admin password after the first login.
2. Login to the Ipivot as root, after obtaining the password
from the Ipivot password generator.
3. After logging in, change the root password by issuing a
'passwd' at the command prompt. Choose a strong password
and do not forget it, as Intel Service personnel no longer
have a way to remotely service the box.
4. Next issue a 'passwd servnow' at the command prompt to
change the servnow account. Again, choose a strong
password and do not forget it.
5. Try to refrain from configuring the system outside of the
cli and web based management interfaces. Doing so may
break things and completely void your warranty, above and
beyond what you may have already performed by closing these
backdoors.
A more involved solution: aside from changing the passwords, you may
want to shut down certain functionality of the Ipivot if it is not
being used. In the documentation we were supplied, these steps were
not highlighted:
- turn off CLI telnet access.
enter: config sys security custom telnet disable
- turn off SNMP if you do not need the statistics.
enter: config sys security custom snmp disable
- If you would like SNMP, lock down SNMP reads and traps to
the specific IP's of logging hosts or administration
machines.
enter: config sys snmp community create mib_name ip xxx.xxx.xxx.xxx rights ro
enter: config sys snmp trap create xxx.xxx.xxx.xxx community community_string
- turn off GUI access unless absolutely needed.
enter: config sys security custom gui disable
- If you decide to use the gui, change the management to
something other than the default of port 1095.
enter: config admin port xxxx
- turn on Access Control Lists (ACL) and restrict management
functionality to either your IP or a subnet entirely under your
control.
enter: config sys security custom access-control enabled
enter: config sys security custom acl add ip xxx.xxx.xxx.xxx
or, for a subnet entirely under your control:
enter: config sys security custom acl add netmask xxx.xxx.xxx.xxx/x
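As an added example (not part of the L0pht advisory or any Intel tooling), the Python helper below assembles the lockdown command sequence listed above from a few choices and refuses the weak values the advisory calls out: the 'public' community string, the default GUI port 1095, and an ACL with no entries. The command syntax is copied from the advisory; the assumption that the advisory's 'mib_name' placeholder stands for the community name, and all sample addresses, are constructed for illustration.

```python
import ipaddress

DEFAULT_GUI_PORT = 1095        # default management port named in the advisory
DEFAULT_COMMUNITY = "public"   # default SNMP community string named in the advisory


def lockdown_commands(admin_hosts, admin_subnet=None, snmp_community=None,
                      snmp_trap_host=None, gui_port=None):
    """Build the NetStructure 7180 CLI lockdown sequence from the advisory.

    admin_hosts:    addresses allowed to manage the box (ACL and SNMP entries)
    admin_subnet:   optional CIDR block entirely under your control
    snmp_community: read-only community to keep SNMP, or None to disable it
    snmp_trap_host: optional logging host that receives traps
    gui_port:       non-default port if the GUI stays on, or None to disable it
    Raises ValueError for the weak settings the advisory warns about.
    """
    # Validate every address before it reaches the console; a typo in an ACL
    # entry can lock you out of your own management interface.
    hosts = [str(ipaddress.ip_address(h)) for h in admin_hosts]
    subnet = str(ipaddress.ip_network(admin_subnet, strict=True)) if admin_subnet else None
    if not hosts and subnet is None:
        raise ValueError("access control needs at least one host or subnet")

    cmds = ["config sys security custom telnet disable"]
    if snmp_community is None:
        cmds.append("config sys security custom snmp disable")
    else:
        if snmp_community.lower() == DEFAULT_COMMUNITY:
            raise ValueError("SNMP community must not be the default 'public'")
        # Assumption: the advisory's 'mib_name' placeholder is the community name.
        for h in hosts:
            cmds.append(f"config sys snmp community create {snmp_community} ip {h} rights ro")
        if snmp_trap_host:
            trap = str(ipaddress.ip_address(snmp_trap_host))
            cmds.append(f"config sys snmp trap create {trap} community {snmp_community}")
    if gui_port is None:
        cmds.append("config sys security custom gui disable")
    else:
        if gui_port == DEFAULT_GUI_PORT:
            raise ValueError("GUI port must be moved off the default 1095")
        cmds.append(f"config admin port {gui_port}")
    cmds.append("config sys security custom access-control enabled")
    for h in hosts:
        cmds.append(f"config sys security custom acl add ip {h}")
    if subnet:
        cmds.append(f"config sys security custom acl add netmask {subnet}")
    return cmds
```

Calling lockdown_commands(["192.0.2.10"], admin_subnet="192.0.2.0/24") yields the fully closed-down variant (telnet, SNMP and GUI off, ACL on); pass snmp_community and gui_port to keep those services with non-default settings.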
As a result of this advisory Intel has:
1. Set up a security-info mail account through which one can
notify Intel of security issues in their product, where one
previously did not exist.
2. Provided patches for all customers at the following URL:
http://216.188.41.136
or through an 800 number for customers with maintenance
agreements.