
View Full Version : SNMP security issues in D-Link DSL Broadband Modem/Router



Arhont Information Security
27/03/03, 20:20
Arhont Ltd - Information Security Company

Arhont Advisory by: Andrei Mikhailovsky (www.arhont.com)
Advisory: D-Link DSL Broadband Modem/Router
Router Model Name: D-Link DSL-500
Model Specific: Other models might be vulnerable as well
Manufacturer site: http://www.dlink.com
Manufacturer contact (UK): Tel: 0800 9175063 / 0845 0800288
Contact Date: 06/03/2003

DETAILS:

While performing general security testing of a
network, we have found several security vulnerability
issues with the D-Link DSL Broadband Modem DSL-500.

Issue 1:
The default router installation enables an SNMP (Simple
Network Management Protocol) server with default
community names for read and read/write access. The
DSL-500 modem is configured to allow SNMP access from the
WAN (Wide Area Network)/Internet side as well as from the LAN.

andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30 Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk Copyright (c) 2000 Dlink Corp.
sysObjectID.0 = OID: enterprises.171.10.30.1
sysUpTime.0 = Timeticks: (14246347) 1 day, 15:34:23.47
....
....

The community name: public

allows read access to the mentioned devices, allowing
enumeration and gathering of sensitive network
information.

The community name: private

allows read/write access to devices, thus allowing
change of the network settings of the broadband modem.

Impact: This vulnerability allows local and internet
malicious attackers to retrieve and change network
settings of the modem.

Risk Factor: Medium/High

Possible Solutions: Firewall UDP port 161 from LAN/WAN
sides, as it is not possible to disable SNMP service
from the web management interface.

Issue 2:
The ISP account information, including login name and
password, is stored on the modem without encryption. It
is therefore possible to retrieve this information with
a simple SNMP gathering utility such as snmpwalk:

andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30 Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
....
....
....
transmission.23.2.3.1.5.2.1 = STRING: "username@dsl-provider"
....
....
transmission.23.2.3.1.6.2.1 = STRING: "password-string"
....
....
....

Impact: This vulnerability allows LAN and internet
malicious attackers to retrieve confidential information.

Risk Factor: Very High

Possible Solutions: As a temporary solution you should
firewall UDP port 161 from LAN/WAN sides, as it is not
possible to disable SNMP service from the web
management interface.

According to the Arhont Ltd. policy, all of the found
vulnerabilities and security issues will be reported to
the manufacturer 7 days before releasing them to the
public domains (such as CERT and BUGTRAQ), unless
specifically requested by the manufacturer.

If you would like to get more information about this
issue, please do not hesitate to contact Arhont team at
infosec@arhont.com.


Kind Regards,

Andrei Mikhailovsky
Arhont Ltd
http://www.arhont.com
GnuPG Keyserver: blackhole.pca.dfn.de
GnuPG Key: 0xFF67A4F4

Maslov, Snowy
28/03/03, 21:20
> From: Arhont Information Security [mailto:infosec@arhont.com]
> Sent: Friday, March 28, 2003 1:32 AM
> To: bugtraq@securityfocus.com
> Subject: SNMP security issues in D-Link DSL Broadband Modem/Router
>
> While performing a general security testing of a
> network, we have found several security vulnerability
> issues with the D-Link DSL Broadband Modem DSL-500

Note that there are a couple of things you can do to alleviate this
problem.

1. Change the public and private SNMP community strings. You can do
this by logging into the DSL router via telnet or using the serial
connection and typing the following (the password for telnet by default
is 'private' - see below):

snmp access flush               # Flushes all access strings
snmp access read <password>     # Sets your RO community password
snmp access write <password>    # Sets your R/W community password
                                # NOTE: This is also your telnet
                                # password! Make sure it is kept safe!
snmp access list                # Always good to check ;)
config save                     # Saves configuration
restart                         # Restarts router.

I would really recommend doing this as a matter of course anyways.

2. You can use the built-in IP filter package to remove access from the
WAN side to TCP and UDP port 161 (and if you are not using it on the LAN
side - I'd do the same there too).
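An added verification check, not part of either post, for the hardening steps above and the default community names the advisory reports: a dependency-free Python probe that hand-encodes an SNMPv1 GetRequest and reports whether "public" and "private" still answer from the LAN. The host 192.168.0.1 is taken from the advisory's snmpwalk session and the sysDescr.0 OID from MIB-2; both are assumptions, as is SNMPv1 on UDP/161.

```python
import socket

# Minimal SNMPv1 GetRequest encoder (BER) plus a probe to verify from the LAN
# that the default community names no longer answer. Assumed: SNMPv1 on
# UDP/161, sysDescr.0 = 1.3.6.1.2.1.1.1.0, 192.168.0.1 as in the advisory.

def _tlv(tag: int, payload: bytes) -> bytes:
    """BER type-length-value, short or long-form definite length."""
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    parts = [int(p) for p in dotted.strip(".").split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _int(v: int) -> bytes:
    """INTEGER, two's complement big-endian."""
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def snmpv1_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv1 message: SEQUENCE { version 0, community, GetRequest-PDU }."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")  # value is NULL in a request
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def community_accepted(host: str, community: str, timeout: float = 2.0) -> bool:
    """True if the agent answers a GetRequest sent with this community name.
    SNMPv1 agents silently drop requests with an unknown community, so any
    response datagram (outer SEQUENCE, tag 0x30) means it is accepted."""
    req = snmpv1_get(community, "1.3.6.1.2.1.1.1.0", request_id=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return data[:1] == b"\x30"

def audit_defaults(host: str = "192.168.0.1") -> dict:
    """After the community strings are changed and port 161 is filtered, both should be False."""
    return {c: community_accepted(host, c) for c in ("public", "private")}
```

Run `audit_defaults()` against the modem from a LAN host after applying the steps above; a `True` entry means that default community name is still accepted.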