Re: SNMP security issues in D-Link DSL Broadband Modem/Router

From: m.singh@tesco.net
Date: 03/27/03

    From: <m.singh@tesco.net>
    To: Arhont Information Security <infosec@arhont.com>
    Date: Thu, 27 Mar 2003 16:27:07 +0000
    
    

    I told D-Link about this problem in September last year. They told me they would release a fix. I have not seen a fix.
    It looks like D-Link will not be doing anything about this problem.

    In future I will post here as well.

    Thanks

    Malkit Singh

    >
    > From: Arhont Information Security <infosec@arhont.com>
    > Date: 2003/03/27 Thu PM 03:31:41 GMT
    > To: bugtraq@securityfocus.com
    > Subject: SNMP security issues in D-Link DSL Broadband Modem/Router
    >
    > Arhont Ltd - Information Security Company
    >
    > Arhont Advisory by: Andrei Mikhailovsky (www.arhont.com)
    > Advisory: D-Link DSL Broadband Modem/Router
    > Router Model Name: D-Link DSL-500
    > Model Specific: Other models might be vulnerable as well
    > Manufacturer site: http://www.dlink.com
    > Manufacturer contact (UK): Tel: 0800 9175063 / 0845 0800288
    > Contact Date: 06/03/2003
    >
    > DETAILS:
    >
    > While performing general security testing of a network, we have
    > found several security vulnerability issues with the D-Link DSL
    > Broadband Modem DSL-500.
    >
    > Issue 1:
    >
    > The default router installation enables SNMP (Simple Network
    > Management Protocol) server with default community names for read
    > and read/write access. The DSL-500 modem is configured to allow SNMP
    > access from the WAN (Wide Area Network)/Internet side as well as
    > from LAN.
    >
    > andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
    > sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
    > Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
    > Copyright (c) 2000 Dlink Corp.
    > sysObjectID.0 = OID: enterprises.171.10.30.1
    > sysUpTime.0 = Timeticks: (14246347) 1 day, 15:34:23.47
    > ...
    > ...
    >
    > The community name: public
    >
    > allows read access to the mentioned devices, allowing enumeration
    > and gathering of sensitive network information.
    >
    > The community name: private
    >
    > allows read/write access to devices, thus allowing change of the
    > network settings of the broadband modem.
    >
    > Impact: This vulnerability allows local and internet malicious
    > attackers to retrieve and change network settings of the modem.
    >
    > Risk Factor: Medium/High
    >
    > Possible Solutions: Firewall UDP port 161 from LAN/WAN sides, as it
    > is not possible to disable SNMP service from the web management
    > interface.
    >
    > Issue 2:
    >
    > The ISP account information including login name and password is
    > stored on the modem without encryption. It is therefore possible to
    > retrieve this information with a simple SNMP gathering utility such
    > as snmpwalk:
    >
    > andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
    > sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
    > Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
    > ...
    > ...
    > ...
    > transmission.23.2.3.1.5.2.1 = STRING: "username@dsl-provider"
    > ...
    > ...
    > transmission.23.2.3.1.6.2.1 = STRING: "password-string"
    > ...
    > ...
    > ...
    >
    > Impact: This vulnerability allows LAN and internet malicious
    > attackers to retrieve confidential information.
    >
    > Risk Factor: Very High
    >
    > Possible Solutions: As a temporary solution you should firewall UDP
    > port 161 from LAN/WAN sides, as it is not possible to disable SNMP
    > service from the web management interface.
    >
    > According to the Arhont Ltd. policy, all of the found vulnerabilities
    > and security issues will be reported to the manufacturer 7 days
    > before releasing them to the public domains (such as CERT and
    > BUGTRAQ), unless specifically requested by the manufacturer.
    >
    > If you would like to get more information about this issue, please
    > do not hesitate to contact Arhont team at infosec@arhont.com.
    >
    > Kind Regards,
    >
    > Andrei Mikhailovsky
    > Arhont Ltd
    > http://www.arhont.com
    > GnuPG Keyserver: blackhole.pca.dfn.de
    > GnuPG Key: 0xFF67A4F4
    >
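
An added example, not part of the advisory or of the reply above: a Python audit helper for output saved from `snmpwalk -Os` against a device you administer, which flags the PPP credential columns shown under Issue 2 without echoing their values. The function names and the sample text are constructed for illustration; the two OID prefixes are the ones in the advisory (columns 5 and 6 of pppSecuritySecretsTable in the PPP Security MIB, RFC 1472).

```python
import re

# Columns of pppSecuritySecretsTable (PPP Security MIB, RFC 1472) as printed
# by `snmpwalk -Os`; these are the two OID prefixes shown in the advisory.
SENSITIVE = {
    "transmission.23.2.3.1.5": "PPP login name readable over SNMP",
    "transmission.23.2.3.1.6": "PPP password readable over SNMP",
}
RECORD = re.compile(r"^(\S+) = (?:(\w[\w-]*): ?)?(.*)$")

def parse_walk(text):
    """Turn saved snmpwalk output into [oid, type, value] records.
    Lines that do not start a new 'oid = ...' record are continuations
    (multi-line sysDescr, values wrapped by a mail client)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"."}:      # blank or "..." elision
            continue
        m = RECORD.match(line)
        if m:
            records.append([m.group(1), m.group(2) or "", m.group(3)])
        elif records:
            records[-1][2] = (records[-1][2] + " " + line).strip()
    return records

def audit(text):
    """Report sensitive OIDs with a non-empty value; values are never echoed."""
    findings = []
    for oid, _type, value in parse_walk(text):
        secret = value.strip('"')
        for prefix, issue in SENSITIVE.items():
            if oid.startswith(prefix + ".") and secret:
                findings.append((oid, issue, f"<redacted, {len(secret)} chars>"))
    return findings

# Constructed sample modelled on the advisory's output (placeholder values).
SAMPLE = """\
sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
...
transmission.23.2.3.1.5.2.1 = STRING:
"username@dsl-provider"
...
transmission.23.2.3.1.6.2.1 = STRING: "password-string"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

An empty result after the firewall change on UDP port 161 only means the walk returned none of these columns; confirm from both the LAN and WAN sides that the device no longer answers SNMP at all.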

