Default Device Password
Updated 10/21/02
Impact
A remote attacker could gain access to the device, allowing
him or her to cause a denial of service, change the configuration,
install malicious firmware, or gain unauthorized access to
the internal network.
Background
Routers and other networking devices often contain administrative
interfaces to allow the network administrator to make configuration
changes or diagnose problems remotely. The Telnet, FTP,
and HTTP protocols are commonly used to
provide such interfaces. It is usually necessary to provide
a password in order to access the device.
The Problem
Some devices are shipped with known default passwords.
If these devices are installed in an operational environment
with the default passwords still in place, they provide a
remote attacker with an easy way to gain access to the device.
Once access has been gained, the attacker could cause a
denial of service, make unauthorized configuration changes,
install malicious firmware, or route packets to machines
on the internal network that would otherwise be blocked
by the router.
Related CVE entries:
CAN 2002-1229 Avaya Cajun switches
CAN 2002-1440 Gateway GS-400
Resolution
Change the password to something other than the default.
A recommended password is at least eight characters long,
contains both letters and numbers, and is not based on any
associated information such as account names, users' names,
or DNS names.
8/26/02
NOTE: In some cases, notably the Gateway GS-400 server
vulnerability, changing the password may void the
manufacturer's warranty.
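The guideline above can be checked mechanically before a password is set on a device. The following is an added example, not part of the original tutorial; the function names, the small default-password set, and the sample host and account names are constructed for illustration.

```python
import re

# Constructed sample of defaults; a real audit would load the
# vendor-documented defaults for the devices actually deployed.
KNOWN_DEFAULTS = {"admin", "password", "1234", "changeme"}

# Common character substitutions, undone before comparing against names.
LEET = str.maketrans("013457@$", "oieastas")


def _tokens(associated):
    """Split account names, user names and DNS names into comparable parts."""
    parts = set()
    for item in associated:
        for part in re.split(r"[^a-z0-9]+", item.lower()):
            if len(part) >= 4:          # shorter fragments match too much
                parts.add(part)
    return parts


def check_device_password(password, associated=(), defaults=KNOWN_DEFAULTS):
    """Return the reasons a password fails the guideline (empty list = ok)."""
    problems = []
    lowered = password.lower()
    if lowered in defaults:
        problems.append("is a known default")
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and numbers")
    # Compare plain, de-substituted and reversed forms against each token.
    forms = {lowered, lowered.translate(LEET)}
    forms |= {f[::-1] for f in forms}
    for tok in sorted(_tokens(associated)):
        if any(tok in f for f in forms):
            problems.append(f"based on associated name '{tok}'")
    return problems


if __name__ == "__main__":
    names = ["core-router.example.net", "netadmin"]   # constructed sample
    for candidate in ["admin", "R0ut3r-core9", "nimdaten42", "tq7Lw9vKx2"]:
        print(candidate, "->", check_device_password(candidate, names) or "ok")
```

Substitutions and reversal are covered because a password such as the device's own host name with digits swapped in meets the length and character rules while still being derived from associated information.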
Where can I read more about this?
Walter Belgers' paper,
UNIX password security, is a good reference on strengthening passwords.
Although it focuses on UNIX, the password guidelines presented
in this paper are applicable to all devices.
The default password vulnerability in ZyXEL Prestige routers
was posted to Bugtraq.
Information regarding the Gateway GS-400 server vulnerability is available in
Bugtraq.
The default password vulnerability in Avaya switches was posted to Bugtraq.