Vulnerability

IBM 8237

Affected

Systems running IBM 8237 HUB (others?)

Description

'pmsac' stepped into a "feature" of an IBM 8237 hub: the firmware contains a "factory default" username and password in cleartext. The respective user has administrative rights on the hub. As this factory username doesn't show in the hub's users section, it would be nice of them to put it in the documentation. Needless to say, you can't change it without manually editing the firmware file before downloading it to the hub.

This feature is confirmed on an 8237 hub, model 003, firmware version 1.27 (other firmware versions are suspected to have it, too). Models 001 seem unaffected (looking at version 1.08 of the firmware). Also, this model, if affected, would only be vulnerable if a possible intruder had physical access to the hub. DoS and disclosure of SNMP communities are some of the obvious consequences of this feature. Other kinds of hub (8225, others) could be vulnerable.

He also managed to overcome the checksum problem and has written a dirty little program that will, based on a chunk of the firmware, ask for a new login and password and then show how that chunk must be rewritten (you still have to do this by hand). The program source is available on demand (pmsac@TOXYN.ORG). The login is reduced to 9 characters instead of the usual 14, and some of the missing bytes are used to make a checksum-correct image.

Solution

Nothing yet.
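The checksum workaround from the description, as an added example that is neither pmsac's program nor code from the advisory; it shows why a plain checksum does not stop a firmware image from being edited. Assumptions: a 16-bit additive checksum, a 14-byte password field, one NUL terminator plus four spare bytes after the 9-character login, and a constructed chunk with placeholder credentials.

```python
LOGIN_FIELD = 14   # usual login width (from the advisory)
LOGIN_MAX = 9      # login width after patching (from the advisory)
PASS_FIELD = 14    # assumed password field width
FIX_BYTES = LOGIN_FIELD - LOGIN_MAX - 1  # assumed: 1 NUL terminator, 4 spare bytes


def checksum(chunk: bytes) -> int:
    """Assumed algorithm: 16-bit sum of every byte in the chunk."""
    return sum(chunk) & 0xFFFF


def patch_credentials(chunk: bytes, offset: int, login: bytes, password: bytes) -> bytes:
    """Return a copy of chunk with new credentials and the original checksum."""
    if not 0 < len(login) <= LOGIN_MAX or not 0 < len(password) <= PASS_FIELD:
        raise ValueError("credential does not fit its field")
    pass_at = offset + LOGIN_FIELD
    if pass_at + PASS_FIELD > len(chunk):
        raise ValueError("credential fields run past the end of the chunk")
    patched = bytearray(chunk)
    patched[offset:pass_at] = login.ljust(LOGIN_FIELD, b"\0")
    patched[pass_at:pass_at + PASS_FIELD] = password.ljust(PASS_FIELD, b"\0")
    # Amount the spare bytes must add back so the sum equals the original.
    delta = (checksum(chunk) - checksum(patched)) & 0xFFFF
    if delta > 255 * FIX_BYTES:
        raise ValueError("spare bytes cannot absorb the checksum difference")
    fix_at = offset + LOGIN_MAX + 1
    for i in range(fix_at, fix_at + FIX_BYTES):
        patched[i] = min(delta, 255)
        delta -= patched[i]
    return bytes(patched)


# Constructed sample chunk with placeholder credentials (not the real ones).
SAMPLE = (bytes(range(32)) + b"FACTORYLOGIN".ljust(14, b"\0")
          + b"FACTORYPASSWD".ljust(14, b"\0") + bytes(16))
PATCHED = patch_credentials(SAMPLE, 32, b"netadmin", b"Zq7pLm2x")

if __name__ == "__main__":
    print(f"original {checksum(SAMPLE):#06x}  patched {checksum(PATCHED):#06x}")
```

Under this model the spare bytes can only raise the sum, so replacement credentials whose bytes add up to more than the originals are rejected.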