
BLU Discuss list archive



CERT Advisory CA-2001-08




CERT Advisory CA-2001-08 Multiple Vulnerabilities in Alcatel ADSL Modems

   Original release date: April 10, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Alcatel Speed Touch Home ADSL Modem
     * Alcatel 1000 ADSL Network Termination Device

Overview

   The San Diego Supercomputer Center (SDSC) has recently discovered
   several vulnerabilities in the Alcatel Speed Touch Asymmetric Digital
   Subscriber Line (ADSL) modem. These vulnerabilities are the result of
   weak authentication and access control policies, and exploiting them
   will lead to one or more of the following: unauthorized access,
   unauthorized monitoring, information leakage, denial of service, and
   permanent disabling of affected devices.

   The SDSC has published additional information regarding these
   vulnerabilities at

          http://security.sdsc.edu/self-help/alcatel/

I. Description

   VU#211736 - Alcatel ADSL modems grant unauthenticated TFTP access via
   Bounce Attacks

   Alcatel ADSL modems allow unauthenticated Trivial File Transfer
   Protocol (TFTP) access from the local area network (LAN) as a method
   to update firmware and to make configuration changes to the device. In
   conjunction with one of several common vulnerabilities, a remote
   attacker may be able to gain unauthenticated access as well.

   For example, if a system on the LAN side of the ADSL modem has the UDP
   echo service enabled, a remote attacker may be able to spoof packets
   such that the ADSL modem will believe that this traffic originated
   from the local network. By sending a packet to the UDP echo service
   with a spoofed source port of 69 (TFTP) and a source address of
   255.255.255.255, the system providing the echo service can be tricked
   into sending a TFTP packet to the ADSL modem: the echo service replies
   to the source address and port it received, so its reply is a UDP
   datagram addressed to the LAN broadcast address with destination port
   69, which the modem receives on its LAN side as a TFTP request. If a
   system offering this service is accessible from the Internet, it may
   be possible to use the system to attack the ADSL modem.

   Any mechanism for "bouncing" UDP packets off systems on the LAN side
   of the network may potentially allow a remote attacker to gain TFTP
   access to the device. Gaining TFTP access to the device allows the
   remote attacker to essentially gain complete control of the device.

   VU#243592 - Alcatel ADSL modems provide EXPERT administrative account
   with an easily reversible encrypted password

   Alcatel ADSL modems contain a special account (EXPERT) for gaining
   privileged access to the device. This account is secured via a
   challenge-response password authentication mechanism. While the use of
   such a mechanism is commendable, the algorithm used is not
   sufficiently strong. Attackers who know the algorithm used to compute
   the response can compute the correct response using information given
   to them during the login process.

   Because the EXPERT account is accessible via TELNET, HTTP, and FTP,
   the ADSL modem must have an IP address that is accessible from the
   Internet to exploit this vulnerability. Alcatel ADSL products do not
   enable this feature over the wide area network (WAN) interface by
   default. Note, however, that an attacker with TFTP access may be able
   to reconfigure the device to enable this feature.

   This authentication mechanism is present even if the user has set a
   user-supplied password.

   Any problem or vulnerability on your internal network that allows an
   intruder to communicate with the modem may lead to its compromise,
   including Trojan horses, compromised systems, or other "bounce"
   vulnerabilities like the FTP bounce vulnerability described in

          http://www.cert.org/tech_tips/ftp_port_attacks.html

   VU#212088 - Alcatel ADSL modems contain a null default password

   The Alcatel Speed Touch ADSL modem ships with a null default password,
   permitting unauthenticated access via TELNET, HTTP, and FTP. As with
   the EXPERT account vulnerability, the device must have an externally
   accessible IP address.

   VU#490344 - Alcatel ADSL modems provide unauthenticated TFTP access
   via physical access to the WAN interface

   To allow your ISP to upgrade the firmware of the ADSL modem remotely,
   unauthenticated TFTP access is provided to users with physical access
   to the wire on the WAN side of the modem. While this access is
   normally used by your ISP, it could also be abused by an attacker with
   physical access to the wire outside of your home.

II. Impact

   VU#211736 - Alcatel ADSL modems grant unauthenticated TFTP access via
   Bounce Attacks

   A remote attacker may be able to gain access to perform TFTP
   operations. These operations include

     * inspection of configuration data
     * recovery and setting of passwords
     * inspection and updates to the firmware
     * destructive updates to the firmware
     * malicious custom updates to the firmware

   Note that the Alcatel ADSL modems do not provide any mechanism for
   determining the validity of firmware updates, so a remote attacker may
   be able to install custom firmware that operates as a distributed
   denial of service client or a network sniffer. Similarly, an attacker
   could produce an invalid firmware revision that would disable the
   device completely, leaving victims no alternative but to return the
   disabled unit to the manufacturer.

   VU#243592 - Alcatel ADSL modems provide EXPERT administrative account
   with an easily reversible encrypted password

   Attackers who are able to connect to the ADSL modem can enter a
   predictable user ID and password to gain privileged access to the
   device. This access can be used to reconfigure the device, potentially
   introducing additional security weaknesses.

   VU#212088 - Alcatel ADSL modems contain a null default password

   Unless the user or Internet service provider changes the default
   password of an affected device, a remote attacker can access the modem
   via TELNET, HTTP, or FTP. In the case of TELNET and HTTP, this
   vulnerability grants the attacker read and write access to device
   configuration. For FTP, this vulnerability allows the attacker to
   browse the file structure of the affected device.

   VU#490344 - Alcatel ADSL modems provide unauthenticated TFTP access
   via physical access to the WAN interface

   An attacker with physical access to your wire may be able to gain
   unauthenticated TFTP access to the device with the same impacts as
   described in the "bounce" vulnerability (VU#211736).

III. Solution

Set a password for your ADSL modem

          Because the Alcatel ADSL modems ship without a password by
          default, an attacker may be able to gain access if this
          password has not been set. Users are encouraged to set a
          password when the device is first configured. This solution
          does not protect you from all of the vulnerabilities described
          above. In particular, a user-supplied password does not prevent
          the use of the EXPERT account.

Block malicious traffic at your network perimeter

          If you have a home firewall product, you may be able to prevent
          the TFTP UDP bounce attack by filtering one or more of the
          following types of traffic:

          + packets with spoofed source addresses
          + packets with a source address of 255.255.255.255
          + packets with a destination port of echo (or other "simple"
            services)

          Note that intruders who are able to gain access to your local
          area network may be able to gain unauthenticated TFTP access
          using mechanisms other than the TFTP UDP bounce method.
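As an added example (not part of the advisory), the following Python models the three perimeter filters recommended above and, for the echo bounce described in Section I, shows that the reply a UDP echo server would generate is addressed to 255.255.255.255 port 69, which is why any one of the filters breaks the chain. The LAN prefix 10.0.0.0/24, the host addresses and the datagram builder are constructed for illustration and are not from the page.

```python
import ipaddress
import struct
from dataclasses import dataclass

BROADCAST = ipaddress.IPv4Address("255.255.255.255")
# "Simple" inetd UDP services that reflect traffic; echo (7) is the one
# the advisory names, the others are its usual companions.
SIMPLE_SERVICE_PORTS = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen"}
TFTP_PORT = 69


@dataclass(frozen=True)
class UdpPacket:
    src: str
    dst: str
    sport: int
    dport: int


def build_ipv4_udp(src, dst, sport, dport, payload=b""):
    """Constructed test datagram: option-less IPv4 header plus UDP header, checksums zero."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload


def parse_ipv4_udp(raw: bytes) -> UdpPacket:
    """Decode the addresses and ports of a raw IPv4/UDP datagram."""
    ihl = (raw[0] & 0x0F) * 4          # IPv4 header length in bytes (options allowed)
    if raw[9] != 17:
        raise ValueError("not a UDP datagram")
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return UdpPacket(src, dst, sport, dport)


def echo_reply(pkt: UdpPacket) -> UdpPacket:
    """What a UDP echo server sends back: addresses and ports swapped."""
    return UdpPacket(pkt.dst, pkt.src, pkt.dport, pkt.sport)


def perimeter_filter(pkt: UdpPacket, lan_prefix: str) -> str:
    """Verdict for a datagram entering from the WAN, applying the advisory's three filters."""
    lan = ipaddress.ip_network(lan_prefix)
    src = ipaddress.ip_address(pkt.src)
    if src == BROADCAST:
        return "drop:broadcast-source"
    if src in lan:                      # our own prefix cannot legitimately arrive from outside
        return "drop:spoofed-lan-source"
    if pkt.dport in SIMPLE_SERVICE_PORTS:
        return "drop:simple-service-" + SIMPLE_SERVICE_PORTS[pkt.dport]
    return "accept"
```

Feeding the constructed bounce datagram (source 255.255.255.255:69, destination a LAN host's echo port) to `echo_reply` yields a datagram to 255.255.255.255:69, and `perimeter_filter` drops it on the first rule.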

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this
   advisory. When vendors report new information to the CERT/CC, we
   update this section and note the changes in our revision history. If a
   particular vendor is not listed below, we have not received their
   comments.

Alcatel

          ALCATEL SPEED TOUCH ADSL MODEM SECURITY INFORMATION
          About security of Modems and Networks

          Security issues can be divided into two main areas: network
          security and user security, more particularly the user's content
          security.

          Wide Area Network (WAN) security is about protecting a network
          from malicious usage. Security can be guaranteed at all network
          levels except at Customer Premise Equipment (CPE), since such
          equipment is not directly controlled by an Operator or an ISP.

          This is true for any type of CPE, such as telephones, analogue,
          DSL or cable modems and fax machines. Security can only be
          guaranteed at the network level for an Operator's, ISP's or
          private network. This means that a network should stay
          operational at all times. Alcatel has built this type of
          security into its DSLAM (operated by the service provider).

          User security is about protecting the content and local area
          network of an end-user. This type of security has to be
          implemented on Local Area Network (LAN) or PC level at customer
          premises.

          This is standard practice for any network connection (leased
          lines, cable modem, DSL). Such modems provide connectivity, not
          security. Security of content for the user can be reinforced at
          the LAN level by installing dedicated firewall HW/SW, either
          on the server or on the PC, or by installing a dedicated
          firewall device, although Alcatel also provides DSL modems
          which have firewall security. Private and LAN security is the
          responsibility of the user.

          There are many software and hardware products on the market to
          ensure security, including those from Alcatel.

          Modem security

          Firstly, people have been able to alter firmware on the modem.
          This is a standard feature foreseen in some of the Speed Touch
          modems to allow SW upgrades locally or remotely. Access from
          the LAN interface into the modem is not a security problem,
          since the modem belongs to the person who is using it. However,
          via a protection mechanism a feature is foreseen so that nobody
          can do that remotely (or via the WAN/DSL interface). This
          protection mechanism guarantees that nobody from outside can
          access the modem and make changes.

          This protection can be switched off locally by the modem owner,
          in case the service provider wants to do upgrades. This process
          is normally managed by the service provider, and the service
          provider explains to the end-user how to deactivate the
          protection and re-activate it again. To avoid security
          problems, this feature is not explained in the user manual.

          Alcatel ships all modems with the protection activated;
          however, it's easy for a modem owner to deactivate the
          protection, since this is documented on the Alcatel website.
          However, if a user deactivates this, he's also responsible for
          activating it again.

          Secondly, the method of getting into the modem is more advanced
          and it is a standard practice used by hackers. The way it works
          is that they fake local communication via the WAN interface by
          using an ECHO port on a UNIX server connected to the LAN.
          The modem assumes communication comes from the modem owner and
          is secure. However, this is an old security problem in all data
          communication networks and is solved by means of a firewall.

          Firewalls are standard practice for each well-managed
          communication network. The recommendation that Alcatel gives is
          to install a dedicated firewall or firewall software, or make
          use of the Alcatel Speed Touch modem with Firewall
          capabilities.

          (See URL: http://www.alcatel.com/consumer/dsl/prodprofw.htm)
    
_________________________________________________________________

   The CERT Coordination Center would like to thank Tom Perrine and
   Tsutomu Shimomura of the San Diego Supercomputer Center for notifying
   us about this problem and their help in constructing this advisory.

_________________________________________________________________

   Authors: This document is based on research by the SDSC and was
   written by Cory Cohen, Jeffrey P. Lanza, and John Shaffer.
  
______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-08.html
  
______________________________________________________________________

CERT/CC Contact Information

   Email: cert at cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site

   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins,
   send email to majordomo at cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
  
______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
    
_________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History
April 10, 2001:  Initial release
