VYPR
Unrated severity · NVD Advisory · Published Aug 12, 1999 · Updated Apr 16, 2026

CVE-1999-1336

Description

A flood of IAC packets to the telnet port of 3Com HiperARC 4.0-4.2.29 causes an unconditional reboot.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A denial-of-service vulnerability exists in the telnet service of 3Com HiPer Access Router Card (HiperARC) running software versions 4.0 through 4.2.29. Sending a high volume of Telnet IAC (Interpret As Command) packets to the telnet port triggers a condition that forces the device to reboot unconditionally [1]. The issue is specific to IAC packets rather than other data, and certain IAC patterns are more efficient at causing the reboot [1].

Exploitation

An attacker can exploit this vulnerability from any network position that can reach the HiperARC, including across dial-up connections [1]. No authentication or prior access is required. The attacker floods the telnet port (TCP port 23) with a large number of specially crafted IAC packets. The provided exploit code (hiperbomb.c) demonstrates that at least 60,000 packets are typically needed to trigger the reboot [1]. The attack works over all interfaces [1].

Impact

Successful exploitation causes the HiperARC to unconditionally reboot, resulting in a denial of service (DoS). The device becomes unavailable until the reboot completes, disrupting network services routed through the card [1]. No data corruption or persistent compromise is reported.

Mitigation

3Com acknowledged the vulnerability and logged it under MR#11022 [2]. A software patch was planned but not immediately available at the time of disclosure [2]. As a workaround, administrators can restrict telnet access by adding a telnet client access list of trusted hosts and enabling the TELNET CLIENT_ACCESS feature [2]. It is also recommended to disallow telnet sessions from outside the trusted network [2]. The workaround details are available in the 3Com Knowledge Base under document ID 2.0.2107762.2279004 [2].
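
For monitoring alongside the access-list workaround, the following is an added detection example, not code from the advisory or from 3Com: it parses client-to-server telnet payloads per RFC 854 and flags sources whose traffic is almost entirely IAC command sequences. The function names, thresholds and sample addresses are assumptions, and each segment is parsed independently, so a command split across segments is counted approximately.

```python
from collections import Counter

IAC, SB, SE = 255, 250, 240          # RFC 854 command bytes
NEGOTIATION = {251, 252, 253, 254}   # WILL, WONT, DO, DONT (each takes an option byte)

def count_iac(payload: bytes) -> tuple[int, int]:
    """Return (iac_commands, data_bytes) for one client-to-server payload."""
    commands = data = i = 0
    n = len(payload)
    while i < n:
        if payload[i] != IAC:
            data += 1
            i += 1
        elif i + 1 < n and payload[i + 1] == IAC:
            data += 1                # IAC IAC is an escaped literal 0xFF data byte
            i += 2
        else:
            commands += 1
            cmd = payload[i + 1] if i + 1 < n else None  # None: segment ends mid-command
            if cmd in NEGOTIATION:
                i += 3
            elif cmd == SB:          # subnegotiation: skip to the closing IAC SE
                i += 2
                while i < n and payload[i:i + 2] != bytes([IAC, SE]):
                    i += 2 if payload[i:i + 2] == bytes([IAC, IAC]) else 1
                i += 2
            else:
                i += 2               # two-byte command such as NOP or AYT
    return commands, data

def flag_sources(segments, min_commands=1000, min_ratio=0.9):
    """segments: iterable of (source, payload). Thresholds are assumed, tune per site."""
    cmds, data = Counter(), Counter()
    for src, payload in segments:
        c, d = count_iac(payload)
        cmds[src] += c
        data[src] += d
    return sorted(s for s in cmds if cmds[s] >= min_commands
                  and cmds[s] / max(1, cmds[s] + data[s]) >= min_ratio)

# Constructed sample input (documentation addresses, not captured traffic).
SAMPLE = [
    ("192.0.2.10", bytes([IAC, 253, 1, IAC, 251, 31]) + b"admin\r\n"),
    ("192.0.2.10", b"show version\r\n"),
    ("198.51.100.7", bytes([IAC, 241]) * 1500),   # nothing but IAC NOP
]

if __name__ == "__main__":
    print(flag_sources(SAMPLE))
```

A normal interactive session negotiates a handful of options and then sends mostly data, so it stays well below both thresholds.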

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
