Type packetstorm
Reporter Jacek Lipkowski
Modified 2005-06-21T00:00:00


                                            `1. Problem Description  
An undocumented account with a default password exists, additionally guest   
users can DoS the switch.  
2. Tested systems  
The following versions were tested and found vulnerable:  
Vertical Horizon VH-2402S with firmware 02.05.00  
Vertical Horizon VH-2402S with firmware  
All publically software versions before are assumed to be   
vulnerable. Additionally firmware for other Vertical Horizon switches has   
been released on similar dates and according to the release notes the   
vulnerability might be also present there.  
3. Details  
The undocumented account is user tiger with password tiger123  
Additionally there are some debug commands available to all users after   
pressing ctrl-f, ctrl-b, ctrl-g or ctrl-l when logged in via the serial   
console or telnet. The write commands available after pressing ctrl-g   
can be harmful to the switch - allowing any valid user including   
guest user to remotely disable the switch.  
4. Recommendations  
As always it is good administrative practice to block access to   
administrative interfaces (telnet, web, snmp) at the firewall. Upgrading   
to firmware version solves both problems: the undocumented  
account is removed and the debug commands are only avaliable to users  
with administrative privlidges.  
5. Vendor status  
Enterasys was informed on Mar 8 2005. The vendor responded on Mar 10 2005.   
The fixed software is available from the Enterasys   
support site http://www.enterasys.com/download/download.cgi?lib=vh  
since June 16 2005. Unfortunately the vendor doesn't want to follow the  
route of responsible full disclosure by not giving the researcher   
proper credit.  
6. Disclaimer  
Neither I nor my employer is responsible for the use or misuse of  
information in this advisory. The opinions expressed are my own and not  
of any company. Any use of the information is at the user's own risk.  
Jacek Lipkowski  
sq5bpf at andra com pl  
Andra Co. Ltd.  
ul Pryzmaty 6/8  
02-226 Warsaw, Poland