`1. Problem Description
An undocumented account with a default password exists, additionally guest
users can DoS the switch.
2. Tested systems
The following versions were tested and found vulnerable:
Vertical Horizon VH-2402S with firmware 02.05.00
Vertical Horizon VH-2402S with firmware 02.05.09.07
All publically software versions before 2.05.09.08 are assumed to be
vulnerable. Additionally firmware for other Vertical Horizon switches has
been released on similar dates and according to the release notes the
vulnerability might be also present there.
3. Details
The undocumented account is user tiger with password tiger123
Additionally there are some debug commands available to all users after
pressing ctrl-f, ctrl-b, ctrl-g or ctrl-l when logged in via the serial
console or telnet. The write commands available after pressing ctrl-g
can be harmful to the switch - allowing any valid user including
guest user to remotely disable the switch.
4. Recommendations
As always it is good administrative practice to block access to
administrative interfaces (telnet, web, snmp) at the firewall. Upgrading
to firmware version 02.05.09.08 solves both problems: the undocumented
account is removed and the debug commands are only avaliable to users
with administrative privlidges.
5. Vendor status
Enterasys was informed on Mar 8 2005. The vendor responded on Mar 10 2005.
The fixed software is available from the Enterasys
support site http://www.enterasys.com/download/download.cgi?lib=vh
since June 16 2005. Unfortunately the vendor doesn't want to follow the
route of responsible full disclosure by not giving the researcher
proper credit.
6. Disclaimer
Neither I nor my employer is responsible for the use or misuse of
information in this advisory. The opinions expressed are my own and not
of any company. Any use of the information is at the user's own risk.
Jacek Lipkowski
sq5bpf at andra com pl
Andra Co. Ltd.
ul Pryzmaty 6/8
02-226 Warsaw, Poland
http://www.andra.com.pl
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation