Steven M. Christey wrote:
> However, if all dip switches are off, the unit can defer to
> configuration as provided via an "Initial Setting Web".
Yeah, I had no idea what this meant either. Same goes for Mitsubishi's
UK tech support...
> be used to set the IP address (page 13). There is no statement that
> the tool restricts which address can be set, nor is there a
> recommendation that only local addresses should be used.
Indeed.
> It doesn't seem like much of a stretch that an admin might want to
> modify the address to something other than private addresses. Whether
> the Initial Setting Web will allow this is another question, but if
> so, then the scope of attack widens considerably.
Yep. I think the manual should really say "this device should be
connected directly to the ethernet socket of a computer, and that
computer should have locked down software to prevent unauthorised people
bypassing the security on the GB-50A".
I find it slightly scary that someone might have one of these on a
network that controls something like data centre aircon, and that an
attacker can scan for it trivially (what answers on port 80 with a 200
to a GET for /en/administrator.html) and turn off all the aircon in the
data centre...
> However, if all dip switches are off, the unit can defer to
> configuration as provided via an "Initial Setting Web".
Yeah, I had no idea what this meant either. Same goes for Mitsubishi's
UK tech support...
> be used to set the IP address (page 13). There is no statement that
> the tool restricts which address can be set, nor is there a
> recommendation that only local addresses should be used.
Indeed.
> It doesn't seem like much of a stretch that an admin might want to
> modify the address to something other than private addresses. Whether
> the Initial Setting Web will allow this is another question, but if
> so, then the scope of attack widens considerably.
Yep. I think the manual should really say "this device should be
connected directly to the ethernet socket of a computer, and that
computer should have locked down software to prevent unauthorised people
bypassing the security on the GB-50A".
I find it slightly scary that someone might have one of these on a
network that controls something like data centre aircon, and that an
attacker can scan for it trivially (what answers on port 80 with a 200
to a GET for /en/administrator.html) and turn off all the aircon in the
data centre...
cheers,
Chris
--
Simplistix - Content Management, Zope & Python Consulting
- http://www.simplistix.co.uk
[ reply ]