Statica
04-10-2001, 11:57 PM
<b>The Alcatel SpeedTouch ADSL Modem was found to make users' systems vulnerable.</b>
URL: http://security.sdsc.edu/self-help/alcatel/
CERT Advisory: http://www.cert.org/advisories/CA-2001-08.html
<SUB>
CERT® Advisory CA-2001-08 Multiple Vulnerabilities in Alcatel ADSL Modems
Original release date: April 10, 2001
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Alcatel Speed Touch Home ADSL Modem
Alcatel 1000 ADSL Network Termination Device
Overview
The San Diego Supercomputer Center (SDSC) has recently discovered several vulnerabilities in the Alcatel Speed Touch Asymmetric Digital Subscriber Line (ADSL) modem. These vulnerabilities are the result of weak authentication and access control policies and exploiting them will lead to one or more of the following: unauthorized access, unauthorized monitoring, information leakage, denial of service, and permanent disability of affected devices.
The SDSC has published additional information regarding these vulnerabilities at
http://security.sdsc.edu/self-help/alcatel/
I. Description
VU#211736 - Alcatel ADSL modems grant unauthenticated TFTP access via Bounce Attacks
Alcatel ADSL modems allow unauthenticated Trivial File Transfer Protocol (TFTP) access from the local area network (LAN) as a method to update firmware and to make configuration changes to the device. In conjunction with one of several common vulnerabilities, a remote attacker may be able to gain unauthenticated access as well.
For example, if a system on the LAN side of the ADSL modem has the UDP echo service enabled, a remote attacker may be able to spoof packets such that the ADSL modem will believe that this traffic originated from the local network. By sending a packet to the UDP echo service with a spoofed source port of 69 (TFTP) and a source address of 255.255.255.255, the system providing the echo service can be tricked into sending a TFTP packet to the ADSL modem. If a system offering this service is accessible from the Internet it may be possible to use the system to attack the ADSL modem.
Any mechanism for "bouncing" UDP packets off systems on the LAN side of the network may potentially allow a remote attacker to gain TFTP access to the device. Gaining TFTP access to the device allows the remote attacker to essentially gain complete control of the device.
VU#243592 - Alcatel ADSL modems provide EXPERT administrative account with an easily reversible encrypted password
Alcatel ADSL modems contain a special account (EXPERT) for gaining privileged access to the device. This account is secured via a challenge-response password authentication mechanism. While the use of such a mechanism is commendable, the algorithm used is not sufficiently strong. Attackers who know the algorithm used to compute the response can compute the correct response using information given to them during the login process.
Because the EXPERT account is accessible via TELNET, HTTP, and FTP, the ADSL modem must have an IP address that is accessible from the Internet to exploit this vulnerability. Alcatel ADSL products do not enable this feature over the wide area network (WAN) interface by default. Note however, that an attacker with TFTP access may be able to reconfigure the device to enable this feature.
This authentication mechanism is present even if the user has set a user supplied password.
Any problem or vulnerability on your internal network that allows an intruder to communicate with the modem may lead to its compromise, including Trojan horses, compromised systems, or other "bounce" vulnerabilities like the FTP bounce vulnerability described in
http://www.cert.org/tech_tips/ftp_port_attacks.html
VU#212088 - Alcatel ADSL modems contain a null default password
The Alcatel Speed Touch ADSL modem ships with a null default password, permitting unauthenticated access via TELNET, HTTP, and FTP. As with the EXPERT account vulnerability, the device must have an externally accessible IP address.
VU#490344 - Alcatel ADSL modems provide unauthenticated TFTP access via physical access to the WAN interface
To allow your ISP to upgrade the firmware of the ADSL modem remotely, unauthenticated TFTP access is provided to users with physical access to the wire on the WAN side of the modem. While this access is normally used by your ISP, it could also be abused by an attacker with physical access to the wire outside of your home.
II. Impact
VU#211736 - Alcatel ADSL modems grant unauthenticated TFTP access via Bounce Attacks
A remote attacker may be able to gain access to perform TFTP operations. These operations include
inspection of configuration data
recovery and setting of passwords
inspection and updates to the firmware
destructive updates to the firmware
malicious custom updates to the firmware
Note that the Alcatel ADSL modems do not provide any mechanism for determining the validity of firmware updates, so a remote attacker may be able to install custom firmware that operates as a distributed denial of service client or a network sniffer. Similarly, an attacker could produce an invalid firmware revision that would disable the device completely, leaving victims no alternative but to return the disabled unit to the manufacturer.
VU#243592 - Alcatel ADSL modems provide EXPERT administrative account with an easily reversible encrypted password
Attackers who are able to connect to the ADSL modem can enter a predictable user ID and password to gain privileged access to the device. This access can be used to reconfigure the device, potentially introducing additional security weaknesses.
VU#212088 - Alcatel ADSL modems contain a null default password
Unless the user or Internet service provider changes the default password of an affected device, a remote attacker can access the modem via TELNET, HTTP, or FTP. In the case of TELNET and HTTP, this vulnerability grants the attacker read and write access to device configuration. For FTP, this vulnerability allows the attacker to browse the file structure of the affected device.
VU#490344 - Alcatel ADSL modems provide unauthenticated TFTP access via physical access to the WAN interface
An attacker with physical access to your wire may be able to gain unauthenticated TFTP access to the device with the same impacts as described in the "bounce" vulnerability (VU#211736).
III. Solution
Set a password for your ADSL modem
Because the Alcatel ADSL modems ship without a password by default, an attacker may be able to gain access if this password has not been set. Users are encouraged to set a password when the device is first configured. This solution does not protect you from all of the vulnerabilities described above. In particular, a user supplied password does not prevent the use of the EXPERT account.
Block malicious traffic at your network perimeter
If you have a home firewall product you may be able to prevent the TFTP UDP bounce attack by filtering one or more of the following types of traffic:
packets with spoofed source addresses
packets with a source address of 255.255.255.255
packets with a destination port of echo (or other "simple" services)
Note that intruders who are able to gain access to your local area network may be able to gain unauthenticated TFTP access using mechanisms other than the TFTP UDP bounce method.
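The three filter classes listed above, and the shape of the echo-bounce packet described in section I, can be checked mechanically. The following is an added example, not code from CERT/CC, SDSC, Alcatel or the original poster: it models a home perimeter filter with exactly those three rules and a separate detection predicate for the bounce packet, then runs both over constructed packet records. The interface names, the LAN prefix 192.168.1.0/24 and every address in the sample traffic are assumptions made for the illustration.

```python
"""Perimeter filter for the TFTP / UDP-echo bounce described in CA-2001-08.

Added example, not part of the advisory. It implements the three filter
classes the advisory recommends for a home firewall and a detection check
for the bounce packet itself. Interface names, the LAN prefix and the
packet records below are assumptions for illustration only.
"""
import ipaddress
from dataclasses import dataclass

LAN_PREFIX = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN
# "simple" UDP services (RFC 862/863/867/864) that can reflect packets
SIMPLE_UDP_SERVICES = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen"}
TFTP_PORT = 69
ECHO_PORT = 7


@dataclass(frozen=True)
class Packet:
    iface: str   # "wan" or "lan": interface the packet arrived on
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


def spoofed_source(pkt):
    """Rule 1: a packet arriving on the WAN side must not claim a LAN or
    loopback source. That claim is what the bounce relies on."""
    src = ipaddress.ip_address(pkt.src)
    return pkt.iface == "wan" and (src in LAN_PREFIX or src.is_loopback)


def limited_broadcast_source(pkt):
    """Rule 2: 255.255.255.255 is never a legitimate source address."""
    return pkt.src == "255.255.255.255"


def simple_service_destination(pkt):
    """Rule 3: inbound UDP to echo or the other 'simple' services."""
    return (pkt.iface == "wan" and pkt.proto == "udp"
            and pkt.dport in SIMPLE_UDP_SERVICES)


RULES = [
    ("spoofed-source", spoofed_source),
    ("limited-broadcast-source", limited_broadcast_source),
    ("simple-service-destination", simple_service_destination),
]


def evaluate(pkt):
    """Return ("drop", rule_name) for the first matching rule,
    otherwise ("accept", None)."""
    for name, predicate in RULES:
        if predicate(pkt):
            return ("drop", name)
    return ("accept", None)


def bounce_signature(pkt):
    """Detection: the exact packet shape from the advisory text, i.e. UDP
    with source port 69 (TFTP), source 255.255.255.255 and destination
    port 7 (echo). Useful for logging even where the filter is not in path."""
    return (pkt.proto == "udp" and pkt.sport == TFTP_PORT
            and pkt.dport == ECHO_PORT and pkt.src == "255.255.255.255")


# Constructed sample traffic (not captured data)
SAMPLE = [
    Packet("wan", "udp", "255.255.255.255", 69, "192.168.1.10", 7),  # bounce attempt
    Packet("wan", "udp", "192.168.1.77", 69, "192.168.1.10", 7),     # spoofed LAN source
    Packet("wan", "udp", "203.0.113.5", 40000, "192.168.1.10", 19),   # chargen probe
    Packet("wan", "tcp", "203.0.113.5", 40000, "192.168.1.10", 443),  # ordinary inbound
    Packet("lan", "udp", "192.168.1.10", 2049, "192.168.1.254", 69),  # owner's local TFTP
]


def run(packets=SAMPLE):
    """Evaluate every packet; returns (packet, verdict, rule, is_bounce)."""
    return [(p, *evaluate(p), bounce_signature(p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict, rule, is_bounce in run():
        print(f"{pkt.iface:3} {pkt.proto} {pkt.src}:{pkt.sport} -> "
              f"{pkt.dst}:{pkt.dport}  {verdict:6} {rule or '-':28} "
              f"bounce={is_bounce}")
```

Rule order matters only for which reason is reported: the bounce packet is stopped by the broadcast-source rule, a spoofed-LAN variant by the anti-spoofing rule, and a probe of any reflecting service by the third rule. The last sample shows why the rules are keyed on the arrival interface: the owner's own TFTP session from the LAN is left alone, which is the behaviour the advisory's note about LAN intruders warns is still possible.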
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
Alcatel
ALCATEL SPEED TOUCH ADSL MODEM SECURITY INFORMATION
About security of Modems and Networks
Security issues can be divided into two main areas: network security and user security, more particularly user's content security.
Wide Area Network (WAN) security is about protecting a network from malicious usage. Security can be guaranteed at all network levels except at Customer Premise Equipment (CPE), since such equipment is not directly controlled by an Operator or an ISP.
This is true for any type of CPE, such as telephones, analogue, DSL or cable modems and fax machines. Security can only be guaranteed at the network level for an Operator's, ISP's or private network. This means that a network should stay operational at all times. Alcatel has built this type of security in its DSLAM (operated by the service provider).
User security is about protecting the content and local area network of an end-user. This type of security has to be implemented on Local Area Network (LAN) or PC level at customer premises.
This is standard practice for any network connection (leased lines, cable modem, DSL). Such modems provide connectivity, not security. Security of content for the user can be reinforced at the LAN level by installing dedicated firewall HW/SW, either on the server or on the PC, or by installing a dedicated firewall device, although Alcatel also provides DSL modems which have firewall security. Private and LAN security is the responsibility of the user.
There are many software and hardware products on the market to ensure security, including those from Alcatel.
Modem security
Firstly, people have been able to alter firmware on the modem. This is a standard feature foreseen in some of the Speed Touch modems to allow SW upgrades locally or remotely. Access from the LAN interface into the modem is not a security problem, since the modem belongs to the person who is using it. However, via a protection mechanism a feature is foreseen so that nobody can do that remotely (or via the WAN/DSL interface). This protection mechanism guarantees that nobody from outside can access the modem and make changes.
This protection can be switched off locally by the modem owner, in case the service provider wants to do upgrades. This process is normally managed by the service provider, and the service provider explains to the end-user how to deactivate the protection and re-activate it again. To avoid security problems, this feature is not explained in the user manual.
Alcatel ships all modems with the protection activated; however, it's easy for a modem owner to deactivate the protection, since this is documented on the Alcatel website. However, if a user deactivates this, he's also responsible for activating it again.
Secondly, the method of getting into the modem is more advanced and it is a standard practice used by hackers. The way it works is that they fake local communication via the WAN interface by using an ECHO port on a UNIX server connected to the LAN. The modem assumes communication comes from the modem owner and is secure. However, this is an old security problem in all data communication networks and is solved by means of a firewall.
Firewalls are standard practice for each well-managed communication network. The recommendation that Alcatel gives is to install a dedicated firewall or firewall software, or make use of the Alcatel Speed Touch modem with Firewall capabilities.
(See URL: http://www.alcatel.com/consumer/dsl/prodprofw.htm)
--------------------------------------------------------------------------------
The CERT Coordination Center would like to thank Tom Perrine and Tsutomu Shimomura of the San Diego Supercomputer Center for notifying us about this problem and their help in constructing this advisory.
--------------------------------------------------------------------------------
Authors: This document is based on research by the SDSC and was written by Cory Cohen, Jeffrey P. Lanza, and John Shaffer.
--------------------------------------------------------------------------------
This document is available from: http://www.cert.org/advisories/CA-2001-08.html
--------------------------------------------------------------------------------
</SUB>
<HR>