[VulnWatch] FVS318 Config stores usernames/passwd's in plain text

From: FVS (fab@aisec.net)
Date: 09/27/02


From: FVS <fab@aisec.net>
To: vulnwatch@vulnwatch.org
Date: Fri, 27 Sep 2002 12:40:38 -0400


Hi All..

Attached is an Advisory concerning Netgear's FVS318 Firewall/VPN/Router, and
the fact that it stores Usernames and Passwords in plain text if the config
is backed up.

Thanks,

fab@aisec.net
http://www.aisec.net
Information Security Team.
 -=-=-=-=-=-=-=-=-=-=-=-=-=-


AIS advisory # 0006 NETGEAR FVS318 Firewall Router Firmware 1.1
Username/Password Disclosure

==============Summary================

Netgear's FVS318 Firewall/VPN/Router stores Usernames and Passwords
in plain text when a backup of the configuration is made.

==========Software Affected==========

Netgear FVS318 firmware 1.1 and every firmware version before it.

===============Vendor================

http://www.netgear.com

=========Product Description=========
Taken from their site : http://www.netgear.com

"Want the utmost in network security for your office? NETGEAR's FVS318
ProSafe VPN Firewall provides business-class protection at a NAT router
price. This completely equipped, broadband-capable Virtual Private
Network (VPN) firewall is a true firewall and provides it all –
Denial of Service (DoS) protection and Intrusion Detection using Stateful
Packet Inspection (SPI), URL access and content filtering, logging,
\reporting, and real-time alerts. It initiates up to 8 IPSec VPN tunnels
simultaneously, reducing your operating costs and maximizing the security
of your network. With 8 auto-sensing, Auto Uplink™ switched LAN ports
and Network Address Translation (NAT) routing, up to 253 users can access
your broadband connection at the same time."

============Vulnerability============

The web interface includes a backup option to store your current config
just in case anything happens....

For the most part, the file isn't readable except for a few words, in
particular, your Username to your ISP internet connection, and the password
to the web admin interface which listens on port 80 by default. This port
can be changed to whatever you like, but probably not many people do that.

I would consider this a local threat because you can only get to the web interface
from inside the local LAN. Unless you enable Remote Management, which listens on port
8080 by default.

The default username for the web interface can't be changed, it's always "admin"...

Any good admin makes a backup of their working configs ;)

================FIX (if any) ========
Use PGP to encrypt your files, if Netgear doesn't encrypt them for you.

============Discovered by============
fab@aisec.net
http://www.aisec.net
Information Security Team.



Relevant Pages

  • NETGEAR FVS318 Information Disclosure
    ... Passwords in plain text if the config is backed up. ... Netgear's FVS318 Firewall/VPN/Router stores Usernames and Passwords in ... ProSafe VPN Firewall provides business-class protection at a NAT ...
    (Bugtraq)
  • RE: ssh security question
    ... They were doing a simple dictionary attack using common usernames and it ... Your best bet is to ensure your passwords are not easy to crack, ... Information Security Specialist | CIBC Enterprise Information ... firewall - so I could access the centos server remotely. ...
    (SSH)
  • RE: cannot access xp share
    ... Did you also try turning off the firewall and av software on the XP computer? ... Did any passwords or usernames get changed? ... same username still being used to log into the Vista computer? ...
    (microsoft.public.windows.vista.networking_sharing)
  • Re: EPP Cost vs. Coupon Cost?
    ... Jay is right, don't get the, McAfee Security Center with ... VirusScan, Firewall, Spyware Removal, 15-months. ... i routinely buy the 1.83 for around $800 in your config. ... Network Card and Modem Integrated 10/100 Network Card and Modem ...
    (alt.sys.pc-clone.dell)
  • RE: Configure Firewall fails
    ... 39856232-Configure Firewall fails. ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ... <configuration, it completes all steps (Network Config, Secure Web Site ...
    (microsoft.public.windows.server.sbs)