COMMAND

    tigris

SYSTEMS AFFECTED

    ACC's Tigris

PROBLEM

    Robert Thomas found the following.  OS versions up to (and
    including) 10.5.8 are vulnerable to a 'lame-arsed coding' bug,
    which lets you display a (slightly censored) dump of the
    configuration, as well as letting you run -any- non-privileged
    command (== anything but changing the configuration), including
    the ability to telnet from the machine, ping other machines
    (bypassing firewalls, perhaps?), and basically letting people
    know what you don't really want them to know.

    After a quick fiddle, the guess is that the login sequence runs
    as follows.  Print the string "Login:"; stick the string 'login'
    into the input buffer, and wait for the user to type either
    'netman' or 'public', resulting in the command 'login netman' or
    'login public' being sent to the OS, which will then prompt for a
    password.  Because the pre-stuffed 'login' sits in the same
    editable buffer as whatever the user types, this gives you the
    ability to do the really difficult thing of pushing backspace
    several times, or hitting ^U (delete to beginning of line), and
    running any of the commands that can be accessed by the 'public'
    account (like, for example, 'show', which will dump the running
    configuration, with any passwords *'ed out).  This includes:

        Dialin Numbers
        RADIUS Authentication/Accounting servers (minus passwords)
        OS Version
        IP Ranges
        BGP/RIP/OSPF filtering information
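
    The following is an added example, not code from ACC or from the
    original advisory.  It models the guessed login sequence in Python
    to show why a command verb placed in a user-editable buffer defeats
    authentication, next to a prompt that reads only a user name.  The
    function names and the command set are assumptions for illustration.

```python
# Constructed model of the login prompt guessed at in the advisory.
BACKSPACE, DELETE, CTRL_U = 0x08, 0x7F, 0x15
# Non-privileged commands named in the advisory text.
PUBLIC_COMMANDS = {"show", "telnet", "ping"}


def edit_line(prefill: str, keys: bytes) -> str:
    """Apply typed keys to an input buffer that already holds `prefill`."""
    buf = list(prefill)
    for k in keys:
        if k in (BACKSPACE, DELETE):
            if buf:
                buf.pop()          # also erases pre-stuffed characters
        elif k == CTRL_U:
            buf.clear()            # delete to beginning of line
        elif k in (0x0D, 0x0A):
            break                  # end of line
        else:
            buf.append(chr(k))
    return "".join(buf)


def flawed_prompt(keys: bytes) -> str:
    """Pre-stuff 'login ' into the command buffer, then hand the whole
    edited line to the command interpreter."""
    line = edit_line("login ", keys)
    verb, _, arg = line.partition(" ")
    if verb == "login":
        return "password prompt for " + arg
    if verb in PUBLIC_COMMANDS:
        return "EXECUTED unauthenticated: " + line
    return "rejected"


def hardened_prompt(keys: bytes) -> str:
    """Read only a user name into an empty buffer; the 'login' verb is
    supplied by the code and is never editable by the user."""
    user = edit_line("", keys)
    if not user.isalnum():
        return "rejected"
    return "password prompt for " + user
```

    In the hardened form, erasing the line and typing 'show' only
    yields a password prompt for a user called 'show'.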

    Another problem is that the machines have an undocumented 'public'
    account, with a default password of 'public', which gives you the
    same information as you get with the ^U bug.

SOLUTION

    This is fixed in  11.1.23.3.  A quick  workaround is  to  restrict
    telnet access  to only  the hosts  (or networks)  which should  be
    allowed access.  Also, it's a good idea to restrict SNMP and  HTTP
    access to the router.  Issue the following commands:

        ADD ACCESS ENTRY <network> <netmask> 23 TELNET
        ADD ACCESS ENTRY <network> <netmask> 80 HTTP
        ADD ACCESS ENTRY <network> <netmask> 0 PUBLIC

    Regarding source routing, it's only  enabled if you have a  source
    routing entry for the physical port, like:

        ADD SR PORT ENTRY ETHERNET 1 J7.1
        SET SR PORT STATE 1 ENABLED

    You can easily disable source routing for the port by typing

        SET SR PORT STATE <num> DISABLED

    To check if you have source routing configuration in the box:

        SHOW SR