COMMAND

    Intel NetStructure

SYSTEMS AFFECTED

    Intel NetStructure 7180 (previously the Ipivot Commerce Accelerator 8000)

PROBLEM

    The following is based on the L0pht Research Labs advisory.  The
    NetStructure 7180 can be compromised via the admin console even
    after the admin password has been changed.  Root access can be
    obtained via the Internet when the unit is run in a poorly
    configured or default configuration.  Additionally, web based
    management authentication is done in the clear.

    The NetStructure 7180 has  two undocumented accounts, servnow  and
    root, each with a password  generated from the MAC address  of the
    primary interface.  By default, the NetStructure 7180 has an  SNMP
    daemon  running  with  a  default  community  string  of 'public'.
    Through  this  service  one  can  determine  the local MAC address
    without being on  the local network  segment.  These  accounts are
    afforded  administrative  access  to  the  system,  session  keys,
    private  certificates,  a  network  sniffer,  and other utilities.
    Through the  use of  the proof  of concept  code referenced below,
    one can log in and change the passwords to these accounts  thereby
    eliminating the backdoors.
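    The reconnaissance step above, as an added example that is not part of
    the L0pht advisory or Intel's tooling: an SNMPv1 GetRequest for
    ifPhysAddress (IF-MIB, 1.3.6.1.2.1.2.2.1.6) with the community string
    'public', which is all an attacker anywhere on the Internet needs to
    learn the MAC address that the root and servnow passwords are derived
    from.  The BER encoding is hand-rolled so the block runs offline; the
    agent reply it decodes is constructed here, not captured from a
    NetStructure 7180, and the MAC in it is made up.  The password
    derivation itself is deliberately not reproduced.  query_mac() sends
    the same request to a live device and should only be pointed at a unit
    you are authorised to test.

```python
import socket

# ifPhysAddress for ifIndex 1 (IF-MIB).  Walk the column without the
# trailing .1 to list every interface on a real device.
IF_PHYS_ADDRESS_1 = "1.3.6.1.2.1.2.2.1.6.1"


def ber_len(n):
    """BER length, short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v):
    """Non-negative INTEGER, minimal two's-complement body."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    parts = [int(p) for p in oid.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_getrequest(community, oid, request_id=1):
    """SNMPv1 message carrying a GetRequest-PDU (context tag 0xA0)."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))   # value is NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def ber_parse(data, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at data[pos]."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def ber_children(body):
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = ber_parse(body, pos)
        items.append((tag, val))
    return items


def mac_from_response(msg):
    """Return the first 6-byte OCTET STRING in a GetResponse-PDU (0xA2)."""
    _, body, _ = ber_parse(msg)
    _version, _community, (pdu_tag, pdu) = ber_children(body)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse-PDU")
    _rid, (_, err_status), _eidx, (_, varbinds) = ber_children(pdu)
    if int.from_bytes(err_status, "big"):
        raise ValueError(f"agent error-status {int.from_bytes(err_status, 'big')}")
    for _, vb in ber_children(varbinds):
        _oid, (vtag, value) = ber_children(vb)
        if vtag == 0x04 and len(value) == 6:
            return ":".join(f"{b:02x}" for b in value)
    return None


def build_sample_response(community, oid, mac, request_id=1):
    """CONSTRUCTED agent reply for offline use (a real agent sends this on UDP/161)."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x04, mac))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def query_mac(host, community="public", oid=IF_PHYS_ADDRESS_1, timeout=2.0):
    """Live query against a device you are authorised to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getrequest(community, oid), (host, 161))
        reply, _ = s.recvfrom(4096)
    return mac_from_response(reply)


if __name__ == "__main__":
    sample_mac = bytes.fromhex("001122334455")      # made up, not a real unit
    reply = build_sample_response("public", IF_PHYS_ADDRESS_1, sample_mac)
    print("request:", build_getrequest("public", IF_PHYS_ADDRESS_1).hex())
    print("MAC from sample reply:", mac_from_response(reply))
```

    The same request sent from an off-segment host gets the same answer,
    which is why the advisory counts the MAC as public information rather
    than secret material.  Disabling SNMP, or restricting the community to
    read-only access from named management hosts as in the SOLUTION
    section, removes this path; it does not remove the accounts.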

    The  NetStructure  7180  was  originally  a product of Ipivot, and
    named the Ipivot  Commerce Director 8000.   The oversight  affects
    NetStructure 7180 as shipped in April 2000.

        -The administrator password  is overridden by  an undocumented
         servnow and root password.
        -The root and  servnow password are  derived from the  primary
         ethernet MAC address of the NetStructure 7180.
        -By SNMPwalk'ing the NetStructure 7180, one can obtain the MAC
         address.
        -The  method  to  change  the  root  or  servnow  password  is
         undocumented.

    This leaves all NetStructure 7180's with an undocumented  backdoor
    which  can  be  accessed  through  the  console  port, gaining the
    unauthorized user root privileges  on the box.   In the case of  a
    poorly configured unit, or a  unit left in the default  management
    configuration, one  can access  the system  over the  Internet.  A
    few data points make this problem particularly disturbing:

        - The NetStructure 7180 is the device converting https (encrypted)
          to http (unencrypted).
        - The web based management is done in the clear (which is
          confusing to find in a device designed to handle encrypted
          communications).
        - Network sniffing utilities are installed on the Ipivot by
          default.
        - Configuration over telnet is preferred in the user
          documentation.
        - The secret material that the password is derived from is the
          ethernet address of the public interface.
        - A SNMP  daemon is part  of the default  configuration with a
          community string of 'public'.
        - The  administration  client  can  be  easily  obtained   and
          reconstituted  into  completely  readable  and recompileable
          code using publicly available tools and methods.

    L0pht will make the proof of concept tools available 5-15-2000  to
    independently  verify  and  address  the  problem.  PalmOS prc and
    unix source available at:

        http://www.l0pht.com/advisories/ipivot.tar.gz

SOLUTION

    Recommended fix:

        1. Change the admin password after the first login.
        2. Log in to the Ipivot as root, after obtaining the password
           from the Ipivot password generator.
        3. After logging in, change the root password by issuing
           'passwd' at the command prompt.  Choose a strong password
           and do not forget it, as Intel Service personnel no longer
           have a way to remotely service the box.
        4. Next  issue a  'passwd servnow'  at the  command prompt  to
           change  the  servnow  account.   Again,  choose  a   strong
           password and do not forget it.
        5. Try to refrain from  configuring the system outside of  the
           cli  and  web  based  management  interfaces.  Doing so may
           break things and completely  void your warranty, above  and
           beyond what you may have already performed by closing these
           backdoors.

    More involved solution: aside from changing the passwords, you may
    want to shut down functionality of the Ipivot that is not being
    used.  These steps were not highlighted in the documentation we
    were supplied:

        - turn off CLI telnet access.
            enter: config sys security custom telnet disable
        - turn off SNMP if you do not need the statistics.
            enter: config sys security custom snmp disable
        - If you would  like SNMP, lock down  SNMP reads and traps  to
          the  specific  IP's  of  logging  hosts  or   administration
          machines.
            enter: config sys snmp community create mib_name ip xxx.xxx.xxx.xxx rights ro
            enter: config sys snmp trap create xxx.xxx.xxx.xxx community community_string
        - turn off GUI access unless absolutely needed.
            enter: config sys security custom gui disable
        - If  you  decide  to  use  the gui, change the management  to
          something other than the default of port 1095.
            enter:  config admin port xxxx
        - turn on Access Control Lists (ACL) and restrict management
          functionality to your own IP, or to a subnet entirely under
          your control.
            enter: config sys security custom access-control enabled
            enter: config sys security custom acl add ip xxx.xxx.xxx.xxx
          or, for a subnet:
            enter: config sys security custom acl add netmask xxx.xxx.xxx.xxx/x

    As a result of this advisory Intel has:

        1. Set up a security-info mail account, which previously did not
           exist, through which one can notify Intel of security issues
           in their products.
        2. Provided patches for all customers at the following URL:
               http://216.188.41.136
           or through  an 800  number for  customers with  maintenance
           agreements.