Computer networking giant 3Com notified users of its switching devices that passwords used by the company's support operations have leaked onto public discussion groups, necessitating an overhaul in login administration for certain products by the company's installed base.
Possible intrusions via the passwords could affect the operation of 3Com's CoreBuilder and SuperStack II switching models.
If an unauthorized user gained access to a network switch, that user could reconfigure the device or view different types of traffic running through it, potentially wreaking havoc on the performance and security of a network. Use of the passwords essentially allows a user to gain "back door" entry into a switching system.
3Com said it would post an updated version of software for certain models by May 20 and also encouraged customers to change their internal passwords for the equipment. The company posted an advisory on its Web site that covers specific measures and the products affected.
"The passwords were only given out when a customer had a specific problem," said Duncan Potter, 3Com's product line director for switching products. "Unfortunately, since these things were publicly posted, there is no accompanying advisory from 3Com saying: 'By the way, you need to change your password.'"
The passwords, intended for use in support situations by customers or 3Com service personnel, were posted to various Net-based email security discussion groups, such as Bugtraq.
3Com did not want to discuss the postings. "I'm not sure we want to comment on that," Potter said. But executives said they believed there was "no malice at all" intended in releasing the information in a public forum.
The possible breaches exposed by the release of the password information have been a hot topic for security and information technology professionals in recent weeks.
3Com said certain products--the CoreBuilder 3500 and the SuperStack II 3900 and 9300--have similar mechanisms, but on those models the special support password is kept in sync with the administrative passwords.
3Com said the security hole in its products could be particularly acute for customers with no security policies in place, but operations with advanced security administration and firewall capabilities need only tighten their password policies.
The company also advised customers to change a "community string" element of the Simple Network Management Protocol (SNMP) so that it is known only to authorized staff. The advisory is meant as an SNMP-specific precaution and applies to the company's CoreBuilder 2500, 3500, and 6000, and SuperStack II 2200, 3900, and 9300.