COMMAND

    Xyplex

SYSTEMS AFFECTED

    Those running Xyplex terminal server

PROBLEM

    Aleksandr Pilosov has found a bug in the Xyplex terminal server.
    If the terminal server is configured for RADIUS authentication,
    PPP/CHAP and AutoProtocolDetect, typing Ctrl-Z at the username>
    prompt will drop you directly to the command line, as if you had
    logged in correctly. This will not work to get past the 'enable'
    password, though.

    There is no information on whether Xyplex has fixed this bug yet,
    but at least the following version of the software is affected:
    TS/720 V6.0.1S1 Rom 4C0000 HW 00.02.01 Lat Protocol V5.2

    Hardware Type:       76
    Hardware Revision:   00.02.01
    Midplane Type:       SwitchPlane
    Rom Revision:        4C0000
    Software Type:       Terminal Server Level 4
    Software Revision:   V6.0.1S1
    Protocol Type:       LAT, TELNET, RLOGIN, TN3270, SNMP, PPP

    Matthew G. Harrigan added the following. The Ctrl-Z concept can
    also be applied by simply entering a "?" at the 'Username:' prompt.
    Two things happen:

    1. The logged-in user information is set to "???", which suggests
       that, with some creativity and/or source code, unauthorized
       (resource challenged) users may be able to force an
       administrative shell.

    2. You are dropped into the command shell, in which you are able
       to use all the client programs (e.g. rsh, telnet, etc.).

SOLUTION

    New info expected. If you have this terminal server, test it.
    If you find yourself vulnerable to these attacks, contact your
    vendor for more information on how to protect yourself.

    It has not been tested whether this fixes the problem, but
    "REQUIRED"ing whatever option you have turned on, instead of just
    "ENABLED"ing it, may fix it. If RADIUS is enabled and a person
    enters an invalid login/password sequence and RADIUS fails
    authentication, then it works properly; but if RADIUS fails with
    another type of error, then since RADIUS is only enabled, not
    required, you get default access (whatever that may be?).
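
    The untested hypothesis above, modelled as a fail-open versus
    fail-closed login gate. This is an added example, not Xyplex
    firmware code; every name in it (Radius, Policy, radius_stub,
    login, unauthenticated_grants) is hypothetical and the RADIUS
    client is a constructed stub.

```python
from enum import Enum

class Radius(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    ERROR = "no usable reply"   # timeout or any failure that is not a reject

class Policy(Enum):
    ENABLED = "enabled"    # RADIUS is consulted but is not mandatory
    REQUIRED = "required"  # nothing is granted without an Access-Accept

def radius_stub(outcome):
    """Constructed stand-in for a RADIUS client; ERROR raises like a timeout."""
    def query(username, password):
        if outcome is Radius.ERROR:
            raise TimeoutError("no reply from RADIUS server")
        return outcome
    return query

def login(policy, query, username, password):
    """Return the access level granted: 'user', 'default' or None (refused)."""
    try:
        reply = query(username, password)
    except Exception:
        # The case the advisory describes: an error is not a rejection.
        # ENABLED falls through to default access, REQUIRED refuses.
        return "default" if policy is Policy.ENABLED else None
    return "user" if reply is Radius.ACCEPT else None

def unauthenticated_grants():
    """List every (policy, outcome, level) granted without an Access-Accept."""
    found = []
    for policy in Policy:
        for outcome in Radius:
            level = login(policy, radius_stub(outcome), "alice", "secret")
            if level is not None and outcome is not Radius.ACCEPT:
                found.append((policy.value, outcome.value, level))
    return found

if __name__ == "__main__":
    for row in unauthenticated_grants():
        print("access without Access-Accept:", row)
```

    Under this model an explicit reject is refused in both modes;
    only the error path under ENABLED yields access, which is why the
    gate has to treat "no usable reply" the same as a rejection.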