5861 IP Filtering issues

From: Edward wilkinson (ewilkinsonat_private)
Date: Thu Jan 23 2003 - 14:05:37 PST

    Product:		Efficient Networks 5861 DSL Router
    		http://www.efficient.com/ebz/5800.html
    Tested version:	5.3.80 (Latest firmware)
    Advisory date:	10/01/2003
    Severity:		Moderate
    
    
    Details
    
    When the built-in IP filtering is used to drop incoming TCP packets with the
    SYN flag set, a simple port scan against the WAN interface of the router
    will cause it to lock up and eventually restart.
    
    This has been tested on two different 5861 routers, both running the
    firmware version listed above.
    
    Port scanners used were Nmap (Linux) and SuperScan (Windows).
    
    Solution:
    
    There are three possible solutions to this exploit.  Any one of them can
    be implemented to avoid it:
    1. Remove the filter rule that specifically drops packets with the
       TCP SYN flag set.
    2. Turn off console logging of dropped packets.
       Note: If you require logging to be on, then you must increase the
       console baud rate.
    3. Increase the console baud rate to 57600.
    
    How to implement the above solutions:
    
    Remove the filter rule that specifically drops packets with the TCP SYN
    flag set
    This will not alter your security settings, since packets with the SYN
    flag set will still be caught by the global drop rule at the end of the
    script.
    · Login to the router using the Console or Telnet.
    · Type the command:
      remote ipfilter flush 0 input internet (flush zero).
      Alternate command:
      remote ipfilter delete input drop -p tcp -tcp syn internet
    · Type the “save” command
    · Type the “reboot” command
    Note: If the name of your remote profile is not “Internet”, then
    substitute the correct name.  To determine what the remote profile name
    is, simply type the command “iproutes”, and look in the “gateway” column
    for the correct name.
    
    Turn off console logging of dropped packets
    Note: This is highly recommended if you are not actively monitoring your
    firewall activity.
    · Login to the router using the Console or Telnet.
    · Type the command:
      remote ipfilter watch off internet
    · Type the “save” command
    · Type the “reboot” command
    
    Increase the console baud rate to 57600
    If you are actively monitoring your firewall, you can leave the above
    filters and logging in place and still avoid the exploit by increasing
    the baud rate of the console interface.
    Note: Remember that your terminal software setting must match this baud
    rate after making this change on the router.
    · Access the “boot menu” on the router:
    1. Cut the end off an old Ethernet cable.
    2. Strip the wires back and twist all of the bare wires of the cable
       together.
    3. Plug the unmodified cable end into the console port on the router.
    4. Power cycle the router.
    5. Wait about one minute for the router to complete its boot-up.
    6. Remove the modified cable end, and connect a standard straight-through
       Ethernet cable to the console port. Connect the other end of the
       Ethernet cable to the RJ45 to DB9 adapter provided with your router.
       Connect the adapter to the DB9 serial interface on your computer.
    7. Open up HyperTerminal or any other terminal emulator program, and
       configure it as follows.
       Direct to COM1 (or COM2, COM3, or COM4, depending on which one your
       computer recognizes)
    
    
    
    8. The boot menu looks like this:
    1. Retry start-up
    2. Boot from Flash memory
    3.  Boot from network
    4. Boot from specific file
    5. Configure boot system
    6. Set date and time
    7. Set console baud rate
    8. Start extended diagnostics
    9. Reboot
    
    Enter selection: 7
    Desired baud rate [9600]: 57600
    Do you want the change to 57600 to take effect now ? [Y] y
    
    
    · Once you have accessed the boot menu:
      - Select option 7
      - Enter the desired baud rate of 57600
      - Indicate Yes for the change to take effect immediately
    · Power cycle the router
    · Your baud rate is now set to 57600, so be sure to re-configure
      your terminal emulator software to the same setting before you try to
      connect again.
    
    Additional Comments:
    The default firewall scripts that are contained on the router can be
    edited to meet your specific security needs.  It is strongly recommended
    that you familiarize yourself with the specifics of the level of security
    that you have chosen from the Web interface.
    To edit the default script files:
    1. Connect to the router’s Ethernet IP address using your web browser.
       Example: http://192.168.254.254/tools/editor.html
    2. Click on the “minsec.txt” link on the left side of the screen.
       You can now edit the contents of the file in the editor window.
    3. Put a “#” sign in front of any lines that you want to disable, e.g.:
       # remote ipfilter append input drop -p tcp -tcp syn internet
       This will remove the filter rule the next time that the minimum firewall
       setting is chosen from the firewall settings page.
    4. Locate the command “remote ipfilter watch on internet” and place
       a “#” in front of it. This will cause the logging feature to be disabled
       the next time that the minimum firewall setting is chosen from the
       firewall settings page.
    5. Be sure to click on the “Save” button when you are done with your
       edits.
    6. Repeat the above steps for all three default filter files:
       - minsec.txt
       - medsec.txt
       - maxsec.txt
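    To audit the three default script files for the two lines named in steps 3
    and 4 and to apply the same "#" edits offline, here is an added Python
    example; it is not from this advisory and not an Efficient Networks tool.
    It assumes the scripts hold one router command per line with "#" marking a
    disabled line, as the quoted lines suggest, and works on a constructed
    minsec.txt sample; the profile name is captured so it need not be "internet".

```python
import re

# Constructed sample in the style of the 5861's minsec.txt (assumption: one
# router command per line; a line starting with "#" is disabled).
SAMPLE_MINSEC = """\
# minsec.txt - constructed sample, not the router's actual file
remote ipfilter flush 0 input internet
remote ipfilter append input drop -p tcp -tcp syn internet
remote ipfilter append input accept -p tcp internet
remote ipfilter append input drop internet
remote ipfilter watch on internet
save
"""

# The two commands the advisory says to disable. The last word is the
# remote profile name, which may differ from "internet" on a given router.
SYN_DROP_RE = re.compile(
    r"^\s*remote\s+ipfilter\s+append\s+input\s+drop\s+-p\s+tcp\s+-tcp\s+syn\s+(\S+)\s*$")
WATCH_ON_RE = re.compile(r"^\s*remote\s+ipfilter\s+watch\s+on\s+(\S+)\s*$")

def find_risky_lines(script):
    """Return (line_no, kind, profile) for every still-active SYN-drop or
    watch-on command; an empty list means the script needs no edit."""
    hits = []
    for n, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith("#"):   # already disabled
            continue
        m = SYN_DROP_RE.match(line)
        if m:
            hits.append((n, "syn-drop", m.group(1)))
            continue
        m = WATCH_ON_RE.match(line)
        if m:
            hits.append((n, "watch-on", m.group(1)))
    return hits

def harden(script, disable_logging=True):
    """Comment out the SYN-drop rule, and the watch-on line unless the
    operator keeps logging (and raises the console baud rate instead).
    Idempotent: lines that are already commented are left untouched."""
    out = []
    for line in script.splitlines():
        active = not line.lstrip().startswith("#")
        if active and (SYN_DROP_RE.match(line)
                       or (disable_logging and WATCH_ON_RE.match(line))):
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"
```

    Run find_risky_lines() over medsec.txt and maxsec.txt as well before and
    after editing; the global drop rule at the end of the script is left intact.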
    



    This archive was generated by hypermail 2b30 : Thu Jan 23 2003 - 15:30:30 PST