SECURITY HOLES FOUND IN ALCATEL ADSL MODEMS
April 11, 2001 08:42 AM

WEAK SECURITY IN high-speed ADSL (Asymmetric Digital Subscriber Line) modems from Alcatel could allow hackers to shut down the device, monitor data flows, and use it for cyber attacks, computer security experts said.

For Full Story: http://www.infoworld.com/articles/hn/xml/01/04/11/010411hnalc.xml?0411alert

--
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org
On Wed, Apr 11, 2001 at 03:25:41PM -0400, Fred A. Miller wrote:
> SECURITY HOLES FOUND IN ALCATEL ADSL MODEMS
> April 11, 2001 08:42 AM
> WEAK SECURITY IN high-speed ADSL (Asymmetric Digital Subscriber Line) modems from Alcatel could allow hackers to shut down the device, monitor data flows, and use it for cyber attacks, computer security experts said.
> For Full Story: http://www.infoworld.com/articles/hn/xml/01/04/11/010411hnalc.xml?0411alert

Or http://www.zdnet.com/zdnn/stories/news/0,4586,5080984,00.html .. this one has links to the original researchers' findings and the CERT advisory.

ObSLE;

It looks like a fix to plug the remote-ability of this hole would be to insert an ipchains rule that blocks access from the local LAN to the modem's IP and the broadcast.

Perhaps - and this is off the top of my head here, so don't just use this and expect it to work :) - something like the following:

    ipchains -I output -i eth1 -d 10.0.0.138 -l -j DENY
    ipchains -I output -i eth1 -d 255.255.255.255 -l -j DENY

I think in the typical(?) situation of a home user using an affected Alcatel modem they probably don't care about blocking local access. They just want to block external access to the modem from the Internet.

Comments?
--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com
On Wed, Apr 11, 2001 at 06:06:38PM -0700, John Grant wrote:
> Or http://www.zdnet.com/zdnn/stories/news/0,4586,5080984,00.html .. this one has links to the original researchers' findings and the CERT advisory.
>
> ObSLE;
>
> It looks like a fix to plug the remote-ability of this hole would be to insert an ipchains rule that blocks access from the local LAN to the modem's IP and the broadcast.
>
> Perhaps - and this is off the top of my head here, so don't just use this and expect it to work :) - something like the following:
>
>     ipchains -I output -i eth1 -d 10.0.0.138 -l -j DENY
>     ipchains -I output -i eth1 -d 255.255.255.255 -l -j DENY
>
> I think in the typical(?) situation of a home user using an affected Alcatel modem they probably don't care about blocking local access. They just want to block external access to the modem from the Internet.
>
> Comments?

I tried to access my Speed Touch Home at 10.0.0.138 but got no response.

Does it mean that my modem is not vulnerable or it just has a different IP address?

I got my modem from Pacific Bell, if that matters.

-Kastus
On Wed, Apr 11, 2001 at 11:38:28PM -0700, Konstantin (Kastus) Shchuka wrote:
> I tried to access my Speed Touch Home at 10.0.0.138 but got no response.
Do you have a route through the interface you're connecting to the modem? When I want to get to the modem I just do an "ifconfig eth1:1 10.0.0.1" (as root), which also sets up a route, and I can then telnet/ping/whatever to 10.0.0.138 with no problem.
> Does it mean that my modem is not vulnerable or it just has a different IP address?
If the above doesn't work then I'm not sure what to do. Maybe -careful- use of something like nmap if you're comfortable with that sort of thing.

I don't know about exactly which models are vulnerable. The CERT advisory page lists simply "Alcatel Speed Touch Home ADSL Modem" and "Alcatel 1000 ADSL Network Termination Device", so the safe way to bet is yes, your modem is vulnerable. You might want to check out the San Diego Supercomputer Center's web site at

http://security.sdsc.edu/self-help/alcatel/alcatel-bugs

That page lists some firmware versions that are known to be vulnerable.

The real trick may be to find out what firmware you have. On my Alcatel 1000 there doesn't seem to be anything in either the http or telnet interfaces that I can get the firmware version from. I -can- ftp ("anonymous" works as a username) to it and then get a directory listing of the "active" directory. Mine shows:

    ftp> dir active
    200 Connected to 10.0.0.1 port 1158
    150 Opening data connection for /bin/ls
    total 1
    -rwxrwxrwx   1 0     0         128 Jun 29  1971 start.cmd
    -rwxrwxrwx   1 0     0           0 Jun 29  1971 active.flg
    -rwxrwxrwx   1 0     0      674176 Jun 29  1971 KA1HAA.112
    226 Options: -l : 0 matches total
    ftp>

The name of that last file, "KA1HAA.112", matches the firmware version given on the above web page. However, I -also- have a file named "HH3HAA.110" in the root directory of my modem, but it's much smaller, only 11008 bytes. I don't know what's up with that.

I don't know if any of this is at all applicable to your Speed Touch.
> I got my modem from Pacific Bell, if that matters.
I'm with PacBell too so I've sent email to PacBell support to see if there's a firmware upgrade forthcoming (which they can apparently do remotely from the DSLAM with these modems) or some other fix that I/they can apply. No response yet.

I've also put in the following ipchains rules as a temporary measure:

    ipchains -I output -i eth1 -d 10.0.0.138 -j REJECT -l
    ipchains -I output -i eth1 -d 255.255.255.255 -j REJECT -l
    ipchains -I input -i eth1 -s 255.255.255.255 -j DENY -l

As I understand it, the http/ftp/telnet/etc. interfaces aren't supposed to be accessible directly from the internet side. -IF- that's the case (big if given the existence of this security flaw in the first place) then you just need to plug the "bounce" attack hole, which I think the above rules will do.

Note that my modem can have more than one address though, and the address(es) can be changed. You should check to make sure what yours is/are currently set to so you block the right ones.

HTH,
-John
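As an added example (not John's code or anything from the list), here is a small parser for the ftp "dir" listing John pasted: it picks out the firmware image file and checks it against the build the thread says the SDSC page lists as vulnerable. The KNOWN_VULNERABLE set and the root-directory sample are assumptions made for illustration; the authoritative list is the advisory.

```python
import re

# Added example, not from the thread.  SAMPLE_ACTIVE is John's "dir active"
# output with its line breaks restored; SAMPLE_ROOT is a constructed root
# listing holding the 11008-byte HH3HAA.110 file he mentions.
SAMPLE_ACTIVE = """\
200 Connected to 10.0.0.1 port 1158
150 Opening data connection for /bin/ls
total 1
-rwxrwxrwx   1 0     0         128 Jun 29  1971 start.cmd
-rwxrwxrwx   1 0     0           0 Jun 29  1971 active.flg
-rwxrwxrwx   1 0     0      674176 Jun 29  1971 KA1HAA.112
226 Options: -l : 0 matches total
"""
SAMPLE_ROOT = """\
-rwxrwxrwx   1 0     0       11008 Jun 29  1971 HH3HAA.110
drwxrwxrwx   1 0     0           0 Jun 29  1971 active
"""

# Builds the thread says the SDSC page lists as vulnerable.  Assumption:
# illustrative only; take the authoritative list from the advisory.
KNOWN_VULNERABLE = {"KA1HAA.112"}

# Image names seen in the thread: six upper-case alphanumerics, a dot and
# a three-digit build number (KA1HAA.112, HH3HAA.110).
IMAGE_NAME = re.compile(r"^[A-Z0-9]{6}\.\d{3}$")
# One regular-file row of "ls -l": mode, links, uid, gid, size, date, name.
FILE_ROW = re.compile(r"^-[-rwx]{9}\s+\d+\s+\d+\s+\d+\s+(\d+)\s+"
                      r"[A-Za-z]{3}\s+\d+\s+\S+\s+(\S+)$")

def parse_listing(text):
    """(name, size) for each regular file; FTP status lines, 'total' and
    directories do not match the row pattern and are skipped."""
    rows = (FILE_ROW.match(line.strip()) for line in text.splitlines())
    return [(m.group(2), int(m.group(1))) for m in rows if m]

def firmware_images(entries, min_size=65536):
    """Files named like an image and large enough to be a real one; the
    size floor drops small stubs such as the 11008-byte HH3HAA.110."""
    return [(n, s) for n, s in entries if IMAGE_NAME.match(n) and s >= min_size]

def assess(text):
    """('vulnerable' | 'not-listed', image name) or ('unknown', None)."""
    images = firmware_images(parse_listing(text))
    if not images:
        return ("unknown", None)
    name = images[0][0]
    return ("vulnerable" if name in KNOWN_VULNERABLE else "not-listed", name)
```

Paste the output of your own "dir active" into assess() to see which build your modem is running; a result of "unknown" means no file in the listing looked like a full-size image.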
On Thu, Apr 12, 2001 at 04:21:31AM -0700, John Grant wrote:
> On Wed, Apr 11, 2001 at 11:38:28PM -0700, Konstantin (Kastus) Shchuka wrote:
> > I tried to access my Speed Touch Home at 10.0.0.138 but got no response.
>
> Do you have a route through the interface you're connecting to the modem? When I want to get to the modem I just do an "ifconfig eth1:1 10.0.0.1" (as root), which also sets up a route, and I can then telnet/ping/whatever to 10.0.0.138 with no problem.
I have only one Ethernet interface in my machine. I tried to add an alias to eth0; I did "ifconfig eth0:1 10.0.0.1". Routing was set up automatically. But "ping 10.0.0.138" gets nowhere. I also tried nmap, but it showed my 10.0.0.1 host only on the 10.0.0.0/24 network.

Does it mean that Pacific Bell set up the IP address of the modem to a different value?
> > Does it mean that my modem is not vulnerable or it just has a different IP address?
>
> If the above doesn't work then I'm not sure what to do. Maybe -careful- use of something like nmap if you're comfortable with that sort of thing.
I am comfortable with nmap but it shows no other hosts but the eth0:1 interface with the 10.0.0.1 address of my computer.
> I don't know about exactly which models are vulnerable. The CERT advisory page lists simply "Alcatel Speed Touch Home ADSL Modem" and "Alcatel 1000 ADSL Network Termination Device", so the safe way to bet is yes, your modem is vulnerable. You might want to check out the San Diego Supercomputer Center's web site at
>
> http://security.sdsc.edu/self-help/alcatel/alcatel-bugs
>
> That page lists some firmware versions that are known to be vulnerable.
Unfortunately, I cannot check the firmware version as I have no telnet access to the modem.
Thank you for your response,

-Kastus
I follow up my own post. SuSEfirewall was preventing access to the 10.0.0.0 network for me. When I stopped SuSEfirewall I was able to telnet to the modem at 10.0.0.138. Actually, this is a good sign; it means I am protected by SuSEfirewall by default.

-Kastus

On Thu, Apr 12, 2001 at 12:07:02PM -0700, Konstantin (Kastus) Shchuka wrote:
participants (3)
- Fred A. Miller
- John Grant
- Konstantin (Kastus) Shchuka