Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:7345
HistoryDec 16, 2004 - 12:00 a.m.

Asante FM2008 10/100 Ethernet switch backdoor login

2004-12-1600:00:00
vulners.com
26
JSON

The Asante FM2008 is an 8 port managed Ethernet 10/100 switch. It may be managed, like many others in its
device class, by Telnet, by serial port, by HTTP, or by SNMP. Also like most similar devices, the serial
port, HTTP, and Telnet access methods require one to provide username/password credentials.

The firmware version "v01.06" has three UIs: Web browser, character cell terminal (Telnet/serial port) with
cursor positioning (hereafter just called "terminal"), and CLI. The access control model of that firmware
shares one set of user-configurable credentials between the serial port, HTTP, and Telnet access methods. The
"normal" terminal interface limits the "username" and "password" to eight characters each. The Web browser
access method does not appear to have such limitations. The "alternate," or CLI, interface can be accessed
via Telnet or the serial port by entering "superuser" for the username and "asante" for the password. This
CLI is not documented in the User Manual, but one of the CLI commands is "help" which provides help (in
English) of the available commands and their parameters. There is no command I can find to alter this set of
credentials directly (although one of the memory address or port alteration commands may be able to do this).
The backdoor cr
edentials do not seem to be valid for the HTTP access method.

Another separate problem that could be considered a vulnerability is that configuration backups (initiated
via the Web browser interface and accomplished in conjunction with a TFTP server) are not obscured (let alone
encrypted) in any way. This is how I discovered this backdoor set of credentials: examining a TFTP dump of
the switch's configuration.

If one simply edits the strings "superuser" and "asante" in the dump file and restores the switch
configuration via TFTP, upon switch restart the configuration checksum is invalid and the firmware reverts to
factory defaults. If someone can figure out how to generate a proper checksum and insert it into this TFTP
file (and restore it to the switch), the backdoor might be mitigated.

Although only a workaround and in my opinion not a fix, since the Web browser interface does not place
(known) limitations on the username length, the user-configured username can be entered as "superuser" and the
password can be of one's choosing. (The terminal interface limits one to entering only "superuse" on the
configuration screen for this purpose. The switch does not limit the number of characters to 8 when
authenticating however.) The behavior of the firmware is such that this would supercede the backdoor
credentials, thus making the backdoor and the CLI inaccessible.

The SNMP access method of course has its own community string authorization and access control mechanisms,
which is not covered in this message.

Since Asante has been made aware of this problem since August and has provided no update or communication of
any kind since September, I felt it has been an awfully long time to fix what seems to be a simple firmware
problem, and that any users of this switch should know about this and implement the "superuser password
override" workaround outlined above ASAP.

JSON