
SEC Consult SA-20181130-0 :: Multiple Vulnerabilities in Siglent Technologies SDS 1202X-E Digital Oscilloscope

Started by Jim Whitby November 30, 2018
Just got a news flash on this:

https://seclists.org/fulldisclosure/2018/Nov/68

Apparently it uses Telnet for the network connections, Easy root access 
to anyone.
On Friday, 30 November 2018 at 22:34:11 UTC+1, Jim Whitby wrote:
> Just got a news flash on this:
>
> https://seclists.org/fulldisclosure/2018/Nov/68
>
> Apparently it uses Telnet for the network connections, Easy root access
> to anyone.

anyone on the local network so is it really an issue?
On Fri, 30 Nov 2018 13:37:59 -0800, Lasse Langwadt Christensen wrote:

> On Friday, 30 November 2018 at 22:34:11 UTC+1, Jim Whitby wrote:
>> Just got a news flash on this:
>>
>> https://seclists.org/fulldisclosure/2018/Nov/68
>>
>> Apparently it uses Telnet for the network connections, Easy root access
>> to anyone.
>
> anyone on the local network so is it really an issue?

Depends on how well the "local" network is firewalled. Are there possibly uh... strange people on your local net?
On Fri, 30 Nov 2018 13:37:59 -0800 (PST), Lasse Langwadt Christensen
<langwadt@fonz.dk> wrote:

> On Friday, 30 November 2018 at 22:34:11 UTC+1, Jim Whitby wrote:
>> Just got a news flash on this:
>>
>> https://seclists.org/fulldisclosure/2018/Nov/68
>>
>> Apparently it uses Telnet for the network connections, Easy root access
>> to anyone.
>
> anyone on the local network so is it really an issue?

We run our test gear on a local network, with its own PC ethernet card and maybe a hub, not connected to our company network or to the world. Sometimes USB.

They should not have hazards like that, but it wouldn't be a big deal to us. Somebody inside our test department isn't going to hack a scope, or hit it with a hammer.

Our giant LeCroy scope runs Windows 7, browsers and all.

--
John Larkin Highland Technology, Inc
picosecond timing precision measurement
jlarkin att highlandtechnology dott com
http://www.highlandtechnology.com
On Fri, 30 Nov 2018 14:47:09 -0800, John Larkin wrote:

> On Fri, 30 Nov 2018 13:37:59 -0800 (PST), Lasse Langwadt Christensen
> <langwadt@fonz.dk> wrote:
>
>> On Friday, 30 November 2018 at 22:34:11 UTC+1, Jim Whitby wrote:
>>> Just got a news flash on this:
>>>
>>> https://seclists.org/fulldisclosure/2018/Nov/68
>>>
>>> Apparently it uses Telnet for the network connections, Easy root
>>> access to anyone.
>>
>> anyone on the local network so is it really an issue?
>
> We run our test gear on a local network, with its own PC ethernet card
> and maybe a hub, not connected to our company network or to the world.
> Sometimes USB.
>
> They should not have hazards like that, but it wouldn't be a big deal to
> us. Somebody inside our test department isn't going to hack a scope, or
> hit it with a hammer.
>
> Our giant LeCroy scope runs Windows 7, browsers and all.

I doubt your LeCroy has a telnet server running on it. A telnet server is the biggest security hole in *any* network.
On Friday, November 30, 2018 at 5:47:18 PM UTC-5, John Larkin wrote:
> On Fri, 30 Nov 2018 13:37:59 -0800 (PST), Lasse Langwadt Christensen
> <langwadt@fonz.dk> wrote:
>
>> On Friday, 30 November 2018 at 22:34:11 UTC+1, Jim Whitby wrote:
>>> Just got a news flash on this:
>>>
>>> https://seclists.org/fulldisclosure/2018/Nov/68
>>>
>>> Apparently it uses Telnet for the network connections, Easy root access
>>> to anyone.
>>
>> anyone on the local network so is it really an issue?
>
> We run our test gear on a local network, with its own PC ethernet card
> and maybe a hub, not connected to our company network or to the world.
> Sometimes USB.
>
> They should not have hazards like that, but it wouldn't be a big deal
> to us. Somebody inside our test department isn't going to hack a
> scope, or hit it with a hammer.
>
> Our giant LeCroy scope runs Windows 7, browsers and all.

Sounds like a great reason to use a headless scope over USB 3.0 to a PC. Heck, better yet to ditch Windows and use Linux.

There's a company that makes a good, inexpensive 32 channel logic analyzer this way. But they still don't support Linux, otherwise I would have bought one a long time ago.

Rick C.

Tesla referral code - https://ts.la/richard11209
On Sunday, 2 December 2018 at 15:29:29 UTC+1, gnuarm.del...@gmail.com wrote:
> On Friday, November 30, 2018 at 5:47:18 PM UTC-5, John Larkin wrote:
>> On Fri, 30 Nov 2018 13:37:59 -0800 (PST), Lasse Langwadt Christensen
>> <langwadt@fonz.dk> wrote:
>>
>>> On Friday, 30 November 2018 at 22:34:11 UTC+1, Jim Whitby wrote:
>>>> Just got a news flash on this:
>>>>
>>>> https://seclists.org/fulldisclosure/2018/Nov/68
>>>>
>>>> Apparently it uses Telnet for the network connections, Easy root access
>>>> to anyone.
>>>
>>> anyone on the local network so is it really an issue?
>>
>> We run our test gear on a local network, with its own PC ethernet card
>> and maybe a hub, not connected to our company network or to the world.
>> Sometimes USB.
>>
>> They should not have hazards like that, but it wouldn't be a big deal
>> to us. Somebody inside our test department isn't going to hack a
>> scope, or hit it with a hammer.
>>
>> Our giant LeCroy scope runs Windows 7, browsers and all.
>
> Sounds like a great reason to use a headless scope over USB 3.0 to a PC. Heck, better yet to ditch Windows and use Linux.
>
> There's a company that makes a good, inexpensive 32 channel logic analyzer this way. But they still don't support Linux, otherwise I would have bought one a long time ago.

quite a few supported by sigrok, https://sigrok.org/wiki/Supported_hardware#Logic_analyzers
On Sun, 2 Dec 2018 06:29:24 -0800 (PST),
gnuarm.deletethisbit@gmail.com wrote:

> On Friday, November 30, 2018 at 5:47:18 PM UTC-5, John Larkin wrote:
>> On Fri, 30 Nov 2018 13:37:59 -0800 (PST), Lasse Langwadt Christensen
>> <langwadt@fonz.dk> wrote:
>>
>>> On Friday, 30 November 2018 at 22:34:11 UTC+1, Jim Whitby wrote:
>>>> Just got a news flash on this:
>>>>
>>>> https://seclists.org/fulldisclosure/2018/Nov/68
>>>>
>>>> Apparently it uses Telnet for the network connections, Easy root access
>>>> to anyone.
>>>
>>> anyone on the local network so is it really an issue?
>>
>> We run our test gear on a local network, with its own PC ethernet card
>> and maybe a hub, not connected to our company network or to the world.
>> Sometimes USB.
>>
>> They should not have hazards like that, but it wouldn't be a big deal
>> to us. Somebody inside our test department isn't going to hack a
>> scope, or hit it with a hammer.
>>
>> Our giant LeCroy scope runs Windows 7, browsers and all.
>
> Sounds like a great reason to use a headless scope over USB 3.0 to a PC. Heck, better yet to ditch Windows and use Linux.
>
> There's a company that makes a good, inexpensive 32 channel logic analyzer this way. But they still don't support Linux, otherwise I would have bought one a long time ago.

Why? I haven't used a logic analyzer in, um, 30 years.