重敢用TPLink managed switch?

Multiple product vulnerabilities: all TP-Link "2-series" switches, all TP-Link VxWorks-based product

Vendor affected: TP-Link (http://tp-link.com)

Products affected:
  * All TP-Link VxWorks-based devices (confirmed by vendor)
  * All "2-series" switches (confirmed by vendor)
  * TL-SG2008 semi-managed switch (confirmed by vendor)
  * TL-SG2216 semi-managed switch (confirmed by vendor)
  * TL-SG2424 semi-managed switch (confirmed by vendor)
  * TL-SG2424P semi-managed switch (confirmed by vendor)
  * TL-SG2452 semi-managed switch (confirmed by vendor)

Vulnerabilities:
  * All previously-reported VxWorks vulnerabilities from 6.6.0 on;
    at the very least:
    * CVE-2013-0716 (confirmed by vendor)
    * CVE-2013-0715 (confirmed by vendor)
    * CVE-2013-0714 (confirmed by vendor)
    * CVE-2013-0713 (confirmed by vendor)
    * CVE-2013-0712 (confirmed by vendor)
    * CVE-2013-0711 (confirmed by vendor)
    * CVE-2010-2967 (confirmed by vendor)
    * CVE-2010-2966 (confirmed by vendor)
    * CVE-2008-2476 (confirmed by vendor)
  * SSLv2 is available and cannot be disabled unless HTTPS is
    completely disabled (allows downgrade attacks)
    (confirmed by vendor)
  * SSL (v2, v3) offers insecure cipher suites and HMACs which cannot
    be disabled (allows downgrade attacks)
    (confirmed by vendor)

Design flaws:
  * Telnet is available and cannot be disabled (confirmed by vendor)
  * SSHv1 enabled by default if SSH is enabled (confirmed by vendor)

Vendor response:
  TP-Link are not convinced that these flaws should be repaired.

  TP-Link's Internet presence -- or at least DNS -- is available only
  intermittently. Most emails bounced. Lost contact with vendor, but
  did confirm that development lead is now on holiday and will not
  return for at least a week.

  Initial vendor reaction was to recommend purchase of "3-series"
  switches. Vendor did not offer reasons why "3-series" switches would
  be more secure, apart from lack of telnet service. Vendor confirmed
  that no development time can be allocated to securing "2-series"
  product and all focus has shifted to newer products.

  (TL-SG2008 first product availability July 2014...)

  Vendor deeply confused about security of DES/3DES, MD5, claimed that
  all security is relative. ("...[E]ven SHA-1 can be cracked, they just
  have different security level.")

Fix availability:
  None.

Work-arounds advised:
  None possible. Remove products from network.

source: http://seclists.org/fulldisclosure/2014/Oct/6

有咩牌子switch好呀? HP ?
好似tplink咁平又有無alternatives ?

TOP

有咩牌子switch好呀? HP ?
好似tplink咁平又有無alternatives ?
Bomber 發表於 2014-10-3 09:21



    可以諗下Allied Telesis

TOP

tp-link 好多時出左新hardware revision後
舊版就有咩bug都唔理

TOP

相關文章