X-Sender: pmr@flowpnt
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.3.96.990414175052.28697B-100000@flowpnt>
Date: 	Wed, 14 Apr 1999 18:07:59 -0700
Reply-To: Philip Rakity <pmr@flowpoint.com>
Sender: Bugtraq List <BUGTRAQ@netspace.org>
From: Philip Rakity <pmr@flowpoint.com>
Subject:      FlowPoint ADSL Reported Problem
X-To:         dbrumley@goju.stanford.edu
X-cc:         Dano Ybarra <dano@flowpoint.com>,
              Stewart Hulett <stu@flowpoint.com>
To: BUGTRAQ@netspace.org
In-Reply-To:  <01BE869B.D4D2F300.roger@flowpoint.com>

Recently there was a note in the bug list (below) indicating that
FlowPoint Routers do not set an administration password.  This statement
is false, but the vulnerability of the router to folks not changing the
default router password is well known.

Our GUI asks the user to change the password.

Release 3.0.2 onwards requires the user to enter the password
to access any information via the console or telnet.

Access control to the router via telnet and snmp can be controlled via
access lists using the command

system addtelnetfilter <IP Addresses>
system addsnmpfilter <IP Addresses>

The SNMP Community name can be changed as well as the ports used to access
Telnet and SNMP.  In addition, access to the router via SNMP and Telnet
can be turned off.  The commands

system telnetport <Port No>
system snmpport <Port No>

A <Port No> of 0 stops access to the router.

In addition, an IP Filtering package similar to the Linux Firewall
capability is available as an option.


kind regards,

Philip Rakity

Vice President Product Development
FlowPoint Corporation
180 Knowles Drive
Suite 100
Los Gatos, CA 95030
USA

e-mail:    pmr@flowpoint.com
 phone:    +1 (408) 364-8300
   fax:    +1 (408) 364-8301

>
> -----Original Message-----
> From:	David Brumley [SMTP:dbrumley@GOJU.STANFORD.EDU]
> Sent:	Tuesday, April 13, 1999 11:02 PM
> Subject:	aDSL routers
>
> Welp, aDSL is here.  And at least one manufacturer, flowpoint, sets no
> admin password.  It's in the documentation, so I assume the
> company already knows about this vulnerability:) System managers
> who have aDSL access often overlook this, so I thought I'd point it out.
> A quick fix: disable telnet access to all of your aDSL router IP's.
> Better fix: set an admin password.
>
> Version tested:
> FlowPoint/2000 ADSL Router
> FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
> Software version v1.4.5 built Tue Aug 11 23:20:20 PDT 1998
>
> Cheers,
> -db
>