Further problems with Arescom NetDSL-800 MSN Firmware version 5.4.x and up

From: Justin Cervero (Scorpion_1169at_private)
Date: Tue Oct 29 2002 - 06:16:46 PST

    BACKGROUND
    
    The Arescom NetDSL-800 router is the current choice for MSN’s DSL service 
    as well as several other large DSL providers.  Previous issues regarding a 
    telnet DoS and an authentication vulnerability have been addressed through 
    firmware updates.  The authentication vulnerability was solved by adding a 
    username and password to prevent unauthorized access.
    
    In the case of MSN, the modem/router is shipped with preconfigured 
    settings, including a unique username and password that differs from the 
    DSL account name and password. These are meant to be unknown to the user.  
    The newest firmware (v5.5.11) also limits access to the configuration area 
    to WAN traffic only.
    
    THE PROBLEM
    
    This issue pertains specifically to the latest version of the MSN 
    provided/required firmware.  Each ISP provides a different version and 
    others may or may not be affected.
    
    Utilizing a packet sniffer and the NetDSL Remote Manager provided by 
    Arescom, a remote user may obtain the modem’s username and password and 
    gain access to the configuration menus.
    
    THE VULNERABILITY
    
    Given access to the username and password, the vulnerabilities that existed 
    with a previously known issue present themselves again.  It is possible to 
    completely disable the modem and prevent further access to the configuration 
    menus, essentially making the modem completely inaccessible.  Further analysis 
    of the packets generated during access and manipulation of the configuration 
    could lead to an executable or script that transmits configuration packets 
    disabling every modem it encounters.  If a malicious user were to disable a 
    large enough number of modems at once while also removing the ability to 
    reactivate them, even an ISP with the resources of MSN would not be able to 
    handle the volume of tech support calls and service requests that would be 
    generated.
    
    THE SOLUTION
    
    The one known solution is not recommended because, while it prevents a 
    malicious user from accessing the configuration menus, it also prevents an 
    authorized user from accessing them.  The configuration menus are accessed 
    through port 9833.  By forcing the modem to forward all 9833 requests to an 
    unused local IP address, access to the configuration screen can be removed.  
    However, because the latest version of the firmware effectively ignores local 
    requests to 9833, the user becomes completely locked out of the configuration 
    menus.
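Until the configuration port can be closed, the practical defensive step is to watch for WAN-side connections to it.  The following is an added example, not part of the advisory or any Arescom tool: it scans constructed netfilter LOG-style lines from a gateway in front of the modem and flags connections to port 9833 that arrived on the assumed WAN interface (`ppp0`) or from a source outside RFC 1918 space.  The log format, interface name and addresses are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Port the NetDSL-800 configuration menus listen on, per the advisory.
CONFIG_PORT = 9833
# Assumed name of the WAN-facing interface on the logging host.
WAN_IFACE = "ppp0"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines in a netfilter LOG-like format; not real captures.
SAMPLE_LOG = """\
Oct 29 06:10:01 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40011 DPT=9833
Oct 29 06:10:02 gw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=9833
Oct 29 06:10:03 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40012 DPT=80
Oct 29 06:10:04 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=43210 DPT=9833
Oct 29 06:10:05 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40013 DPT=9833
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))

def is_rfc1918(addr):
    """True if addr parses as an IPv4/IPv6 address inside an RFC 1918 block."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def find_remote_config_access(log_text, config_port=CONFIG_PORT, wan_iface=WAN_IFACE):
    """Return (src, dst) for each connection to the configuration port that
    arrived on the WAN interface or came from a non-RFC 1918 source."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("DPT") != str(config_port) or "SRC" not in f:
            continue
        if f.get("IN") == wan_iface or not is_rfc1918(f["SRC"]):
            hits.append((f["SRC"], f.get("DST", "")))
    return hits

def attempts_per_source(hits):
    """Count flagged attempts per source address, most frequent first."""
    return Counter(src for src, _ in hits).most_common()
```

Local management traffic on the LAN interface from a private address is left alone, so the output is only the remote access attempts the advisory warns about.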
    
    Earlier firmware versions had an option that allowed local traffic to 
    access the configuration.  It has been suggested that downgrading to the 
    older versions of the firmware and then implementing the above solution 
    would be the best compromise.  There are five previous versions of the 
    firmware available.  Unfortunately, while the configuration menus provide 
    a tool for upgrading the firmware, for unknown reasons the modem does not 
    accept previous versions.
    
    Long term solutions to be implemented in firmware should involve the 
    removal of remote configuration access.  Allowing only local access would 
    be much more secure while still allowing easy and robust configuration.
    
    
    Submitted to the best of my ability,
    Justin Cervero
    
    A large amount of credit to JacobNero on the DSLReports.com forums for 
    research and insight into this issue.
    



    This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 08:52:24 PST