On Wed, Apr 11, 2001 at 11:38:28PM -0700, Konstantin (Kastus) Shchuka wrote:
> I tried to access my Speed Touch Home at 10.0.0.138 but got no response.
Do you have a route through the interface you're connecting to the modem? When I want to get to the modem I just do an "ifconfig eth1:1 10.0.0.1" (as root), which also sets up a route, and I can then telnet/ping/whatever to 10.0.0.138 with no problem.
> Does it mean that my modem is not vulnerable or it just has a different IP address?
If the above doesn't work then I'm not sure what to do. Maybe -careful- use of something like nmap if you're comfortable with that sort of thing.

I don't know about exactly which models are vulnerable. The CERT advisory page lists simply "Alcatel Speed Touch Home ADSL Modem" and "Alcatel 1000 ADSL Network Termination Device", so the safe way to bet is yes, your modem is vulnerable. You might want to check out the San Diego Supercomputer Center's web site at,

    http://security.sdsc.edu/self-help/alcatel/alcatel-bugs

That page lists some firmware versions that are known to be vulnerable.

The real trick may be to find out what firmware you have. On my Alcatel 1000 there doesn't seem to be anything in either the http or telnet interfaces that I can get the firmware version from. I -can- ftp ("anonymous" works as a username) to it and then get a directory listing of the "active" directory. Mine shows:

    ftp> dir active
    200 Connected to 10.0.0.1 port 1158
    150 Opening data connection for /bin/ls
    total 1
    -rwxrwxrwx 1 0 0 128 Jun 29 1971 start.cmd
    -rwxrwxrwx 1 0 0 0 Jun 29 1971 active.flg
    -rwxrwxrwx 1 0 0 674176 Jun 29 1971 KA1HAA.112
    226 Options: -l : 0 matches total
    ftp>

The name of that last file, "KA1HAA.112", matches the firmware version given on the above web page. However, I -also- have a file named "HH3HAA.110" in the root directory of my modem, but it's much smaller, only 11008 bytes. I don't know what's up with that.

I don't know if any of this is at all applicable to your Speed Touch.
> I got my modem from Pacific Bell, if that matters.
I'm with PacBell too so I've sent email to PacBell support to see if there's a firmware upgrade forthcoming (which they can apparently do remotely from the DSLAM with these modems) or some other fix that I/they can apply. No response yet.

I've also put in the following ipchains rules as a temporary measure:

    ipchains -I output -i eth1 -d 10.0.0.138 -j REJECT -l
    ipchains -I output -i eth1 -d 255.255.255.255 -j REJECT -l
    ipchains -I input -i eth1 -s 255.255.255.255 -j DENY -l

As I understand it, the http/ftp/telnet/etc. interfaces aren't supposed to be accessible directly from the internet side. -IF- that's the case (big if given the existence of this security flaw in the first place) then you just need to plug the "bounce" attack hole, which I think the above rules will do.

Note that my modem can have more than one address though, and the address(es) can be changed. You should check to make sure what yours is/are currently set to so you block the right ones.

HTH,
-John
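
Added example, not part of John's message: a small Python parser for the "dir active" listing quoted above that picks out the firmware image name and compares it with a list of vulnerable versions the reader fills in from the advisory page. The function names and the "largest non-empty file is the image" heuristic are assumptions made for this example.

```python
import re

# Listing copied from the message above (output of "dir active" on the modem).
SAMPLE_LISTING = """\
200 Connected to 10.0.0.1 port 1158
150 Opening data connection for /bin/ls
total 1
-rwxrwxrwx 1 0 0 128 Jun 29 1971 start.cmd
-rwxrwxrwx 1 0 0 0 Jun 29 1971 active.flg
-rwxrwxrwx 1 0 0 674176 Jun 29 1971 KA1HAA.112
226 Options: -l : 0 matches total
"""

# ls -l style entry: mode, links, owner, group, size, month, day, year/time, name
ENTRY = re.compile(
    r"^(?P<mode>[-dl][rwx-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<name>.+)$"
)

def parse_listing(text):
    """Return (name, size) for each regular file; FTP status lines are skipped."""
    files = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m and m.group("mode").startswith("-"):
            files.append((m.group("name"), int(m.group("size"))))
    return files

def firmware_candidate(files):
    """Assumption: the image is the largest non-empty file in 'active'."""
    nonempty = [f for f in files if f[1] > 0]
    return max(nonempty, key=lambda f: f[1])[0] if nonempty else None

def check(listing, known_vulnerable):
    """Compare the candidate name with a set the reader supplies."""
    name = firmware_candidate(parse_listing(listing))
    if name is None:
        return (None, "unknown")
    status = "listed" if name.upper() in known_vulnerable else "not listed"
    return (name, status)

if __name__ == "__main__":
    # Only KA1HAA.112 is named in the message as matching the SDSC page;
    # the other versions have to be taken from that page.
    print(check(SAMPLE_LISTING, {"KA1HAA.112"}))
```

A live listing can be captured with the standard library's ftplib (FTP.retrlines with a LIST command) and passed to check() in place of SAMPLE_LISTING.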