CERT Advisory CA-2001-08 Multiple Vulnerabilities in Alcatel ADSL Modems

Alcatel Speed Touch ADSL modem Security

INFORMATION

There have been some discussions in the press regarding security of Alcatel DSL modems and the security of DSL services in general.

The major vulnerability referred to in the advisory (VU#211736 - Alcatel ADSL modems grant unauthenticated TFTP access via Bounce Attacks), does not apply to mainstream Operating Systems used by residential and small business subscribers (e.g. Windows 95, 98, 98se, ME, and typical installations of NT4.0 Workstation, 2000 Professional and the latest commercial releases of Linux).

On Microsoft Windows Operating Systems, the "echo" service exploited to bounce TFTP traffic to the modem, is either not available as part of the OS (Windows 95, 98,98se, ME), or is not installed in a "typical" installation (NT4.0 Workstation and 2000 Professional).

It should be noted, however, that without a firewall, any PC in any configuration (home PC or in a LAN) is open for attacks by hackers, that can alter software, install viruses, spy information, etc. Especially PCs connected to the Internet through 'always on' Cable or DSL services should be protected through firewalls.

Therefore Alcatel highly recommends the use of firewalls as a general practice for always-on connections. Additionally Alcatel has started an initiative to qualify firewall software that will provide users with the highest possible degree of security. Alcatel will publish and update lists of recommended firewalls on its website in the near future.

The firewall recommendation is especially relevant for server applications, where a generic vulnerability for FTP-bounce may be present, as described in CA-1997-27.

One should in any case be aware of the fact that firewalls also continuously evolve to mitigate the subsequent security issues as they arise in the security experts community. Hence, the deployment of firewalls also inherently presumes an attitude towards the implementations of regular updates just as for anti-virus software.

Security in Modems and Networks

In any network there are two main types of security: network security and user security (more specifically, user content security).

Wide Area Network (WAN) security is concerned with protecting a network from malicious usage. Security at the Customer Premise Equipment (CPE) level is less available - unlike all other network levels -, since this equipment is not directly controlled by a Network Operator or an ISP. This is true for any type of CPE, including telephones, modems (analogue, DSL or cable) and fax machines. For a Network Operator's, ISP's or private network security can only be guaranteed at the network level. In other words, a network should stay operational at all times. Such type of security is already provided by Alcatel, built-in its DSLAM (operated by the service provider).

User security is concerned with protecting the content and local area network of an end-user. This type of security has to be implemented on Local Area Network (LAN) or PC level at the customer premises.

This is standard practice for any network connection (i.e. leased lines, cable modem, DSL). Generally such modems provide connectivity to the network and not security. User content security can be reinforced at the LAN level by installing a dedicated firewall software and/or hardware, either on the server or on the PC, or by installing a dedicated firewall device. Alcatel also provides DSL modems which have firewall security. User content and LAN security is the responsibility of the user.

There are many software and hardware products on the market to ensure security, including Alcatel products.

Alcatel's modems are designed to allow users to alter the firmware.

This is a standard feature built into some of the Speed Touch modems to allow local or - in case of the Speed Touch Pro - remote software upgrades. Access from the LAN interface (i.e. local access) into the modem does not constitute a security problem, since the modem normally belongs to the person who is using it. (For this reason no remote access is possible on the Speed Touch Home).

On the Speed Touch Pro, a protection mechanism feature is implemented to ensure that nobody can gain remote access to the modem (or via the WAN/DSL interface). This mechanism guarantees that nobody from outside can access the modem and change modem settings.

Alcatel ships all modems with the protection activated. However, it's easy for a modem owner to deactivate the protection (the procedure for activating this protection mechanism is described below).

This protection can be switched off locally by the modem owner, in case the service provider wants to do upgrades or do remote management. The service provider normally manages this process, and the service provider explains to the end-user how to deactivate the protection and how to re-activate it again.

This Advisory applies to Speed Touch Home up to Rel. 3.2.5, Speed Touch Pro up to Rel 3.2.5, Alcatel 1000 ANT Rel 3.1.

Alcatel ADSL modems grant unauthenticated TFTP access via User Datagram Protocol (UDP) bounce.

Alcatel ADSL modems allow unauthenticated Trivial File Transfer Protocol (TFTP) access from the local area network (LAN) as a method for updating firmware and making configuration changes to the device. In conjunction with a common vulnerability, a remote attacker may be able to gain unauthenticated access as well.

Correct. TFTP together with FTP are protocols that are used in the modem to upgrade the system software (firmware). This gives the capability to the user to benefit from new features at all times. This upgrade is done from the LAN network (or the user port) that can only be accessed by the modem user/owner.

However, this is an action that is not allowed from the WAN interface by external users.

Speed Touch Home modems (typically in bridged configuration) with no embedded firewall and used for LAN interconnect, give transparent access to the LAN. If this is used for connection to the Internet, additional measures have to be taken, since outside intruders can access the LAN and access the modem via a bouncing mechanism. Explanation on how to use the modem correctly and to alleviate this issue is described in the chapter: Measures for Speed Touch Home modems.

In any case one should note that the vat majority of operating systems used in residential of small business applications do not exhibit this security vulnerability (cf. non-exhaustive list above).

Alcatel ADSL modems provide EXPERT administrative account with an easily reversible encrypted password.

Alcatel ADSL modems contain a special account (EXPERT) for gaining privileged access to the device. This account is secured via a challenge-response password authentication mechanism. While the use of such a mechanism is commendable, the algorithm used is not sufficiently strong. Attackers with knowledge of the algorithm used to compute the response are able to compute the correct response given information visible during the login process.

This is correct. Alcatel provides expert level access for technical support and maintenance activities by service personnel. To avoid that the user accidentally enters this mode, this mode is not documented in the manual and is password protected. As such, the password is not intended to protect against intrusion of malicious users. The Speed Touch Pro offers another feature, called "system protection", providing this security. The system protection disables the capability of remotely (this is via a wide area network) accessing this expert level, which could be used by outside attackers.

Alcatel ADSL modems contain a null default password

The Alcatel Speed Touch ADSL modem ships with a null default password, permitting unauthenticated access via TELNET, HTTP, and FTP. As with the EXPERT account vulnerability, the device must have an externally accessible IP address.

This is correct, there is no default password. During the installation, the user can configure the parameters, and protect this with it's own password. This is a standard practice. The same "system protection" offers additional security against malicious users, which are entering from the WAN side and are not owner of the modem. The same "system protection" guarantees this security. See question 2 for Speed Touch Home users.

Alcatel ADSL modems provide unauthenticated TFTP access via physical access to the WAN interface

To allow your ISP to upgrade the firmware of the ADSL modem remotely, unauthenticated TFTP access is provided to users with physical access to the wire on the WAN side of the modem. While this access is normally used legitimately by your ISP, an attacker could also abuse it with physical access to the wire outside of your home or at a local access point.

Correct. This is true for all communication in general, e.g. voice traffic, leased line data traffic. Physical wire access to a public network by third parties is considered as crime. However, in cases where a high degree of security is required, specialized encryption methods are used such as IPSec are typically. This is a practice used by banks, insurance company's etc. is recommended whatever the data network is that is used for highly sensitive information.

What, if anything, can service providers do to guard against this problem in their network? What can consumers do to guard against the problem?

All modems that are shipped by Alcatel are by default "system protected", and this is the recommended default operation. As a result, in the majority of the cases, there is no real problem. In general, it is strongly disadvised that end-users alter this default setting. However, in certain cases where the service provider manages the modem (as a managed service) with the Speed Touch Pro, the "system protection" is disabled to be able to manage the modem remotely. See measures for Speed Touch Pro modems for more info.

Speed Touch Home modems in bridged mode provide transparent access to the LAN (e.g. homeworking, branch office). When the LAN is connected to the Internet, it is standard practice to provide additional security measures to shield the LAN environment from general accessibility from the Internet. Possible measures are:

1) For single PC connections or small home networks, it is recommended to disable the echo service on the Operating system, or to install a quality Firewall software on hosts.

2) For more advanced networks, a dedicated firewall is recommended, or equivalently, make use of Speed Touch Pro with Firewall.

3) Alternatively, the service provider can provide the protection in the network. The routers or broadband remote access servers can be configured to drop all packets with broadcast source address, which are considered illegal according to RFC1812.

As explained before, in some cases the "system protection" is disabled when service providers offer a managed service. In those cases the user could enable the "system protection" on the Speed Touch Pro modem. However, we do not recommend this without consulting the service provider. Typically, in managed service, the modem is property of the service provider and should allow configuration by the service provider. In the case of a managed service, the service provider provides security at network level by configuring the broadband remote access server to only allow the management server of the service provider to communicate with the management interface of the modems.

If you need to verify or alter the configuration of the system protection, proceed as described below:

• Setup a telnet connection to your modem. Telnet address is 10.0.0.138
• Type "Enter" at the User Name prompt
• Wait for the next prompt and then type the following:
• => ip config
• The information on you firmware protection feature is given in the second line of the response
• If it is "ON", your modem has the security features activated and you have nothing to worry about.
• If it is "OFF", you are vulnerable to the attacks. You can adjust the security settings as follows:
• At the command prompt, type
• => ip config firewalling on
• => config save