Original release date: April 10, 2001<BR>
Last revised: April 12, 2001<BR>
Source: CERT/CC<BR>
<P>A complete revision history can be found at the end of this file.
<A NAME="affected">
<H3>Systems Affected</H3>
<UL>
<LI>Alcatel Speed Touch Home ADSL Modem</LI>
<LI>Alcatel 1000 ADSL Network Termination Device</LI>
</UL>
<A NAME="overview">
<H2>Overview</H2>
<P>The <A HREF="http://www.sdsc.edu">San Diego Supercomputer
Center</A> (SDSC) has recently discovered several vulnerabilities in
the Alcatel Speed Touch Asymmetric Digital Subscriber Line (ADSL)
modem. These vulnerabilities are the result of weak authentication
and access control policies and exploiting them will lead to one or
more of the following: unauthorized access, unauthorized monitoring,
information leakage, denial of service, and permanent disability of
affected devices.
<P>The SDSC has published additional information regarding these
vulnerabilities at
<DL>
<DD><A HREF="http://security.sdsc.edu/self-help/alcatel/">
http://security.sdsc.edu/self-help/alcatel/</A>
</DL>
<A NAME="description">
<H2>I. Description</H2>
<B><P> <A HREF="http://www.kb.cert.org/vuls/id/211736">VU#211736</A> -
Alcatel ADSL modems grant unauthenticated TFTP access via Bounce Attacks
</B>
<P>Alcatel ADSL modems allow unauthenticated Trivial File Transfer
Protocol (TFTP) access from the local area network (LAN) as a method
to update firmware and to make configuration changes to the device.
In conjunction with one of several common vulnerabilities, a remote
attacker may be able to gain unauthenticated access as well.
<P>For example, if a system on the LAN side of the ADSL modem has the
UDP echo service enabled, a remote attacker may be able to spoof
packets such that the ADSL modem will believe that this traffic
originated from the local network. By sending a packet to the UDP
echo service with a spoofed source port of 69 (TFTP) and a source
address of 255.255.255.255, the system providing the echo service can
be tricked into sending a TFTP packet to the ADSL modem. If a system
offering this service is accessible from the Internet it may be
possible to use the system to attack the ADSL modem.
<P>Any mechanism for "bouncing" UDP packets off systems on the LAN
side of the network may potentially allow a remote attacker to gain
TFTP access to the device. Gaining TFTP access to the device allows
the remote attacker to essentially gain complete control of the
device.
<B><P><A HREF="http://www.kb.cert.org/vuls/id/243592">VU#243592</A> -
Alcatel ADSL modems provide EXPERT administrative account with an
easily reversible encrypted password
</B>
<P>Alcatel ADSL modems contain a special account (EXPERT) for gaining
privileged access to the device. This account is secured via a
challenge-response password authentication mechanism. While the use
of such a mechanism is commendable, the algorithm used is not
sufficiently strong. Attackers who know the algorithm used to compute
the response can compute the correct response using information given
to them during the login process.
<P>Because the EXPERT account is accessible via TELNET, HTTP, and FTP,
the ADSL modem must have an IP address that is accessible from the
Internet to exploit this vulnerability. Alcatel ADSL products do not
enable this feature over the wide area network (WAN) interface by
default. Note however, that an attacker with TFTP access may be able
to reconfigure the device to enable this feature.
<P>This authentication mechanism is present even if the user has set a
user supplied password.
<P>Any problem or vulnerability on your internal network that allows
an intruder to communicate with the modem may lead to its compromise,
including Trojan horses, compromised systems, or other "bounce"
vulnerabilities like the FTP bounce vulnerability described in
<DL><DD>
<A HREF="http://www.cert.org/tech_tips/ftp_port_attacks.html">
http://www.cert.org/tech_tips/ftp_port_attacks.html</A>
</DL>
<B><P><A HREF="http://www.kb.cert.org/vuls/id/212088">VU#212088</A> -
Alcatel ADSL modems contain a null default password
</B>
<P>The Alcatel Speed Touch ADSL modem ships with a null default
password, permitting unauthenticated access via TELNET, HTTP, and FTP.
As with the EXPERT account vulnerability, the device must have an
externally accessible IP address.
<B><P><A HREF="http://www.kb.cert.org/vuls/id/490344">VU#490344</A> -
Alcatel ADSL modems provide unauthenticated TFTP access via physical
access to the WAN interface
</B>
<P>To allow your ISP to upgrade the firmware of the ADSL modem
remotely, unauthenticated TFTP access is provided to users with
physical access to the wire on the WAN side of the modem. While this
access is normally used by your ISP, it could also be abused by an
attacker with physical access to the wire outside of your home.
<A NAME="impact">
<H2>II. Impact</H2>
<B><P><A HREF="http://www.kb.cert.org/vuls/id/211736">VU#211736</A> -
Alcatel ADSL modems grant unauthenticated TFTP access via Bounce Attacks
</B>
<P>A remote attacker may be able to gain access to perform TFTP
operations. These operations include
<UL>
<LI>inspection of configuration data</LI>
<LI>recovery and setting of passwords</LI>
<LI>inspection and updates to the firmware</LI>
<LI>destructive updates to the firmware</LI>
<LI>malicious custom updates to the firmware</LI>
</UL>
<P>Note that the Alcatel ADSL modems do not provide any mechanism for
determining the validity of firmware updates, so a remote attacker may
be able to install custom firmware that operated as a distributed
denial of service client or a network sniffer. Similarly, an attacker
could produce an invalid firmware revision that would disable the
device completely, leaving victims no alternative but to return the
disabled unit to the manufacturer.
<B><P><A HREF="http://www.kb.cert.org/vuls/id/243592">VU#243592</A> -
Alcatel ADSL modems provide EXPERT administrative account with an easily
reversible encrypted password
</B>
<P>Attackers who are able to connect to the ADSL modem can enter a
predictable user ID and password to gain privileged access to the
device. This access can be used to reconfigure the device,
potentially introducing additional security weaknesses.
<B><P><A HREF="http://www.kb.cert.org/vuls/id/212088">VU#212088</A> -
Alcatel ADSL modems contain a null default password
</B>
<P>Unless the user or Internet service provider changes the default
password of an affected device, a remote attacker can access the modem
via TELNET, HTTP, or FTP. In the case of TELNET and HTTP, this
vulnerability grants the attacker read and write access to device
configuration. For FTP, this vulnerability allows the attacker to
browse the file structure of the affected device.
<B><P><A HREF="http://www.kb.cert.org/vuls/id/490344">VU#490344</A> -
Alcatel ADSL modems provide unauthenticated TFTP access via physical
access to the WAN interface
</B>
<P>An attacker with physical access to your wire may be able to gain
unauthenticated TFTP access to the device with the same impacts as
described in the "bounce" vulnerability
<A HREF="http://www.kb.cert.org/vuls/id/211736">(VU#211736)</A>.
<A NAME="solution">
<H2>III. Solution</H2>
<H4>Set a password for your ADSL modem</H4>
<DL>
<DD>
<P>Because the Alcatel ADSL modems ship without a password by default,
an attacker may be able to gain access if this password has not been
set. Users are encouraged to set a password when the device is first
configured. This solution does not protect you from all of the
vulnerabilities described above. In particular, a user supplied
password does not prevent the use of the EXPERT account.
</DD>
</DL>
<H4>Block malicious traffic at your network perimeter</H4>
<DL>
<DD>
<P>If you have a home firewall product you may be able to prevent the
TFTP UDP bounce attack by filtering one or more of the following types
of traffic:</DD>
<UL>
<LI>packets with spoofed source addresses</LI>
<LI>packets with a source address of 255.255.255.255</LI>
<LI>packets with a destination port of echo (or other "simple" services)</LI>
</UL>
<P>Note that intruders who are able to gain access to your local area
network may be able to gain unauthenticated TFTP access using
mechanisms other than the TFTP UDP bounce method.
</DD>
</DL>
<A NAME="vendors">
<H2>Appendix A. - Vendor Information</H2>
<P>This appendix contains information provided by vendors for this
advisory. When vendors report new information to the CERT/CC, we
update this section and note the changes in our revision history. If
a particular vendor is not listed below, we have not received their
comments.</P>
<!-- end vendor -->
<A NAME="alcatel">
<H4>Alcatel</H4>
<DL><DD>
<P><B>Alcatel Speed Touch ADSL modem Security</B>
<P>INFORMATION
<P>There have been some discussions in the press regarding security of
Alcatel DSL modems and the security of DSL services in general. </P>
<P>The major vulnerability referred to in the advisory (<I>VU#211736 -
Alcatel ADSL modems grant unauthenticated TFTP access via Bounce
Attacks</I>), does not apply to mainstream Operating Systems used by
residential and small business subscribers (e.g. Windows 95, 98, 98se, ME,
and typical installations of NT4.0 Workstation, 2000 Professional and the
latest commercial releases of Linux). </P>
<P>On Microsoft Windows Operating Systems, the "echo" service
exploited to bounce TFTP traffic to the modem, is either not available as
part of the OS (Windows 95, 98,98se, ME), or is not installed in a
"typical" installation (NT4.0 Workstation and 2000
Professional). </P>
<P>It should be noted, however, that without a firewall, any PC in any
configuration (home PC or in a LAN) is open for attacks by hackers, that
can alter software, install viruses, spy information, etc. Especially PCs
connected to the Internet through 'always on' Cable or DSL services should
be protected through firewalls.</P>
<P>Therefore Alcatel highly recommends the use of firewalls as a general
practice for always-on connections. Additionally Alcatel has started an
initiative to qualify firewall software that will provide users with the
highest possible degree of security. Alcatel will publish and update lists
of recommended firewalls on its website in the near future.</P>
<P>The firewall recommendation is especially relevant for server
applications, where a generic vulnerability for FTP-bounce may be present,
as described in CA-1997-27. </P>
<P>One should in any case be aware of the fact that firewalls also
continuously evolve to mitigate the subsequent security issues as they
arise in the security experts community. Hence, the deployment of
firewalls also inherently presumes an attitude towards the implementations
of regular updates just as for anti-virus software.</P>
<B><P>General Security Considerations for broadband remote access service</P></B>
<P><B>Security in Modems and Networks</B>
<P>In any network there are two main types of security: network security
and user security (more specifically, user content security). </P>
<B><P>Wide Area Network (WAN) security</B> is concerned with protecting a
network from malicious usage. Security at the Customer Premise Equipment
(CPE) level is less available - unlike all other network levels -, since
this equipment is not directly controlled by a Network Operator or an
ISP. This is true for any type of CPE, including telephones, modems
(analogue, DSL or cable) and fax machines. For a Network Operator's, ISP's
or private network security can only be guaranteed at the network
level. In other words, a network should stay operational at all
times. Such type of security is already provided by Alcatel, built-in its
DSLAM (operated by the service provider).</P>
<B><P>User security</B> is concerned with protecting the content and local
area network of an end-user. This type of security has to be implemented
on Local Area Network (LAN) or PC level at the customer premises.</P>
<P>This is standard practice for any network connection (i.e. leased
lines, cable modem, DSL). Generally such modems provide connectivity to
the network and not security. User content security can be reinforced at
the LAN level by installing a dedicated firewall software and/or hardware,
either on the server or on the PC, or by installing a dedicated firewall
device. Alcatel also provides DSL modems which have firewall
security. User content and LAN security is the responsibility of the
user.</P>
<P>There are many software and hardware products on the market to ensure
security, including Alcatel products.</P>
<B><P>Modem security</P></B>
<P>Alcatel's modems are designed to allow users to alter the
firmware. </P>
<P>This is a standard feature built into some of the Speed Touch modems to
allow local or - in case of the Speed Touch Pro - remote software
upgrades. Access from the LAN interface (i.e. local access) into the modem
does not constitute a security problem, since the modem normally belongs
to the person who is using it. (For this reason no remote access is
possible on the Speed Touch Home).</P>
<P>On the Speed Touch Pro, a protection mechanism feature is implemented
to ensure that nobody can gain remote access to the modem (or via the
WAN/DSL interface). This mechanism guarantees that nobody from outside can
access the modem and change modem settings. </P>
<P>Alcatel ships all modems with the protection activated. However, it's
easy for a modem owner to deactivate the protection (the procedure for
activating this protection mechanism is described below). </P>
<P>This protection can be switched off locally by the modem owner, in case
the service provider wants to do upgrades or do remote management. The
service provider normally manages this process, and the service provider
explains to the end-user how to deactivate the protection and how to
re-activate it again.</P>
<P> </P>
<B><P>Specific Recommendations to this Advisory</P>
</B><P>This Advisory applies to Speed Touch Home up to Rel. 3.2.5, Speed
Touch Pro up to Rel 3.2.5, Alcatel 1000 ANT Rel 3.1. </P>
<B><P>Advisory Statement </P></B>
<P>Alcatel ADSL modems grant unauthenticated TFTP access via User Datagram
Protocol (UDP) bounce.</P>
<P>Alcatel ADSL modems allow unauthenticated Trivial File Transfer
Protocol (TFTP) access from the local area network (LAN) as a method for
updating firmware and making configuration changes to the device. In
conjunction with a common vulnerability, a remote attacker may be able to
gain unauthenticated access as well.</P>
<B><P>Alcatel's answer</P></B>
<P>Correct. TFTP together with FTP are protocols that are used in the
modem to upgrade the system software (firmware). This gives the
capability to the user to benefit from new features at all times. This
upgrade is done from the LAN network (or the user port) that can only be
accessed by the modem user/owner. </P>
<P>However, this is an action that is not allowed from the WAN interface
by external users. </P>
<P>Speed Touch Home modems (typically in bridged configuration) with no
embedded firewall and used for LAN interconnect, give transparent access
to the LAN. If this is used for connection to the Internet, additional
measures have to be taken, since outside intruders can access the LAN and
access the modem via a bouncing mechanism. Explanation on how to use the
modem correctly and to alleviate this issue is described in the chapter:
Measures for Speed Touch Home modems.</P>
<P>In any case one should note that the vat majority of operating systems
used in residential of small business applications do not exhibit this
security vulnerability (cf. non-exhaustive list above).</P>
<B><P>Advisory Statement </P>
</B><P>Alcatel ADSL modems provide EXPERT administrative account with an
easily reversible encrypted password.</P>
<P>Alcatel ADSL modems contain a special account (EXPERT) for gaining
privileged access to the device. This account is secured via a
challenge-response password authentication mechanism. While the use of
such a mechanism is commendable, the algorithm used is not sufficiently
strong. Attackers with knowledge of the algorithm used to compute the
response are able to compute the correct response given information
visible during the login process.</P>
<B><P>Alcatel's answer</P></B>
<P>This is correct. Alcatel provides expert level access for technical
support and maintenance activities by service personnel. To avoid that
the user accidentally enters this mode, this mode is not documented in the
manual and is password protected. As such, the password is not intended
to protect against intrusion of malicious users. The Speed Touch Pro
offers another feature, called "system protection", providing
this security. The system protection disables the capability of remotely
(this is via a wide area network) accessing this expert level, which could
be used by outside attackers. </P>
<B><P>Advisory Statement </P></B>
<P>Alcatel ADSL modems contain a null default password</P>
<P>The Alcatel Speed Touch ADSL modem ships with a null default password,
permitting unauthenticated access via TELNET, HTTP, and FTP. As with the
EXPERT account vulnerability, the device must have an externally
accessible IP address.</P>
<B><P>Alcatel's answer</P></B>
<P>This is correct, there is no default password. During the
installation, the user can configure the parameters, and protect this with
it's own password. This is a standard practice. The same "system
protection" offers additional security against malicious users, which
are entering from the WAN side and are not owner of the modem. The same
"system protection" guarantees this security. See question 2
for Speed Touch Home users.</P>
<B><P>Advisory Statement </P></B>
<P>Alcatel ADSL modems provide unauthenticated TFTP access via physical
access to the WAN interface</P>
<P>To allow your ISP to upgrade the firmware of the ADSL modem remotely,
unauthenticated TFTP access is provided to users with physical access to
the wire on the WAN side of the modem. While this access is normally used
legitimately by your ISP, an attacker could also abuse it with physical
access to the wire outside of your home or at a local access point.</P>
<B><P>Alcatel's answer</P></B>
<P>Correct. This is true for all communication in general, e.g. voice
traffic, leased line data traffic. Physical wire access to a public
network by third parties is considered as crime. However, in cases where
a high degree of security is required, specialized encryption methods are
used such as IPSec are typically. This is a practice used by banks,
insurance company's etc. is recommended whatever the data network is that
is used for highly sensitive information.</P>
<P>What, if anything, can service providers do to guard against this
problem in their network? What can consumers do to guard against the
problem?</P>
<P>All modems that are shipped by Alcatel are by default "system
protected", and this is the recommended default operation. As a
result, in the majority of the cases, there is no real problem. In
general, it is strongly disadvised that end-users alter this default
setting. However, in certain cases where the service provider manages the
modem (as a managed service) with the Speed Touch Pro, the "system
protection" is disabled to be able to manage the modem remotely. See
measures for Speed Touch Pro modems for more info.</P>
<P> </P>
<B><P>Specific Measures for Speed Touch Home modems</P>
</B><P>Speed Touch Home modems in bridged mode provide transparent access
to the LAN (e.g. homeworking, branch office). When the LAN is connected
to the Internet, it is standard practice to provide additional security
measures to shield the LAN environment from general accessibility from the
Internet. Possible measures are: </P>
<P>1) For single PC connections or small home networks, it is recommended
to disable the echo service on the Operating system, or to install a
quality Firewall software on hosts.</P>
<P>2) For more advanced networks, a dedicated firewall is recommended, or
equivalently, make use of Speed Touch Pro with Firewall. </P>
<P>3) Alternatively, the service provider can provide the protection in
the network. The routers or broadband remote access servers can be
configured to drop all packets with broadcast source address, which are
considered illegal according to RFC1812.</P> <P> </P>
<B><P>Specific Measures for Speed Touch Pro modems</P>
</B><P>As explained before, in some cases the "system
protection" is disabled when service providers offer a managed
service. In those cases the user could enable the "system
protection" on the Speed Touch Pro modem. However, we do not
recommend this without consulting the service provider. Typically, in
managed service, the modem is property of the service provider and should
allow configuration by the service provider. In the case of a managed
service, the service provider provides security at network level by
configuring the broadband remote access server to only allow the
management server of the service provider to communicate with the
management interface of the modems.</P>
<P>If you need to verify or alter the configuration of the system
protection, proceed as described below:</P>
<UL>
<LI>Setup a telnet connection to your modem. Telnet address is 10.0.0.138</LI>
<LI>Type "Enter" at the User Name prompt </LI>
<LI>Wait for the next prompt and then type the following:</LI>
<UL>
<LI>=> ip config</LI>
</UL>
<LI>The information on you firmware protection feature is given in the
second line of the response</LI>
<UL>
<LI>If it is "ON", your modem has the security features
activated and you have nothing to worry about.</LI>
<LI>If it is "OFF", you are vulnerable to the
attacks. You can adjust the security settings as follows:</LI>
<LI>At the command prompt, type</LI>
<UL>
<LI>=> ip config firewalling on</LI>
<LI>=> config save </LI>
</UL>
</UL>
</UL>
<P>Continuous updates regarding the security aspects of Alcatel DSL CPE
are provided on the site <A
HREF="http://www.alcatel.com/consumer/dsl/security.htm">http://www.alcatel.com/consumer/dsl/security.htm</A></P>
</DL>
<!-- end vendor -->
<HR NOSHADE>
<P>The CERT Coordination Center would like to thank Tom Perrine and
Tsutomu Shimomura of the San Diego Supercomputer Center for notifying
us about this problem and their help in constructing this
advisory.</P>
<P></P>
<HR NOSHADE>
<P>Authors: This document is based on research by the SDSC and was written
by <A HREF="mailto:cert@cert.org?subject=CA-2001-08%20Feedback%20VU%23211736%20VU%23212088%20VU%23243592%20VU%23490344">Cory Cohen</A>, Jeffrey P. Lanza, and John Shaffer.
<P></P>
<!--#include virtual="/include/footer_nocopyright.html" -->
<P>Copyright 2001 Carnegie Mellon University.</P>
<P>Revision History
<PRE>
April 10, 2001: Initial release
April 12, 2001: Added revised Alcatel vendor statement, removed original statement
</PRE>
|