Vulnerability
Lightwave Console 3200 telnetd

Affected
Lightwave Console 3200 telnetd

Description
John McInnes found the following. He has been testing a Lightwave ConsoleServer 3200 recently and has come across some potentially dangerous security weaknesses in the firmware.

To log in to the unit, you telnet to the console server on TCP port 23 for regular user access, or on TCP port 5000 for the System Administrator. When you initiate a telnet session, you are automatically dropped to a CLI, where you can type 'login' to start an authenticated session.

The problems John has discovered are that the system is vulnerable to brute-force password attacks, and that a malicious user can glean a certain amount of information about the unit and its environment without authentication of any kind.

To be specific, when telneting to the unit on port 23 to log in as a regular user, the connection is immediately accepted and you are dropped to a "pre-login prompt", where you must type 'login' to log in to the unit. After an unsuccessful login, you are again returned to the "pre-login prompt", where you can again type 'login' and start over. There is no delay associated with a failed login attempt, nor is the TCP connection even dropped to at least make brute forcing the unit a hassle for a malicious user. A brute-force attack could be expedited by already having a list of usernames, as described in the next paragraph.

John has discovered that when you telnet to the ConsoleServer 3200's System Administrator interface on TCP port 5000, you can use the built-in CLI to glean the following information in the "pre-login mode":

- What expansion cards are in the unit.
- Who is currently logged into the unit (allowing a malicious user to gather a list of users on the system).
- Which consoles (serial ports) have been configured (every configured serial port has a name, commonly the hostname of the attached machine).
- The status of the power supplies.
- Ethernet interface configuration (MAC address, gateway, netmask).

When you make three incorrect login attempts on the System Administrator port, the TCP connection is closed, but the failed attempts do not appear to be logged anywhere.

This sort of information leakage is of great concern to us, and it runs against the common belief that an unauthenticated user should not be able to get any information at all out of a host. If a malicious user were able to brute force a login, he or she could easily wreak havoc on any hosts or devices connected to the unit, the scope of which will be left to the imagination of the reader.

Solution
Keep it away from any internet-routable network.
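Because the unit neither delays nor drops nor logs repeated login failures, the only place to detect a brute-force attempt is on the network in front of it. The following is an added example (not part of the advisory and not Lightwave's code): a sliding-window counter over a constructed firewall connection log in an assumed 'epoch src dst dport' format, flagging sources that open many sessions to the two ports the advisory names.

```python
"""Flag bursts of connections to a Lightwave ConsoleServer 3200's login ports.

Log format ('epoch src dst dport', one connection per line) and the
threshold/window values are assumptions for this example, not the unit's.
"""
from collections import defaultdict, deque

# Ports named in the advisory: 23 (user login), 5000 (System Administrator).
WATCHED_PORTS = {23, 5000}

# Constructed sample log: 10.0.0.7 opens seven telnet sessions to the
# console server (10.0.0.1) within 12 seconds, plus one HTTP connection
# (ignored) and one session much later (outside the window); 10.0.0.9
# opens a single admin session.
SAMPLE_LOG = """\
1000 10.0.0.7 10.0.0.1 23
1002 10.0.0.7 10.0.0.1 23
1004 10.0.0.7 10.0.0.1 23
1005 10.0.0.9 10.0.0.1 5000
1006 10.0.0.7 10.0.0.1 23
1008 10.0.0.7 10.0.0.1 23
1010 10.0.0.7 10.0.0.1 80
1010 10.0.0.7 10.0.0.1 23
1012 10.0.0.7 10.0.0.1 23
2000 10.0.0.7 10.0.0.1 23
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def find_bursts(log_text, threshold=5, window=60):
    """Return {(src, dst, dport): peak_count} for every source that opened
    more than `threshold` connections to a watched port within any
    `window`-second span. Lines must be in time order."""
    recent = defaultdict(deque)  # per key: timestamps inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport not in WATCHED_PORTS:
            continue
        key = (src, dst, dport)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # expire old connections
            q.popleft()
        if len(q) > threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged
```

Pair the count with the three-strikes behaviour on port 5000: a burst of short-lived connections to that port is consistent with a client being disconnected and reconnecting.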