[NEWS] Com21 Cable Modem Configuration File Feeding Vulnerability

From: support@securiteam.com
Date: 11/07/02


To: list@securiteam.com
Date: 7 Nov 2002 10:55:16 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Com21 Cable Modem Configuration File Feeding Vulnerability
------------------------------------------------------------------------

SUMMARY

It is possible for an end-user to feed a <http://www.com21.com> Com21
cable modem a configuration file of the user's own, thereby specifying the
number of CPE, download/upload speeds, and a few other options.

DETAILS

Vulnerable systems:
 * Com21 DOXport 1110 cable modems with software version 2.1.1.106

Immune systems:
 * Com21 DOXport 1110 cable modems with software version 2.1.1.108.003

With a suitable program, an end-user can create cable modem configuration
files that follow the DOCSIS standard. With a vulnerable Com21 cable
modem, the user can set up TFTP, DHCP and BOOTP servers and successfully
feed the cable modem the user's own configuration file. David first
created the configuration file with a program called
<http://docsis.sourceforge.net/> docsis.

Then, David used <http://www.tcpdump.org/> tcpdump to capture packets
from the wire to discover what boot options were required for his cable
modem. David also used an SNMP client to discover the internal IP of his
cable modem from the main router. Knowing this, David was also able to
view the cable modem web page as well as change SNMP options.

With all this information, David set up a DHCP server (he also added an IP
alias to his Ethernet card so that it could give the internal IP to the
cable modem), a BOOTP server and finally a TFTP server. After a couple of
hard reboots of his cable modem, David could see in his TFTP server logs
that the device had downloaded its configuration file from his server.
David then tried to access the Internet and it worked normally.

Solution:
Upgrade the software to version 2.1.1.108.003 or any other software
version that is not vulnerable.
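
For reviewing a configuration file recovered from a suspect TFTP server or a packet capture, the following added example (not part of the original advisory or of the docsis project) parses the DOCSIS 1.x TLV encoding and reports the settings named in the summary, the CPE count and the download/upload rates, where they exceed the provisioned tier. The TLV type numbers come from the DOCSIS 1.x configuration-file encoding rather than from this advisory, and the sample bytes and the TIER limits are constructed for illustration.

```python
import struct

# DOCSIS 1.x config-file TLV types used below (from the DOCSIS spec, not this advisory).
T_PAD, T_COS, T_MAX_CPE, T_END = 0, 4, 18, 255
COS_MAX_DOWN, COS_MAX_UP = 2, 3   # sub-TLVs of Class of Service, rates in bits/s

def parse_tlvs(buf, top_level=True):
    """Yield (type, value) pairs from a type/length/value byte string."""
    i = 0
    while i < len(buf):
        t = buf[i]
        if top_level and t == T_PAD:      # pad byte carries no length field
            i += 1
            continue
        if top_level and t == T_END:      # end-of-data marker
            return
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError(f"truncated TLV type {t} at offset {i}")
        n = buf[i + 1]
        yield t, buf[i + 2:i + 2 + n]
        i += 2 + n

def summarize(cfg):
    """Extract the settings the advisory names: CPE count and rate limits."""
    out = {"max_cpe": None, "max_down": None, "max_up": None}
    for t, v in parse_tlvs(cfg):
        if t == T_MAX_CPE and len(v) == 1:
            out["max_cpe"] = v[0]
        elif t == T_COS:
            for st, sv in parse_tlvs(v, top_level=False):
                if st == COS_MAX_DOWN and len(sv) == 4:
                    out["max_down"] = struct.unpack(">I", sv)[0]
                elif st == COS_MAX_UP and len(sv) == 4:
                    out["max_up"] = struct.unpack(">I", sv)[0]
    return out

def audit(cfg, provisioned):
    """Return {field: (found, limit)} for every field outside the provisioned tier."""
    got = summarize(cfg)
    return {k: (got[k], limit) for k, limit in provisioned.items()
            if not got[k] or got[k] > limit}   # absent/zero is flagged for review, not trusted

# Constructed sample: class 1, 10 Mbit/s down, 2 Mbit/s up, 16 CPE, end marker, padding.
SAMPLE = bytes([4, 15, 1, 1, 1]) + b"\x02\x04" + struct.pack(">I", 10_000_000) \
    + b"\x03\x04" + struct.pack(">I", 2_000_000) + bytes([18, 1, 16, 255, 0, 0])
TIER = {"max_cpe": 1, "max_down": 1_500_000, "max_up": 256_000}  # hypothetical tier

if __name__ == "__main__":
    print(audit(SAMPLE, TIER))
```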

ADDITIONAL INFORMATION

The information has been provided by <mailto:spanska@securinet.qc.ca>
David Laganière.
