>Subject: multiple vulnerabilities in Alcatel ADSL-Ethernet bridge >devices > >Researchers associated with the San Diego Supercomputer Center at the >University of California, San Diego have identified multiple >implementation flaws in the Alcatel Speed Touch ADSL "modem" (actually >an ADSL-Ethernet router/bridge). These flaws can allow an intruder to >take complete control of the device, including changing its >configuration, uploading new firmware, and disrupting the >communications between the telephone central office providing ADSL >service and the device. Weren't these issues actually discovered by Renaud Deraison in November 2000? He added code to his Nessus program to check for the problems and didn't consider it worth an advisory since the exploit depended on the IP 10.0.0.138 being spoofable, possible on some ISPs who do VPNs that way but generally a lower risk than the full internet range. You'd think the normal process of informing the manufacturer to provide a window to have a patch available would be followed. Instead a few people were told, then the press and then CERT, sounds more like a PR stunt to me. The value add tools are useful but the manuafacturer could have offered a better fix than binary patching etc. Sounds like too much time was spent on a nowhere issue. Mark. All your japboy are belong to us.
This archive was generated by hypermail 2b30 : Mon Apr 16 2001 - 13:05:06 PDT