Title: Alcatel Speed Touch ADSL Insecure Administration Interface Vulnerability
Severity: CRITICAL
Description:
In the factory shipped state, no password is set for the device's administration interface. This could permit a user to reconfigure the unit, or set the password and prevent the device from being reconfigured.
Once a password has been set, the device remains vulnerable to attack in two ways.
- TFTP: The device's TFTP service can be used to overwrite configuration files. This approach may allow an attacker to set or modify the administration password even if it has been previously set.
- Cryptographic attack: by connecting to the "EXPERT" account, a challenge-response sequence is initiated which is reportedly vulnerable to cryptographic attack. Details of the challenge-response algorithm were not made publicly available.
The device's configuration settings are accessible through FTP, HTTP and Telnet interfaces. In addition, the device's file structure is exposed through FTP. All of these services allow the modification of configuration information.
By default, no password is set for any of these services, so no authentication is required for access.
*** NOTE: Shortly after this advisory was published, the vendor, Alcatel, posted their response to the reported vulnerabilities in their modems.
In addition to providing general mitigating strategies designed to lessen the impact of these issues (such as firewall software and/or a dedicated firewall device or the Alcatel Speed Touch modem with Firewall capabilities), the vendor response indicates that only the Speed Touch Pro is vulnerable to remote changes to firmware code and configuration settings, and that this model can be made secure from such interference by the activation of an inbuilt security feature disabling remote access from the WAN/DSL interface. Therefore, while the discoverer's initial advisory states that the entire family of devices may be vulnerable, the vendor limits the scope of this vulnerability to a single, misconfigured model of the Speed Touch line.
This discussion will be updated regularly as further details and clarification emerge.
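To confirm that the firewall mitigation described above is holding, a defender can review firewall logs for accepted traffic to the modem's FTP, HTTP, Telnet and TFTP services from outside the LAN. The following is an added example, not part of the original advisory or vendor material. The log layout, the modem address 10.0.0.1, the LAN range and the well-known port numbers are assumptions made for the example.

```python
import ipaddress
import re

# Management services the advisory names, mapped to their well-known
# ports (assumed; the advisory does not list port numbers).
MGMT_SERVICES = {("tcp", 21): "FTP", ("tcp", 23): "Telnet",
                 ("tcp", 80): "HTTP", ("udp", 69): "TFTP"}

# Assumed log layout (constructed for this example):
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ACTION>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ACCEPT|DROP)$")

def find_wan_mgmt_access(lines, modem_ip, lan_cidr):
    """Return accepted flows to the modem's management services from outside the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    modem = ipaddress.ip_address(modem_ip)
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        service = MGMT_SERVICES.get((m["proto"], int(m["dport"])))
        if service is None or ipaddress.ip_address(m["dst"]) != modem:
            continue  # not a management service on the modem
        if m["action"] != "ACCEPT":
            continue  # dropped at the firewall, never reached the modem
        src = ipaddress.ip_address(m["src"])
        if src not in lan:
            findings.append((m["ts"], service, str(src)))
    return findings

# Constructed sample log; addresses come from private/documentation ranges.
SAMPLE_LOG = """\
2024-01-01T09:00:01Z tcp 10.0.0.5:40112 -> 10.0.0.1:80 ACCEPT
2024-01-01T09:02:17Z udp 203.0.113.9:1045 -> 10.0.0.1:69 ACCEPT
2024-01-01T09:02:30Z tcp 198.51.100.7:3321 -> 10.0.0.1:23 DROP
2024-01-01T09:03:02Z tcp 198.51.100.7:3322 -> 10.0.0.1:21 ACCEPT
2024-01-01T09:04:44Z tcp 203.0.113.9:2000 -> 10.0.0.1:443 ACCEPT
""".splitlines()

if __name__ == "__main__":
    for ts, service, src in find_wan_mgmt_access(SAMPLE_LOG, "10.0.0.1", "10.0.0.0/24"):
        print(f"{ts} {service} reached from non-LAN source {src}")
```

Any finding means a management service was reachable from outside the LAN and the filtering rules or the modem's WAN-access setting should be rechecked.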
Affected Products:
- Alcatel Speed Touch Home KHDSAA.108
- Alcatel Speed Touch Home KHDSAA.132
- Alcatel Speed Touch Home KHDSAA.133
- Alcatel Speed Touch Home KHDSAA.134
References:
- Alcatel: Alcatel ADSL Modem Security Information
- Alcatel: Alcatel Speed Touch Home Product Information
- Alcatel: Alcatel Speed Touch Pro Product Information