Date: Sun, 10 May 1998 08:43:50 -0500
From: January <january@spy.net.>
To: [email protected]
Subject: Security Vulnerability in Motorola CableRouters

A security hole has been identified in Motorola CableRouters that allows
administrative access.

Motorola produces cable devices that cable companies use to provide
internet access to subscribers. The customer equipment is a CableModem, a
white box with a cable line in one side and an ethernet line out the
other. The equipment used in the cable company's facility (headend) is
called a CableRouter. It is used to connect the subscribers from the
hybrid fiber coax (HFC) cable plant to the Internet via a fast ethernet,
FDDI, or ATM network. It is possible to configure the CableRouter via
Telnet/FTP and via SNMP.

Under normal use, the CableRouter can be configured via Telnet/FTP from a
list of three "trusted" hosts, or Telnet/FTP may be altogether disabled
when it is deemed unnecessary (the cable company is doing out-of-band
management on another interface, for example). However, a serious
vulnerability has been identified that will allow ANY host to connect,
regardless of whether Telnet/FTP is disabled or not.

This vulnerability exists in all known releases of the CableRouter's
software. The CableRouter leaves an open telnet port at port 1024. This
port is always open, and does not obey any access list of "trusted IPs."
Furthermore, the CableRouter performs absolutely NO logging of connections
-- you can connect and never be seen.

If you are a CableModem subscriber, you cannot directly connect to the
CableRouter you are connected to. But you can from the outside world. For
example:

$ telnet xxx.xxx.xxx.xxx 23 (try connecting on the normal telnet port)
Trying xxx.xxx.xxx.xxx...
telnet: Unable to connect to remote host: Connection refused

$ telnet xxx.xxx.xxx.xxx 1024 (try connecting to the vulnerable port)
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^['.
(press enter)
Login:
Password:
Invalid name.

On Motorola CableRouters, the default login is 'cablecom' (without the
quotes) and the default password is 'router'. Many cable companies never
change this, assuming that only the trusted IPs can connect.

Furthermore, Motorola has announced that there is a memory leak in the
telnet process of their CableRouter. If you telnet to it enough, the
router will eventually run out of memory and crash.

There is no known fix for this other than to filter port 1024 on the
core/border router connected to the CableRouter. To compound the problem,
Motorola is quite aware of this vulnerability but does not inform their
customers, believing that it is "too" sensitive. Their official statement
to customers has been that there are no undocumented issues in the latest
release of their software. So many cable companies have vulnerable
systems supporting thousands of subscribers... And they don't even know
it.
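
Because the CableRouter itself logs nothing, the only record of port-1024 connections is on the core/border router where the filter is applied. The following Python script is an added example, not part of the original advisory: it scans border-router flow records for permitted connections to port 1024 on CableRouter addresses. The log layout, the addresses and the function names are assumptions constructed for illustration.

```python
from collections import Counter
from ipaddress import ip_address

VULN_PORT = 1024  # the always-open telnet port described in the advisory

# Constructed sample records. The layout is an assumption, not a real
# router's format: "timestamp src dst proto dport action"
SAMPLE_LOG = """\
1998-05-10T08:01:02 203.0.113.7 192.0.2.10 tcp 23 deny
1998-05-10T08:01:09 203.0.113.7 192.0.2.10 tcp 1024 permit
1998-05-10T08:01:30 203.0.113.7 192.0.2.10 tcp 1024 permit
1998-05-10T08:02:11 198.51.100.5 192.0.2.10 tcp 23 permit
1998-05-10T08:03:40 198.51.100.9 192.0.2.11 tcp 1024 deny
1998-05-10T08:04:00 203.0.113.8 192.0.2.99 tcp 1024 permit
malformed line
"""

def parse(line):
    """Return a record dict, or None if the line does not fit the layout."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, action = parts
    try:
        return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                "proto": proto, "dport": int(dport), "action": action}
    except ValueError:
        return None

def audit(log_text, cablerouters, trusted_hosts):
    """Summarise port-1024 traffic towards the listed CableRouter addresses."""
    routers = {ip_address(a) for a in cablerouters}
    trusted = {ip_address(a) for a in trusted_hosts}
    by_source = Counter()  # permitted port-1024 connections per source
    exposed, filtered = set(), set()
    for rec in filter(None, map(parse, log_text.splitlines())):
        if rec["proto"] != "tcp" or rec["dport"] != VULN_PORT:
            continue
        if rec["dst"] not in routers:
            continue
        if rec["action"] == "permit":
            # The trusted-host list is not enforced on this port, so every
            # permitted flow marks the router as exposed, whatever the source.
            exposed.add(str(rec["dst"]))
            by_source[str(rec["src"])] += 1
        else:
            filtered.add(str(rec["dst"]))
    untrusted = sorted(s for s in by_source if ip_address(s) not in trusted)
    return {"exposed": sorted(exposed), "filtered": sorted(filtered),
            "by_source": dict(by_source), "untrusted": untrusted}
```

A router that appears under "exposed" has no working port-1024 filter in front of it, and a high count for one source in "by_source" is worth checking against the telnet memory leak mentioned above.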