Netopia allows system logs to be viewed without login

netopia-view-system-log (5536) The risk level is classified as Medium Risk

Description:

Netopia 650-ST ISDN router running firmware could allow a remote attacker without any login credentials to view system files containing sensitive information. At the Telnet login screen, a remote attacker can type Ctrl+F to view the WAN event log or Ctrl+E to view the device event log. An attacker can use this vulnerability to obtain sensitive information, such as usernames and passwords.


Consequences:

Obtain Information

Remedy:

No remedy available as of September 1, 2014.

References:

  • BugTraq Mailing List, Wed Nov 15 2000 - 16:16:07 CST: Netopia ISDN Router 650-ST: Viewing of all system logs without login.
  • BID-1952: Netopia 650-T ISDN Router Username/Password Disclosure Vulnerability
  • CVE-1999-0571: A router's configuration service or management interface (such as a web server or telnet) is configured to allow connections from arbitrary hosts.
  • CVE-2000-1179: Netopia ISDN Router 650-ST before 4.3.5 allows remote attackers to read system logs without authentication by directly connecting to the login screen and typing certain control characters.
  • OSVDB ID: 1647: Netopia 650-T ISDN Router Credentials Disclosure

Platforms Affected:

  • Netopia Netopia 650-ST ISDN Router 3.3.2

Reported:

Nov 16, 2000

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
