3Com SuperStack II detected as router... or not.

Greetings!

Scanning our network with a router detection software, we detected that requests routed via the management IP address of the hub seemed to be routed onward. If the embedded management really did routing, this could be abused to circumvent network separation schemes (e.g. separate management and user networks).

The system in question is

	3Com SuperStack-II Dual Speed Hub 500
		Hardware	01.01.01
		Software	1.11
		Boot PROM	0.04

"Newer" releases (2.10 and up, which are some years old by themselves) do not show this behaviour. Firmware updates are (as always) available for free from 3Com.

Further testing showed that the old hub firmware does NOT route at all. It just (falsely) answers all ICMP echo-request packets sent to its hardware (MAC) address regardless the destination IP address.

As most router-detection schemes simply use Ping (ICMP) to test for routing function you'll get a False Positive from hubs equipped with the old firmware. So re-checking those alerts with a manual test with a real TCP connections (e.g. manual HTTP request) is (as always) highly recommended.

Solutions:

• install current firmware to the hub(s)
• double-check router-detection alerts

So no, 3Com SuperStack II hubs with old/ancient firmware do not do routing, even if your router detector told you otherwise...

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Bye

Volker Tanger

PS: Adventurous hackers could try to abuse this and fake a system

    "alive" to an ICMP-only NMS station. But as you need an on-line     ARP-spoofing station for such a treat anyway, this is more an     academic possibility.

-- 

ITK-Security
discon gmbh
DeTeWe AG & Co. KG

Fon +49 30 6104-3307
Fax +49 30 6104-3435
http://www.detewe.de/