The San Diego Supercomputer Center Monday revealed that it had found security vulnerabilities in certain ADSL “modems” manufactured by French communications equipment maker Alcatel.
The flaws could allow an attacker to take complete control of the device, including changing its configuration, uploading new firmware and disrupting the communications between the device and the telephone central office providing ADSL service.
Alcatel’s ADSL modems (actually ADSL-Ethernet router/bridges) are among the most popular in the industry. North American customers include SBC Communications, the biggest DSL provider in the U.S., BellSouth, Bell Canada, Verizon, New Edge, Telus and Sprint.
The Computer Emergency Response Team (CERT) Coordination Center Tuesday corroborated the SDSC’s findings with a security advisory of its own.
Two of Alcatel’s models are affected by the flaws — the Alcatel Speed Touch Home and the older Alcatel 1000 Network Termination device — though the SDSC said it had not tested other models.
“It is strongly suspected that the ‘Speed Touch Pro’ software is at least very similar to that in the Speed Touch Home, so it is probable that the Pro is vulnerable to similar attacks,” the SDSC wrote in its security advisory. “Other members of the family running software derived from the same code base would also be expected to share these vulnerabilities.”
The flaws include user authentication issues, fully-accessible TFTP (Trivial File Transfer Protocol) servers, and a lack of validation of downloaded firmware.
First, Alcatel’s ADSL modems ship without a default password, allowing configuration read/write access over TELNET or HTTP without any password. Also, the file structure of the device’s file systems can be examined with FTP in the same way.
The modems also grant unauthenticated TFTP access from the LAN in order to allow configuration changes to the device and the updating of firmware. But CERT said that this, combined with one of several other common vulnerabilities, could allow a remote attacker to gain unauthorized access.
“For example, if a system on the LAN side of the ADSL modem has the UDP echo service enabled, a remote attacker may be able to spoof packets such that the ADSL modem will believe that this traffic originated from the local network,” CERT wrote in its security advisory. “By sending a packet to the UDP echo service with a spoofed source port of 69 (TFTP) and a source address of 255.255.255.255, the system providing the echo service can be tricked into sending a TFTP packet to the ADSL modem. If a system offering this service is accessible from the Internet it may be possible to use the system to attack the ADSL modem.”
Furthermore, CERT said that any mechanism for bouncing UDP packets off systems on the LAN side of the network may allow a remote attacker TFTP access to the device, which in turn allows the attacker to essentially gain complete control of the device.
The modems also allow unauthenticated TFTP access via physical access to the WAN interface. This is intended to allow ISPs to upgrade the firmware of the modems remotely, but CERT said it can also be abused by an attacker with physical access to the wire outside the homes of the modems’ users.
Finally, Alcatel modems contain a special administrative account, called EXPERT, for gaining privileged access to the device. The feature is secured by a challenge-response password authentication mechanism, but the algorithm used for this isn’t strong enough to protect the account.
“Attackers who know the algorithm used to compute the response can compute the correct response using information given to them during the login process,” CERT said.
To combat the vulnerabilities, CERT recommended owners of Alcatel ADSL modems take two steps. First, CERT said owners should set a password when the device is first configured. However, because a user-set password does not prevent the use of the EXPERT account, CERT also recommended the use of a home firewall that can prevent TFTP UDP bounce attacks by filtering packets with spoofed source addresses, packets with a source address of 255.255.255.255, or packets with a destination port of echo.
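The filtering rules CERT recommends, written out as a defender-side packet check over constructed sample traffic. This is an added illustration, not code from the article, CERT, or Alcatel; the LAN prefix 192.168.1.0/24, the `Packet` record and the sample packets are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed home LAN prefix behind the ADSL device (constructed for this example).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
BROADCAST = ipaddress.ip_address("255.255.255.255")
ECHO_PORT = 7    # UDP echo service
TFTP_PORT = 69   # shown only so the sample traffic is readable


@dataclass
class Packet:
    iface: str   # interface the packet arrived on: "wan" or "lan"
    proto: str   # "udp" or "tcp"
    src: str
    dst: str
    sport: int
    dport: int


def filter_reason(pkt: Packet) -> Optional[str]:
    """Return None if the packet may pass, else the CERT rule that drops it."""
    src = ipaddress.ip_address(pkt.src)
    # Rule 1: a packet from the Internet side must not claim a LAN source.
    if pkt.iface == "wan" and src in LAN_NET:
        return "spoofed LAN source on WAN interface"
    # Rule 2: no legitimate sender uses the limited-broadcast address as source.
    if src == BROADCAST:
        return "broadcast source address"
    # Rule 3: block the UDP echo service, which is what gets bounced.
    if pkt.proto == "udp" and pkt.dport == ECHO_PORT:
        return "udp echo destination port"
    return None


def audit(packets: List[Packet]) -> List[Optional[str]]:
    """Apply the filter to each packet; None means the packet is allowed."""
    return [filter_reason(p) for p in packets]


# Constructed sample traffic: three bounce-style packets, then two benign ones.
SAMPLE_PACKETS = [
    Packet("wan", "udp", "203.0.113.5", "192.168.1.10", 4444, ECHO_PORT),
    Packet("wan", "udp", "192.168.1.20", "192.168.1.10", TFTP_PORT, ECHO_PORT),
    Packet("wan", "udp", "255.255.255.255", "192.168.1.10", TFTP_PORT, ECHO_PORT),
    Packet("wan", "tcp", "203.0.113.5", "192.168.1.10", 51000, 443),
    Packet("lan", "udp", "192.168.1.10", "192.168.1.1", 3000, TFTP_PORT),
]

if __name__ == "__main__":
    for pkt, reason in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS)):
        print(f"{pkt.iface:3} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"{'ALLOW' if reason is None else 'DROP: ' + reason}")
```

The last sample packet, a local host updating the device over TFTP, is still allowed: the rules stop the bounce path from the Internet without breaking the LAN-side management CERT describes.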