<<< Date Index >>>     <<< Thread Index >>>

Asante FM2008 10/100 Ethernet switch backdoor login




The Asante FM2008 is an 8 port managed Ethernet 10/100 switch.  It may be 
managed, like many others in its device class, by Telnet, by serial port, by 
HTTP, or by SNMP.  Also like most similar devices, the serial port, HTTP, and 
Telnet access methods require one to provide username/password credentials.

The firmware version "v01.06" has three UIs: Web browser, character cell 
terminal (Telnet/serial port) with cursor positioning (hereafter just called 
"terminal"), and CLI.  The access control model of that firmware shares one set 
of user-configurable credentials between the serial port, HTTP, and Telnet 
access methods.  The "normal" terminal interface limits the "username" and 
"password" to eight characters each.  The Web browser access method does not 
appear to have such limitations.  The "alternate," or CLI, interface can be 
accessed via Telnet or the serial port by entering "superuser" for the username 
and "asante" for the password.  This CLI is not documented in the User Manual, 
but one of the CLI commands is "help" which provides help (in English) of the 
available commands and their parameters.  There is no command I can find to 
alter this set of credentials directly (although one of the memory address or 
port alteration commands may be able to do this).  The backdoor cr
 edentials do not seem to be valid for the HTTP access method.

Another separate problem that could be considered a vulnerability is that 
configuration backups (initiated via the Web browser interface and accomplished 
in conjunction with a TFTP server) are not obscured (let alone encrypted) in 
any way.  This is how I discovered this backdoor set of credentials: examining 
a TFTP dump of the switch's configuration.

If one simply edits the strings "superuser" and "asante" in the dump file and 
restores the switch configuration via TFTP, upon switch restart the 
configuration checksum is invalid and the firmware reverts to factory defaults. 
 If someone can figure out  how to generate a proper checksum and insert it 
into this TFTP file (and restore it to the switch), the backdoor might be 
mitigated.

Although only a workaround and in my opinion not a fix, since the Web browser 
interface does not place (known) limitations on the username length, the 
user-configured username can be entered as "superuser" and the password can be 
of one's choosing.  (The terminal interface limits one to entering only 
"superuse" on the configuration screen for this purpose.  The switch does not 
limit the number of characters to 8 when authenticating however.)  The behavior 
of the firmware is such that this would supercede the backdoor credentials, 
thus making the backdoor and the CLI inaccessible.

The SNMP access method of course has its own community string authorization and 
access control mechanisms, which is not covered in this message.

Since Asante has been made aware of this problem since August and has provided 
no update or communication of any kind since September, I felt it has been an 
awfully long time to fix what seems to be a simple firmware problem, and that 
any users of this switch should know about this and implement the "superuser 
password override" workaround outlined above ASAP.