Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: SNMP security issues in D-Link DSL Broadband Modem/Router
From: <m.singh () tesco net>
Date: Thu, 27 Mar 2003 16:27:07 +0000

I told dlink about this problem last year Sepember. They told they will release a fix I have not see a fix. 
It looks like dlink will not be doing any thing about this problem. 

In futher I will post here as well. 

Thanks 

Malkit Singh


From: Arhont Information Security <infosec () arhont com>
Date: 2003/03/27 Thu PM 03:31:41 GMT
To: bugtraq () securityfocus com
Subject: SNMP security issues in D-Link DSL Broadband Modem/Router



Arhont Ltd    -       Information Security Company



Arhont Advisory by:           Andrei Mikhailovsky (www.arhont.com)

Advisory:                     D-Link DSL Broadband Modem/Router 

Router Model Name:            D-Link DSL-500

Model Specific:                       Other models might be vulnerable as well

Manufacturer site:            http://www.dlink.com

Manufacturer contact (UK):    Tel: 0800 9175063 / 0845

0800288               

Contact Date:                 06/03/2003



DETAILS:



While performing a general security testing of a

network, we have found several security vulnerability

issues with the D-Link DSL Broadband Modem DSL-500



Issue 1:

The default router installation enables SNMP (Simple

Network Management Protocol) server with default

community names for read and read/write access. The

DSL-500 modem is configured alow SNMP access from the

WAN (Wide Area Network)/Internet side as well as from LAN.



andrei () whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c

public 192.168.0.1 -v 1

sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30

Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk

Copyright (c) 2000 Dlink Corp.

sysObjectID.0 = OID: enterprises.171.10.30.1

sysUpTime.0 = Timeticks: (14246347) 1 day, 15:34:23.47

...

...



The community name: public 



allows read access to the mentioned devices, allowing

enumeration and gathering of sensitive network

information.  



The community name: private 



allows read/write access to devices, thus allowing

change of the network settings of the broadband modem.



Impact: This vulnerability allows local and internet

malicious attackers to retrieve and change network

settings of the modem.



Risk Factor: Medium/High



Possible Solutions:  Firewall UDP port 161 from LAN/WAN

sides, as it is not possible to disable SNMP service


from the web management interface.



Issue 2:

The ISP account information including login name and

password is stored on the modem without encryption,  It

is therefore possible to retrieve this information with

simple SNMP gathering utility such as snmpwalk:



andrei () whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c

public 192.168.0.1 -v 1

sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30

Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk

...

...

...

transmission.23.2.3.1.5.2.1 = STRING:

"username () dsl-provider"

...

...

transmission.23.2.3.1.6.2.1 = STRING: "password-string"

...

...

... 



Impact: This vulnerability allows LAN and internet

malicious attackers to retrieve confidential information.



Risk Factor: Very High



Possible Solutions:  As a temporary solution you should

firewall UDP port 161 from LAN/WAN sides, as it is not

possible to disable SNMP service from the web

management interface.



According to the Arhont Ltd. policy, all of the found

vulnerabilities and security issues will be reported to

the manufacturer 7 days before releasing them to the

public domains (such as CERT and BUGTRAQ), unless

specifically requested by the manufacturer.



If you would like to get more information about this

issue, please do not hesitate to contact Arhont team at

infosec () arhont com 





Kind Regards,



Andrei Mikhailovsky

Arhont Ltd

http://www.arhont.com

GnuPG Keyserver: blackhole.pca.dfn.de

GnuPG Key:     0xFF67A4F4




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]