Multiple Vulnerabilities in Alcatel ADSL Modems

Original release date: April 10, 2001
Last revised: April 12, 2001
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

  • Alcatel Speed Touch Home ADSL Modem
  • Alcatel 1000 ADSL Network Termination Device

Overview

The San Diego Supercomputer Center (SDSC) has recently discovered several vulnerabilities in the Alcatel Speed Touch Asymmetric Digital Subscriber Line (ADSL) modem. These vulnerabilities are the result of weak authentication and access control policies and exploiting them will lead to one or more of the following: unauthorized access, unauthorized monitoring, information leakage, denial of service, and permanent disability of affected devices.

The SDSC has published additional information regarding these vulnerabilities at

http://security.sdsc.edu/self-help/alcatel/

I. Description

VU#211736 - Alcatel ADSL modems grant unauthenticated TFTP access via Bounce Attacks

Alcatel ADSL modems allow unauthenticated Trivial File Transfer Protocol (TFTP) access from the local area network (LAN) as a method to update firmware and to make configuration changes to the device. In conjunction with one of several common vulnerabilities, a remote attacker may be able to gain unauthenticated access as well.

For example, if a system on the LAN side of the ADSL modem has the UDP echo service enabled, a remote attacker may be able to spoof packets such that the ADSL modem will believe that this traffic originated from the local network. By sending a packet to the UDP echo service with a spoofed source port of 69 (TFTP) and a source address of 255.255.255.255, the system providing the echo service can be tricked into sending a TFTP packet to the ADSL modem. If a system offering this service is accessible from the Internet it may be possible to use the system to attack the ADSL modem.

Any mechanism for "bouncing" UDP packets off systems on the LAN side of the network may potentially allow a remote attacker to gain TFTP access to the device. Gaining TFTP access to the device allows the remote attacker to essentially gain complete control of the device.

VU#243592 - Alcatel ADSL modems provide EXPERT administrative account with an easily reversible encrypted password

Alcatel ADSL modems contain a special account (EXPERT) for gaining privileged access to the device. This account is secured via a challenge-response password authentication mechanism. While the use of such a mechanism is commendable, the algorithm used is not sufficiently strong. Attackers who know the algorithm used to compute the response can compute the correct response using information given to them during the login process.

Because the EXPERT account is accessible via TELNET, HTTP, and FTP, the ADSL modem must have an IP address that is accessible from the Internet to exploit this vulnerability. Alcatel ADSL products do not enable this feature over the wide area network (WAN) interface by default. Note however, that an attacker with TFTP access may be able to reconfigure the device to enable this feature.

This authentication mechanism is present even if the user has set a user supplied password.

Any problem or vulnerability on your internal network that allows an intruder to communicate with the modem may lead to its compromise, including Trojan horses, compromised systems, or other "bounce" vulnerabilities like the FTP bounce vulnerability described in

http://www.cert.org/tech_tips/ftp_port_attacks.html

VU#212088 - Alcatel ADSL modems contain a null default password

The Alcatel Speed Touch ADSL modem ships with a null default password, permitting unauthenticated access via TELNET, HTTP, and FTP. As with the EXPERT account vulnerability, the device must have an externally accessible IP address.

VU#490344 - Alcatel ADSL modems provide unauthenticated TFTP access via physical access to the WAN interface

To allow your ISP to upgrade the firmware of the ADSL modem remotely, unauthenticated TFTP access is provided to users with physical access to the wire on the WAN side of the modem. While this access is normally used by your ISP, it could also be abused by an attacker with physical access to the wire outside of your home.

II. Impact

VU#211736 - Alcatel ADSL modems grant unauthenticated TFTP access via Bounce Attacks

A remote attacker may be able to gain access to perform TFTP operations. These operations include

  • inspection of configuration data
  • recovery and setting of passwords
  • inspection and updates to the firmware
  • destructive updates to the firmware
  • malicious custom updates to the firmware

Note that the Alcatel ADSL modems do not provide any mechanism for determining the validity of firmware updates, so a remote attacker may be able to install custom firmware that operates as a distributed denial of service client or a network sniffer. Similarly, an attacker could produce an invalid firmware revision that would disable the device completely, leaving victims no alternative but to return the disabled unit to the manufacturer.

VU#243592 - Alcatel ADSL modems provide EXPERT administrative account with an easily reversible encrypted password

Attackers who are able to connect to the ADSL modem can enter a predictable user ID and password to gain privileged access to the device. This access can be used to reconfigure the device, potentially introducing additional security weaknesses.

VU#212088 - Alcatel ADSL modems contain a null default password

Unless the user or Internet service provider changes the default password of an affected device, a remote attacker can access the modem via TELNET, HTTP, or FTP. In the case of TELNET and HTTP, this vulnerability grants the attacker read and write access to device configuration. For FTP, this vulnerability allows the attacker to browse the file structure of the affected device.

VU#490344 - Alcatel ADSL modems provide unauthenticated TFTP access via physical access to the WAN interface

An attacker with physical access to your wire may be able to gain unauthenticated TFTP access to the device with the same impacts as described in the "bounce" vulnerability (VU#211736).

III. Solution

Set a password for your ADSL modem

Because the Alcatel ADSL modems ship without a password by default, an attacker may be able to gain access if this password has not been set. Users are encouraged to set a password when the device is first configured. This solution does not protect you from all of the vulnerabilities described above. In particular, a user supplied password does not prevent the use of the EXPERT account.

Block malicious traffic at your network perimeter

If you have a home firewall product you may be able to prevent the TFTP UDP bounce attack by filtering one or more of the following types of traffic:

  • packets with spoofed source addresses
  • packets with a source address of 255.255.255.255
  • packets with a destination port of echo (or other "simple" services)

Note that intruders who are able to gain access to your local area network may be able to gain unauthenticated TFTP access using mechanisms other than the TFTP UDP bounce method.
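As an added illustration of the perimeter filtering described above (example code written for this page; it is not part of the CERT advisory and not an Alcatel product feature), the following Python classifier applies the three filter rules to a few constructed packet records and separately flags the exact TFTP-over-echo bounce signature for alerting. The LAN prefix 192.168.1.0/24, the packet record layout, and the sample packets are assumptions made for this example.

```python
"""
Perimeter filter for the TFTP UDP bounce pattern (added example, not
from the advisory).  Applies the three recommended filter rules:
  1. drop packets with spoofed (LAN) source addresses arriving from the WAN
  2. drop packets with a source address of 255.255.255.255
  3. drop inbound UDP to echo and the other "simple" services
and flags the distinctive bounce signature (source port 69 aimed at a
reflector) so a defender can log it as an attempted attack.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed LAN prefix for this example; use your own in practice.
LAN = ip_network("192.168.1.0/24")
BROADCAST = ip_address("255.255.255.255")

# UDP "simple" services that reflect or emit datagrams (RFC 862, 863, 867, 864).
SIMPLE_SERVICE_PORTS = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen"}
TFTP_PORT = 69


@dataclass(frozen=True)
class Packet:
    """Constructed 5-tuple summary of one datagram (assumed record layout)."""
    proto: str     # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str   # "wan" or "lan": interface the packet arrived on


def filter_reason(pkt: Packet) -> Optional[str]:
    """Return why the perimeter should drop pkt, or None to let it pass."""
    src = ip_address(pkt.src)
    # Rule 2: a limited-broadcast source is never legitimate (RFC 1812
    # forbids forwarding it), and the bounce depends on it.
    if src == BROADCAST:
        return "broadcast source address"
    # Rule 1: anti-spoofing. Traffic from the Internet must not claim a
    # source inside our own LAN prefix.
    if pkt.ingress == "wan" and src in LAN:
        return "spoofed LAN source address from WAN"
    # Rule 3: inbound UDP to echo/chargen/etc. has no legitimate use here
    # and is exactly the reflector the bounce needs.
    if pkt.proto == "udp" and pkt.ingress == "wan" and pkt.dport in SIMPLE_SERVICE_PORTS:
        return "inbound UDP to %s service" % SIMPLE_SERVICE_PORTS[pkt.dport]
    return None


def is_bounce_attempt(pkt: Packet) -> bool:
    """True for the specific signature: UDP from port 69 (TFTP) to a simple
    service on a LAN host, with a source address the reflector would echo
    back toward the LAN (broadcast, or a spoofed LAN address from the WAN)."""
    if pkt.proto != "udp" or pkt.sport != TFTP_PORT:
        return False
    if pkt.dport not in SIMPLE_SERVICE_PORTS:
        return False
    src = ip_address(pkt.src)
    return src == BROADCAST or (pkt.ingress == "wan" and src in LAN)


def apply_policy(packets: List[Packet]) -> List[Tuple[Packet, Optional[str], bool]]:
    """Evaluate every packet: (packet, drop reason or None, bounce flag)."""
    return [(p, filter_reason(p), is_bounce_attempt(p)) for p in packets]


# Constructed sample traffic (not captured data).
SAMPLE = [
    # the bounce as described: spoofed broadcast source, TFTP source port, echo target
    Packet("udp", "255.255.255.255", 69, "192.168.1.10", 7, "wan"),
    # variant that spoofs a LAN address instead of the broadcast address
    Packet("udp", "192.168.1.20", 69, "192.168.1.10", 7, "wan"),
    # plain Internet probe of the echo service, not a bounce but still dropped
    Packet("udp", "203.0.113.5", 40000, "192.168.1.10", 7, "wan"),
    # ordinary DNS reply from the Internet: allowed
    Packet("udp", "203.0.113.53", 53, "192.168.1.10", 40001, "wan"),
    # local TFTP from a LAN host to the modem: outside the perimeter's scope
    Packet("udp", "192.168.1.10", 40002, "192.168.1.254", 69, "lan"),
]

if __name__ == "__main__":
    for pkt, reason, bounce in apply_policy(SAMPLE):
        verdict = "DROP (%s)" % reason if reason else "PASS"
        flag = "  <-- TFTP bounce signature" if bounce else ""
        print("%s:%d -> %s:%d via %s: %s%s" % (pkt.src, pkt.sport, pkt.dst, pkt.dport,
                                                pkt.ingress, verdict, flag))
```

The last sample packet passes because it is local TFTP from the LAN, which the modem permits by design; as the advisory notes, a perimeter filter does nothing against an intruder who is already on the LAN, which is why the bounce flag and the drop reason are reported separately.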

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. When vendors report new information to the CERT/CC, we update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Alcatel

Alcatel Speed Touch ADSL modem Security

INFORMATION

There have been some discussions in the press regarding security of Alcatel DSL modems and the security of DSL services in general.

The major vulnerability referred to in the advisory (VU#211736 - Alcatel ADSL modems grant unauthenticated TFTP access via Bounce Attacks), does not apply to mainstream Operating Systems used by residential and small business subscribers (e.g. Windows 95, 98, 98se, ME, and typical installations of NT4.0 Workstation, 2000 Professional and the latest commercial releases of Linux).

On Microsoft Windows Operating Systems, the "echo" service exploited to bounce TFTP traffic to the modem is either not available as part of the OS (Windows 95, 98, 98se, ME), or is not installed in a "typical" installation (NT4.0 Workstation and 2000 Professional).

It should be noted, however, that without a firewall, any PC in any configuration (home PC or in a LAN) is open to attacks by hackers who can alter software, install viruses, spy on information, etc. Especially PCs connected to the Internet through 'always on' Cable or DSL services should be protected through firewalls.

Therefore Alcatel highly recommends the use of firewalls as a general practice for always-on connections. Additionally, Alcatel has started an initiative to qualify firewall software that will provide users with the highest possible degree of security. Alcatel will publish and update lists of recommended firewalls on its website in the near future.

The firewall recommendation is especially relevant for server applications, where a generic vulnerability for FTP-bounce may be present, as described in CA-1997-27.

One should in any case be aware of the fact that firewalls also continuously evolve to mitigate the subsequent security issues as they arise in the security experts community. Hence, the deployment of firewalls also inherently presumes an attitude towards the implementations of regular updates just as for anti-virus software.

General Security Considerations for broadband remote access service

Security in Modems and Networks

In any network there are two main types of security: network security and user security (more specifically, user content security).

Wide Area Network (WAN) security is concerned with protecting a network from malicious usage. Security at the Customer Premise Equipment (CPE) level is less available than at all other network levels, since this equipment is not directly controlled by a Network Operator or an ISP. This is true for any type of CPE, including telephones, modems (analogue, DSL or cable) and fax machines. For a Network Operator's, ISP's or private network, security can only be guaranteed at the network level. In other words, a network should stay operational at all times. Such type of security is already provided by Alcatel, built into its DSLAM (operated by the service provider).

User security is concerned with protecting the content and local area network of an end-user. This type of security has to be implemented on Local Area Network (LAN) or PC level at the customer premises.

This is standard practice for any network connection (i.e. leased lines, cable modem, DSL). Generally such modems provide connectivity to the network and not security. User content security can be reinforced at the LAN level by installing a dedicated firewall software and/or hardware, either on the server or on the PC, or by installing a dedicated firewall device. Alcatel also provides DSL modems which have firewall security. User content and LAN security is the responsibility of the user.

There are many software and hardware products on the market to ensure security, including Alcatel products.

Modem security

Alcatel's modems are designed to allow users to alter the firmware.

This is a standard feature built into some of the Speed Touch modems to allow local or - in case of the Speed Touch Pro - remote software upgrades. Access from the LAN interface (i.e. local access) into the modem does not constitute a security problem, since the modem normally belongs to the person who is using it. (For this reason no remote access is possible on the Speed Touch Home).

On the Speed Touch Pro, a protection mechanism feature is implemented to ensure that nobody can gain remote access to the modem (or via the WAN/DSL interface). This mechanism guarantees that nobody from outside can access the modem and change modem settings.

Alcatel ships all modems with the protection activated. However, it's easy for a modem owner to deactivate the protection (the procedure for activating this protection mechanism is described below).

This protection can be switched off locally by the modem owner, in case the service provider wants to do upgrades or do remote management. The service provider normally manages this process, and the service provider explains to the end-user how to deactivate the protection and how to re-activate it again.


Specific Recommendations to this Advisory

This Advisory applies to Speed Touch Home up to Rel. 3.2.5, Speed Touch Pro up to Rel 3.2.5, Alcatel 1000 ANT Rel 3.1.

Advisory Statement

Alcatel ADSL modems grant unauthenticated TFTP access via User Datagram Protocol (UDP) bounce.

Alcatel ADSL modems allow unauthenticated Trivial File Transfer Protocol (TFTP) access from the local area network (LAN) as a method for updating firmware and making configuration changes to the device. In conjunction with a common vulnerability, a remote attacker may be able to gain unauthenticated access as well.

Alcatel's answer

Correct. TFTP together with FTP are protocols that are used in the modem to upgrade the system software (firmware). This gives the capability to the user to benefit from new features at all times. This upgrade is done from the LAN network (or the user port) that can only be accessed by the modem user/owner.

However, this is an action that is not allowed from the WAN interface by external users.

Speed Touch Home modems (typically in bridged configuration) with no embedded firewall and used for LAN interconnect, give transparent access to the LAN. If this is used for connection to the Internet, additional measures have to be taken, since outside intruders can access the LAN and access the modem via a bouncing mechanism. Explanation on how to use the modem correctly and to alleviate this issue is described in the chapter: Measures for Speed Touch Home modems.

In any case one should note that the vast majority of operating systems used in residential or small business applications do not exhibit this security vulnerability (cf. non-exhaustive list above).

Advisory Statement

Alcatel ADSL modems provide EXPERT administrative account with an easily reversible encrypted password.

Alcatel ADSL modems contain a special account (EXPERT) for gaining privileged access to the device. This account is secured via a challenge-response password authentication mechanism. While the use of such a mechanism is commendable, the algorithm used is not sufficiently strong. Attackers with knowledge of the algorithm used to compute the response are able to compute the correct response given information visible during the login process.

Alcatel's answer

This is correct. Alcatel provides expert level access for technical support and maintenance activities by service personnel. To prevent the user from accidentally entering this mode, this mode is not documented in the manual and is password protected. As such, the password is not intended to protect against intrusion by malicious users. The Speed Touch Pro offers another feature, called "system protection", providing this security. The system protection disables the capability of remotely (that is, via a wide area network) accessing this expert level, which could be used by outside attackers.

Advisory Statement

Alcatel ADSL modems contain a null default password

The Alcatel Speed Touch ADSL modem ships with a null default password, permitting unauthenticated access via TELNET, HTTP, and FTP. As with the EXPERT account vulnerability, the device must have an externally accessible IP address.

Alcatel's answer

This is correct, there is no default password. During the installation, the user can configure the parameters, and protect this with its own password. This is a standard practice. The same "system protection" offers additional security against malicious users who enter from the WAN side and are not the owner of the modem. The same "system protection" guarantees this security. See question 2 for Speed Touch Home users.

Advisory Statement

Alcatel ADSL modems provide unauthenticated TFTP access via physical access to the WAN interface

To allow your ISP to upgrade the firmware of the ADSL modem remotely, unauthenticated TFTP access is provided to users with physical access to the wire on the WAN side of the modem. While this access is normally used legitimately by your ISP, an attacker could also abuse it with physical access to the wire outside of your home or at a local access point.

Alcatel's answer

Correct. This is true for all communication in general, e.g. voice traffic, leased line data traffic. Physical wire access to a public network by third parties is considered a crime. However, in cases where a high degree of security is required, specialized encryption methods such as IPSec are typically used. This is a practice used by banks, insurance companies, etc., and is recommended whatever the data network is that is used for highly sensitive information.

What, if anything, can service providers do to guard against this problem in their network? What can consumers do to guard against the problem?

All modems that are shipped by Alcatel are by default "system protected", and this is the recommended default operation. As a result, in the majority of the cases, there is no real problem. In general, end-users are strongly advised not to alter this default setting. However, in certain cases where the service provider manages the modem (as a managed service) with the Speed Touch Pro, the "system protection" is disabled to be able to manage the modem remotely. See measures for Speed Touch Pro modems for more info.


Specific Measures for Speed Touch Home modems

Speed Touch Home modems in bridged mode provide transparent access to the LAN (e.g. homeworking, branch office). When the LAN is connected to the Internet, it is standard practice to provide additional security measures to shield the LAN environment from general accessibility from the Internet. Possible measures are:

1) For single PC connections or small home networks, it is recommended to disable the echo service on the Operating system, or to install a quality Firewall software on hosts.

2) For more advanced networks, a dedicated firewall is recommended, or equivalently, make use of Speed Touch Pro with Firewall.

3) Alternatively, the service provider can provide the protection in the network. The routers or broadband remote access servers can be configured to drop all packets with broadcast source address, which are considered illegal according to RFC1812.


Specific Measures for Speed Touch Pro modems

As explained before, in some cases the "system protection" is disabled when service providers offer a managed service. In those cases the user could enable the "system protection" on the Speed Touch Pro modem. However, we do not recommend this without consulting the service provider. Typically, in managed service, the modem is property of the service provider and should allow configuration by the service provider. In the case of a managed service, the service provider provides security at network level by configuring the broadband remote access server to only allow the management server of the service provider to communicate with the management interface of the modems.

If you need to verify or alter the configuration of the system protection, proceed as described below:

  • Set up a telnet connection to your modem. The telnet address is 10.0.0.138
  • Press "Enter" at the User Name prompt
  • Wait for the next prompt and then type the following:
    • => ip config
  • The information on your firmware protection feature is given in the second line of the response
    • If it is "ON", your modem has the security features activated and you have nothing to worry about.
    • If it is "OFF", you are vulnerable to the attacks. You can adjust the security settings as follows:
    • At the command prompt, type
      • => ip config firewalling on
      • => config save

Continuous updates regarding the security aspects of Alcatel DSL CPE are provided on the site http://www.alcatel.com/consumer/dsl/security.htm


The CERT Coordination Center would like to thank Tom Perrine and Tsutomu Shimomura of the San Diego Supercomputer Center for notifying us about this problem and their help in constructing this advisory.


Authors: This document is based on research by the SDSC and was written by Cory Cohen, Jeffrey P. Lanza, and John Shaffer.

Copyright 2001 Carnegie Mellon University.

Revision History

April 10, 2001:  Initial release
April 12, 2001:  Added revised Alcatel vendor statement, removed original statement