Further problems with Arescom NetDSL-800 MSN Firmware version 5.4.x and up

From: Justin Cervero (Scorpion_1169@msn.com)
Date: 10/29/02


Date: 29 Oct 2002 14:16:46 -0000
From: Justin Cervero <Scorpion_1169@msn.com>
To: bugtraq@securityfocus.com


('binary' encoding is not supported, stored as-is)

BACKGROUND

The Arescom NetDSL-800 router is the current choice for MSNís DSL service
as well as several other large DSL providers. Previous issues regarding a
telnet DoS and an authentication vulnerability have been addressed through
firmware updates. The authentication vulnerability was solved by adding a
username and password to prevent unauthorized access.

In the case of MSN, the modem/router is shipped with preconfigured
settings, including a unique username and password that differs from the
DSL account name and password. These are meant to be unknown to the user.
The newest firmware (v5.5.11) also limits access to the configuration area
to WAN traffic only.

THE PROBLEM

This issue pertains specifically to the latest version of the MSN
provided/required firmware. Each ISP provides a different version and
others may or may not be affected.

Utilizing a packet sniffer and the NetDSL Remote Manager provided by
Arescom, a remote user may obtain the modemís username and password and
gain access to the configuration menus.

THE VULNERABILITY

Given access to the username and password similar vulnerabilities that
existed with a previously known issue again presents itself. It is
possible to completely disable the modem and prevent further access to the
configuration menus, essentially making the modem completely
inaccessible. Further analyses of the packets generated during access and
manipulation of the configuration could lead to an executable or script
that could transmit configuration packets that would disable every modem
it encountered. If a malicious user were to disable a large enough number
of the modems at once while also removing the ability to reactivate them,
even an ISP with the resources of MSN would not be able to handle the
volume of tech support calls and service requests that would be generated.

THE SOLUTION

The one known solution is not recommended due to the fact that while it
will prevent a malicious user from accessing the configuration menus, it
will also prevent an authorized user from accessing them as well. The
configuration menus are accessed through port 9833. By forcing the modem
to forward all 9833 requests to an unused local IP address access to the
configuration screen can be removed. However, due to the fact that the
latest version of the firmware effectively ignores local requests to 9833,
the user becomes completely locked out of the configuration menus.

Earlier firmware versions had an option that allowed local traffic to
access the configuration. It has been suggested that downgrading to the
older versions of the firmware and then implementing the above solution
would be the best compromise. There are five previous versions of the
firmware available. Unfortunately, while the configuration menus provide
a tool for upgrading the firmware, for unknown reasons the modem does not
accept previous versions.

Long term solutions to be implemented in firmware should involve the
removal of remote configuration access. Allowing only local access would
be much more secure while still allowing easy and robust configuration.

Submitted to the best of my ability,
Justin Cervero

A large amount of credit to JacobNero on the DSLReports.com forums for
research and insight into this issue.



Relevant Pages

  • Re: Mylex question
    ... The firmware recognizes the DAC960 but takes a long time in polling it. ... importantly - FIRMWARE and CONFIGURATION utilities. ... The DAC960 is a bit inconvenient in that to set up the raid units you ... console again to run RCU. ...
    (comp.os.vms)
  • Re: Accessing printer connected to ethernet print server
    ... Install gutenprint 5.0 from the site noted previously in this ... Upgrade the firmware to version 2.13 on the EDIMAX BR-6104KP. ... Upgrading the firmware is done through the web configuration ... The router has a built in web server. ...
    (comp.sys.mac.printing)
  • Re: [PATCH] acpi bridge hotadd: ACPI based root bridge hot-add
    ... > configuration step in the middle. ... All PARISC boxen with PAT PDC firmware ... But I also have to confess I know PCI-PCI Bridge support is broken ... "Card-mode" Dino boxen also have to deal with unconfigured PCI devices. ...
    (Linux-Kernel)
  • [9fans] still down
    ... controller's firmware, which it was demanding. ... to have retained its configuration in NVRAM ... We're a little nervous about putting the disks back ...
    (comp.os.plan9)
  • RE: ISP reconfiguring cable modem?
    ... The cable modem receives its configuration by TFTP when it boots. ... servers) to keep viruses and spammers from wreaking havoc. ... server) then issue a reset command to that modem. ...
    (Security-Basics)