Vulnerability: Intel NetStructure 7180

Affected: Intel NetStructure 7180 (previously the Ipivot Commerce Accelerator 8000)

Description

The following is based on a L0pht Research Labs advisory. The NetStructure 7180 can be compromised via the admin console even after the admin password has been changed. Root access can be obtained via the Internet when the unit is used in a poorly configured or default configuration. Additionally, web based management authentication is done in the clear.

The NetStructure 7180 has two undocumented accounts, servnow and root, each with a password generated from the MAC address of the primary interface. By default, the NetStructure 7180 has an SNMP daemon running with a default community string of 'public'. Through this service one can determine the local MAC address without being on the local network segment. These accounts are afforded administrative access to the system, session keys, private certificates, a network sniffer, and other utilities. Through the use of the proof of concept code referenced below, one can log in and change the passwords to these accounts, thereby eliminating the backdoors.

The NetStructure 7180 was originally a product of Ipivot, and named the Ipivot Commerce Director 8000. The oversight affects NetStructure 7180 units as shipped in April 2000.

- The administrator password is overridden by an undocumented servnow and root password.
- The root and servnow passwords are derived from the primary ethernet MAC address of the NetStructure 7180.
- By SNMPwalk'ing the NetStructure 7180, one can obtain the MAC address.
- The method to change the root or servnow password is undocumented.

This leaves all NetStructure 7180s with an undocumented backdoor which can be accessed through the console port, giving the unauthorized user root privileges on the box. In the case of a poorly configured unit, or a unit left in the default management configuration, one can access the system over the Internet.
A few data points make this problem particularly disturbing:

- The NetStructure 7180 is the device converting https (encrypted) to http (unencrypted).
- The web based management is done in the clear (which is confusing to find in a device designed to handle encrypted communications).
- Network sniffing utilities are installed on the Ipivot by default.
- Configuration over telnet is preferred in the user documentation.
- The secret material that the password is derived from is the ethernet address of the public interface.
- An SNMP daemon is part of the default configuration with a community string of 'public'.
- The administration client can be easily obtained and reconstituted into completely readable and recompilable code using publicly available tools and methods.

L0pht will make the proof of concept tools available 5-15-2000 to independently verify and address the problem. PalmOS prc and unix source available at: http://www.l0pht.com/advisories/ipivot.tar.gz

Solution

Recommended fix:

1. Change the admin password after the first login.
2. Log in to the Ipivot as root, after obtaining the password from the Ipivot password generator.
3. After logging in, change the root password by issuing 'passwd' at the command prompt. Choose a strong password and do not forget it, as Intel Service personnel no longer have a way to remotely service the box.
4. Next issue 'passwd servnow' at the command prompt to change the servnow account. Again, choose a strong password and do not forget it.
5. Try to refrain from configuring the system outside of the CLI and web based management interfaces. Doing so may break things and completely void your warranty, above and beyond what you may have already performed by closing these backdoors.

Involved solution: aside from changing the passwords, you may want to shut down certain functionality of the Ipivot if it is not being used.
In the documentation we were supplied, these steps were not highlighted:

- Turn off CLI telnet access.
  enter: config sys security custom telnet disable
- Turn off SNMP if you do not need the statistics.
  enter: config sys security custom snmp disable
- If you would like SNMP, lock down SNMP reads and traps to the specific IPs of logging hosts or administration machines.
  enter: config sys snmp community create mib_name ip xxx.xxx.xxx.xxx rights ro
  enter: config sys snmp trap create xxx.xxx.xxx.xxx community community_string
- Turn off GUI access unless absolutely needed.
  enter: config sys security custom gui disable
- If you decide to use the GUI, change the management port to something other than the default of 1095.
  enter: config admin port xxxx
- Turn on Access Control Lists (ACL) and restrict management functionality to either your IP:
  enter: config sys security custom access-control enabled
  enter: config sys security custom acl add ip xxx.xxx.xxx.xxx
  or to a subnet entirely under your control:
  enter: config sys security custom acl add netmask xxx.xxx.xxx.xxx/x

As a result of this advisory Intel has:

1. Set up a security-info mail account through which one can notify Intel of security issues in their product, where one previously did not exist.
2. Provided patches for all customers at the following URL: http://216.188.41.136 or through an 800 number for customers with maintenance agreements.
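As an added example (not part of the advisory or of Intel's product), a small Python audit of the hardening checklist above: it parses a constructed list of commands written in the same syntax the advisory prints and reports which checklist items are still open. The command grammar and the reading of an ip of 0.0.0.0 as "any host" are assumptions.

```python
DEFAULT_GUI_PORT = 1095  # default management port named in the advisory
# Constructed sample (not a real device dump): commands an operator applied while hardening a unit.
SAMPLE_APPLIED = """
config sys security custom telnet disable
config sys snmp community create mib_name ip 192.0.2.10 rights ro
config sys snmp community create public ip 0.0.0.0 rights ro
config admin port 1095
config sys security custom access-control enabled
config sys security custom acl add ip 192.0.2.10
"""
def parse_commands(text):
    """Reduce command lines (syntax as printed in the advisory) to the settings the checks need."""
    st = {"telnet": None, "snmp": None, "gui": None, "gui_port": DEFAULT_GUI_PORT,
          "acl_enabled": False, "acl_entries": [], "communities": []}
    for line in text.splitlines():
        t = line.split()
        if t[:4] == ["config", "sys", "security", "custom"] and len(t) >= 6:
            if t[4] in ("telnet", "snmp", "gui"):
                st[t[4]] = t[5]                             # 'disable' or 'enable'
            elif t[4] == "access-control":
                st["acl_enabled"] = t[5] == "enabled"
            elif t[4] == "acl" and t[5] == "add" and len(t) >= 8:
                st["acl_entries"].append((t[6], t[7]))      # ('ip', addr) or ('netmask', cidr)
        elif t[:5] == ["config", "sys", "snmp", "community", "create"] and len(t) >= 10:
            st["communities"].append({"name": t[5], "ip": t[7], "rights": t[9]})
        elif t[:3] == ["config", "admin", "port"] and len(t) == 4:
            st["gui_port"] = int(t[3])
    return st

def audit(st):
    """Return the checklist items still open; an empty list means the baseline is met."""
    open_items = []
    if st["telnet"] != "disable":
        open_items.append("telnet: CLI telnet access still enabled (cleartext management)")
    if st["snmp"] != "disable":
        if not st["communities"]:
            open_items.append("snmp: enabled but no community locked to a specific host")
        for c in st["communities"]:
            if c["name"] == "public":
                open_items.append("snmp: default community 'public' still defined")
            if c["ip"] == "0.0.0.0" or c["rights"] != "ro":  # assumption: 0.0.0.0 means any host
                open_items.append("snmp: community %s not read-only from one host" % c["name"])
    if st["gui"] != "disable" and st["gui_port"] == DEFAULT_GUI_PORT:
        open_items.append("gui: web management enabled on default port %d" % DEFAULT_GUI_PORT)
    if not st["acl_enabled"]:
        open_items.append("acl: access control not enabled")
    elif not st["acl_entries"]:
        open_items.append("acl: enabled but no management host or subnet added")
    return open_items
```

Running `audit(parse_commands(SAMPLE_APPLIED))` on the constructed sample reports the leftover 'public' community, its unrestricted source, and the GUI still on port 1095; the telnet and ACL items pass.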