(ASCEND) Max ConsoleStateChange - Security Hole, or Bug?

To: ascend-users@max.bungi.com
Subject: (ASCEND) Max ConsoleStateChange - Security Hole, or Bug?
From: James Fischer <jfischer@supercollider.com>
Date: Sun, 09 Nov 1997 19:33:57 +0000
Sender: owner-ascend-users@max.bungi.com
We have a pair of Maxen that are periodically issuing consoleStateChange 
traps that are highly unusual: 

        a) The traps come in pairs, with the second trap
           one to two seconds behind the first, or within 
           the same second.  Other than the timing, the traps
           are identical to traps that are issued when a tech
           telnets into, changes access level, or drops a telnet
           session with a Max.

        b) I run a pretty tight ship, so sessions invoked by
           authorized employees are logged.  These traps are
           not being caused by authorized personnel.

        c) There appears to be no possible way for a human
           to create two of these traps within a second
           of each other.  We have tried, and simply typing
           passwords and navigating the Max user interface
           takes too long.

        d) Since the Ascend trap gives NO information as to
           the source of the connection to the console, we
           have watched traffic on the ethernet side of the 
           Maxen, to no avail.

        e) When these traps are received, NOC staff quickly
           look at Ascend's consoleInfoConsoleEntry, and have 
           consistently found no one connected to the Max in question.

        f) We have audited the radius logs, and have not found
           any single user who is consistently logged onto the
           Maxen in question when these traps show up.

        g) Passwords for all devices are changed weekly, the
           Maxen among them.

        h) All equipment is locked in unmanned locations and
           protected by alarm systems, so we would tend to
           know if someone was plugging a laptop into a Max.  :)
           
        i) Traps of this nature are a great concern, since they
           imply a security problem - we want to know if anyone
           attempts to "break into" our infrastructure gear.

        j) Ascend 1st-level tech support was not much help on
           this issue.

        Has anyone else seen this sort of activity?  I suspect
        a bug in Ascend's microcode, since we did not notice this
        prior to 5.0Ap13.

        Would others that catch traps and keep logs of traps please
        look for similar events?  I will likely need confirmation 
        from another independent source to be able to present clear
        and compelling evidence to Ascend.
           
Examples since 9/30/97 are shown below, in pairs.  The last example 
shown is highly unusual, since it is from a newly-installed Max, and 
NO ONE was logged into or sending any traffic via ethernet to that 
Max when the trap was issued, indicating that we do have a bug here, 
rather than a security issue.

        The traps listed below are from a Max 4004, running 
        5.0Ap13 (SNMP community strings blanked to protect
        the innocent):

9/30/97  22:07:29 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
9/30/97  22:07:30 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/3/97  11:57:42 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97  11:57:43 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/3/97  13:53:31 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97  13:53:32 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/3/97  14:12:54 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97  14:12:55 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/3/97  14:16:46 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97  14:16:47 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/3/97  21:44:52 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97  21:44:54 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/3/97  21:49:06 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/3/97  21:49:07 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/8/97  18:36:38 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/8/97  18:36:39 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/9/97  12:20:10 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/9/97  12:20:11 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/9/97  12:23:20 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/9/97  12:23:21 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/19/97 00:40:21 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/19/97 00:40:22 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/22/97 09:03:19 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/22/97 09:03:20 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/22/97 16:02:47 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/22/97 16:02:48 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/22/97 16:10:07 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/22/97 16:10:08 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/22/97 16:37:29 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/22/97 16:37:31 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/22/97 17:36:11 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.3=3
10/22/97 17:36:12 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.3=3

10/24/97 21:16:47 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/24/97 21:16:47 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/26/97 21:40:54 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/26/97 21:40:54 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/27/97 19:01:43 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/27/97 19:01:44 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/29/97 13:39:52 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 13:39:52 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/29/97 13:45:59 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 13:45:59 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/29/97 13:47:58 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 13:47:59 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/29/97 14:01:44 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 14:01:44 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/29/97 14:02:40 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 14:02:41 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/29/97 14:04:01 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 14:04:02 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/29/97 15:21:00 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 15:21:01 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/29/97 16:49:12 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 16:49:12 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/29/97 17:12:26 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 17:12:26 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/29/97 17:24:03 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 17:24:04 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

10/29/97 17:48:09 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
10/29/97 17:48:09 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

11/1/97  12:15:45 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
11/1/97  12:15:46 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

11/2/97  14:31:47 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
11/2/97  14:31:47 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

11/3/97  20:40:10 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
11/3/97  20:40:10 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

11/9/97  15:37:36 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2
11/9/97  15:37:36 Ascend consoleStateChange, ent=max4000, comm=##,
consoleIndex.2=2

        Here is the trap from a Max when no one was dialed in.
        Logs from a snoop session show no traffic, other than
        the SNMP trap itself.
        This is from a Max 4048 running 5.0Ap33

11/9/97  17:59:41 Rocky-Ascend consoleStateChange, ent=ascend, comm=##,
consoleIndex.2=2
11/9/97  17:59:43 Rocky-Ascend consoleStateChange, ent=ascend, comm=##,
consoleIndex.2=2


   It is easier to live up to one's reputation than to live one down

james fischer                                jfischer@supercollider.com

++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>
Prev by Date: (ASCEND) Pipeline 50 Config Question
Next by Date: (ASCEND) Routing Phone calls?
Prev by thread: (ASCEND) Routing Phone calls?
Next by thread: (ASCEND) Pipeline 50 Config Question
Index(es):
- Main
- Thread