SNMP security issues in D-Link DSL Broadband Modem/Router

From: Arhont Information Security (infosec@arhont.com)
Date: 03/27/03

    Date: 27 Mar 2003 15:31:41 -0000
    From: Arhont Information Security <infosec@arhont.com>
    To: bugtraq@securityfocus.com
    
    

    Arhont Ltd - Information Security Company

    Arhont Advisory by: Andrei Mikhailovsky (www.arhont.com)
    Advisory: D-Link DSL Broadband Modem/Router
    Router Model Name: D-Link DSL-500
    Model Specific: Other models might be vulnerable as well
    Manufacturer site: http://www.dlink.com
    Manufacturer contact (UK): Tel: 0800 9175063 / 0845 0800288
    Contact Date: 06/03/2003

    DETAILS:

    While performing general security testing of a
    network, we found several security vulnerabilities
    in the D-Link DSL-500 Broadband Modem.

    Issue 1:
    The default router installation enables an SNMP (Simple
    Network Management Protocol) server with default
    community names for read and read/write access. The
    DSL-500 modem is configured to allow SNMP access from the
    WAN (Wide Area Network)/Internet side as well as from the LAN.

    andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
    sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
    Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
    Copyright (c) 2000 Dlink Corp.
    sysObjectID.0 = OID: enterprises.171.10.30.1
    sysUpTime.0 = Timeticks: (14246347) 1 day, 15:34:23.47
    ...
    ...

    The community name: public

    allows read access to the mentioned devices, allowing
    enumeration and gathering of sensitive network
    information.

    The community name: private

    allows read/write access to devices, thus allowing
    change of the network settings of the broadband modem.

    Impact: This vulnerability allows malicious attackers
    on the LAN or the Internet to retrieve and change the
    network settings of the modem.

    Risk Factor: Medium/High

    Possible Solutions: Firewall UDP port 161 on the LAN/WAN
    sides, as it is not possible to disable the SNMP service
    from the web management interface.

    Issue 2:
    The ISP account information, including the login name and
    password, is stored on the modem without encryption. It
    is therefore possible to retrieve this information with
    a simple SNMP gathering utility such as snmpwalk:

    andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
    sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
    Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
    ...
    ...
    ...
    transmission.23.2.3.1.5.2.1 = STRING: "username@dsl-provider"
    ...
    ...
    transmission.23.2.3.1.6.2.1 = STRING: "password-string"
    ...
    ...
    ...

    Impact: This vulnerability allows malicious attackers
    on the LAN or the Internet to retrieve confidential
    information.

    Risk Factor: Very High

    Possible Solutions: As a temporary solution you should
    firewall UDP port 161 on the LAN/WAN sides, as it is not
    possible to disable the SNMP service from the web
    management interface.

    According to Arhont Ltd. policy, all vulnerabilities
    and security issues found will be reported to
    the manufacturer 7 days before they are released to the
    public domain (such as CERT and BUGTRAQ), unless
    specifically requested by the manufacturer.

    If you would like more information about this
    issue, please do not hesitate to contact the Arhont team at
    infosec@arhont.com.

    Kind Regards,

    Andrei Mikhailovsky
    Arhont Ltd
    http://www.arhont.com
    GnuPG Keyserver: blackhole.pca.dfn.de
    GnuPG Key: 0xFF67A4F4
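
An audit helper for Issue 2, added here as an example and not part of the Arhont advisory: it scans saved `snmpwalk -Os` output from a device you administer for readable rows of the PPP-SEC-MIB secrets table (RFC 1472, where column 5 is the identity and column 6 the secret, matching the OIDs quoted above) and reports that a secret is exposed without copying it. The function names and the sample text are constructed for illustration.

```python
import re

# PPP-SEC-MIB (RFC 1472) pppSecuritySecretsTable rows as printed by
# `snmpwalk -Os` in the advisory: transmission.23.2.3.1.<col>.<link>.<id>
SECRETS_ROW = re.compile(
    r'^\s*transmission\.23\.2\.3\.1\.(?P<col>\d+)\.(?P<link>\d+)\.(?P<idx>\d+)'
    r'\s*=\s*STRING:\s*"(?P<val>.*)"\s*$')
COLUMNS = {"5": "identity", "6": "secret"}


def unwrap(text):
    """Rejoin values that a mail client wrapped onto the following line."""
    lines = []
    for line in text.splitlines():
        if lines and lines[-1].rstrip().endswith("STRING:"):
            lines[-1] = lines[-1].rstrip() + " " + line.strip()
        else:
            lines.append(line)
    return lines


def find_exposed_secrets(walk_text):
    """Return {(link, idx): {"identity": str|None, "secret_present": bool}}."""
    rows = {}
    for line in unwrap(walk_text):
        m = SECRETS_ROW.match(line)
        if not m or m["col"] not in COLUMNS:
            continue
        row = rows.setdefault((m["link"], m["idx"]),
                              {"identity": None, "secret_present": False})
        if COLUMNS[m["col"]] == "identity":
            row["identity"] = m["val"]
        else:
            # Record only that a secret was readable; never store or print it.
            row["secret_present"] = bool(m["val"])
    return rows


# Constructed sample, modelled on the output quoted in the advisory.
SAMPLE = '''sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
transmission.23.2.3.1.5.2.1 = STRING:
"username@dsl-provider"
transmission.23.2.3.1.6.2.1 = STRING: "password-string"
'''

if __name__ == "__main__":
    for key, row in find_exposed_secrets(SAMPLE).items():
        print(key, row)
```

Any row reported with `secret_present` set means the ISP password is readable over SNMP and should be changed once UDP port 161 has been filtered.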

