[NEWS] Denial of Service Vulnerability in SMC Networks' Barricade Wireless Router

From: SecuriTeam (support_at_securiteam.com)
Date: 06/12/03

    To: list@securiteam.com
    Date: 12 Jun 2003 01:47:20 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Latest attack techniques.

    You're a pen tester, but is google.com still your R&D team?
    Now you can get trustworthy commercial-grade exploits and the latest
    techniques from a world-class research group.

    Learn more at http://www.coresecurity.com/promos/sit_e1,
    or call 617-399-6980

    - - - - - - - - -

      Denial of Service Vulnerability in SMC Networks' Barricade Wireless Router
    ------------------------------------------------------------------------

    SUMMARY

    SMC Networks' Barricade Wireless Cable/DSL Broadband Router, model
    SMC7004VWBR, "combines a 4-port 10/100 Mbps dual-speed switch with
    Automatic MDI-MDIX feature, a high speed 11Mbps wireless access point,
    Stateful Packet Inspection (SPI) firewall security, network management,
    and Virtual Private Network (VPN) passthrough support into one convenient
    device." The SMC7004VWBR crashes when a specially formatted series of
    packets is sent to TCP port 1723 (PPTP) on its internal interface.
    Following the attack, the router remains unresponsive to requests from
    the wireless portion of the connected LAN, preventing those users from
    accessing network resources.

    DETAILS

    By default, the router listens on TCP port 1723, and the default
    configuration also enables wireless access and a DHCP server. Therefore,
    if no steps have been taken to secure the device, an attacker within
    radio range can trivially join the network with an 802.11b wireless
    network interface card, obtain an address from the router's DHCP server
    and conduct the DoS without any physical connection to the device.

    Detection:
    Barricade Wireless Router, model SMC7004VWBR, is affected. The
    vulnerability is confirmed on the following configuration; earlier
    firmware versions are suspected to be affected as well:

    Runtime Code Version: v1.20 (Nov 15 2002 22:08:48)
    Boot Code Version: V1.06
    Hardware Version: 01
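    The Details and Detection sections above amount to two checks an
    administrator can run against a fleet of these routers: is the reported
    runtime firmware older than the fixed release 1.23, and is TCP 1723
    actually reachable from the LAN side? The script below is an added example
    written for this page, not iDEFENSE's or SMC's code. It parses the version
    lines quoted above as they might be scraped from the router's status page,
    performs a plain TCP connect only (no PPTP payload is sent and nothing here
    reproduces the crash), and starts a local listener so the check can be
    exercised offline. All function names and the sample status text are
    assumptions made for illustration.

```python
"""Exposure check for the SMC7004VWBR PPTP (TCP 1723) DoS.

Added example for this page, not vendor or iDEFENSE code. Two checks:
  1. is the runtime firmware older than 1.23 (the release SMC shipped
     as the fix), parsed from status-page text; and
  2. is TCP 1723 reachable on the LAN-side address, since the attack is
     launched against the internal interface.
"""
import re
import socket
import threading

FIXED_VERSION = (1, 23)   # firmware release named in the advisory as the fix
PPTP_PORT = 1723

# Constructed sample: the version lines quoted in the advisory, as they
# might be scraped from the router's status page.
SAMPLE_STATUS = """Runtime Code Version: v1.20 (Nov 15 2002 22:08:48)
Boot Code Version: V1.06
Hardware Version: 01
"""

_VERSION_RE = re.compile(r"Runtime Code Version:\s*v(\d+(?:\.\d+)*)",
                         re.IGNORECASE)


def parse_runtime_version(status_text):
    """Return the runtime code version as a tuple of ints, e.g. (1, 20).

    Raises ValueError when the line is absent, so a scraping failure is
    never silently reported as 'patched'.
    """
    m = _VERSION_RE.search(status_text)
    if not m:
        raise ValueError("Runtime Code Version line not found")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(version):
    """True for every runtime build before 1.23 (confirmed on 1.20; the
    advisory suspects all earlier firmware)."""
    return tuple(version) < FIXED_VERSION


def tcp_port_open(host, port, timeout=2.0):
    """Complete a TCP handshake and close; no application data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(status_text, host, port=PPTP_PORT):
    """Combine both checks into a dict an inventory job can record."""
    version = parse_runtime_version(status_text)
    vulnerable_fw = is_vulnerable_version(version)
    listening = tcp_port_open(host, port)
    return {
        "version": version,
        "vulnerable_firmware": vulnerable_fw,
        "pptp_reachable_on_lan": listening,
        "exposed": vulnerable_fw and listening,
    }


def start_local_listener(host="127.0.0.1"):
    """Stand-in for a router listening on 1723 so the check runs offline.
    Returns (server_socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def _accept_one():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass  # listener closed before a client arrived

    threading.Thread(target=_accept_one, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    # Against a real router you would pass its LAN address and PPTP_PORT.
    srv, port = start_local_listener()
    try:
        print(assess(SAMPLE_STATUS, "127.0.0.1", port))
    finally:
        srv.close()
```

    A router whose status page reports v1.23 or later still shows TCP 1723
    reachable, because the fix changes how the port handles the malformed
    stream, not whether it listens; the "exposed" flag is therefore the
    conjunction of both results, and a parse failure raises rather than
    returning a false negative.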

    Recovery:
    A hard reset is required to restore normal functionality. This requires
    physical access to the router: either power-cycle it or press the reset
    button on the back of the unit. Restoring functionality remotely through
    the web-based administrative console is not possible once the DoS has
    occurred, even from hosts with a wired connection to the router itself.

    Workaround:
    Among the router's security controls is one that restricts network access
    through the router to hosts with authorized MAC addresses. With such a
    list configured, an attacker must first spoof a legitimate MAC address to
    conduct the attack. This does not prevent the attack, since MAC addresses
    travel in the clear and can be read by anyone in radio range and cloned,
    but it raises the effort required and so makes an opportunistic attempt
    less likely.

    Vendor fix:
    SMC Networks has released firmware version 1.23 that fixes this
    vulnerability. It is available for download at
    http://www.smc.com/index.cfm?sec=Products&pg=Product-Details&prod=258&site=c#downloads.

    Disclosure timeline:
    15 APR 2003 Issue disclosed to SMC Networks (security@smc.com)
    15 APR 2003 iDEFENSE clients notified
    15 APR 2003 Response from olivier@smc-mail.com
    21 APR 2003 Response from Brian Larsen, Barricade Product Manager
    30 APR 2003 Response from Brian Larsen
    10 JUN 2003 Firmware 1.23 provided by SMC to iDEFENSE for testing
    11 JUN 2003 Coordinated Public Disclosure

    ADDITIONAL INFORMATION

    The original advisory is available from:
    http://www.idefense.com/advisory/06.11.03.txt

    The information has been provided by iDEFENSE Labs
    (listserv@idefense.com); the vulnerability was discovered by
    Michael Sutton (msutton@idefense.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

