Date: Mon, 8 May 2000 13:54:17 -0700
From: Stephen Friedl <friedl@MTNDEW.COM.>
To: [email protected]Subject: Advisory: Netopia R9100 router vulnerability
Security Advisory: Netopia R9100 DSL router
By: Stephen Friedl ([email protected])
Date: 8 May 2000
Short summary:
The Netopia R9100 permits a user not authorized with a
special security password to neverthless modify the SNMP
community strings, including enabling SNMP access that should
be disabled.
Device Summary:
The Netopia R9100 is an Ethernet-to-Ethernet router intended
mainly for the DSL and cable modem markets, and it supports
NAT and various kinds of tunneling. It is managed with telnet,
HTTP, and with SNMP from either the inside or the outside
Ethernet interfaces.
Product information on this device can be found at:
http://www.netopia.com/equipment/routers/r9100/
One of the many setup screens permits the setting of SNMP
community names, both RO and RW, and setting the entries
to blanks effectively disables SNMP access. The security
setup screen (which requires a separate password from that
used during login) can be configured to restrict access to
any of the SNMP screens.
Vulnerability:
The R9100 has a command-line mode that is reached by typing
control-N after the user has passed the initial login test.
At the "#" prompt one can then do most management of the device.
This includes the setting of SNMP community strings in spite
of the limitation imposed by the administrator:
# set snmp community RO wookie
or
# set snmp community RW wookie
Impact:
Relatively low. The exploit can only be attempted by those
with existing access login to the device, and it doesn't seem
terribly common to have users allowed to manage nearly everything
except the SNMP strings.
Workaround:
Deny access to users who can't be trusted.
Versions Tested:
v4.6.2 (the latest) is the only version tested. Older
versions probably vulnerable also.
Other similar Netopia products possibly vulnerable also
Response from Netopia:
The new behavior will be when SNMP access is disabled in the
Security screen, and an attempt is made to configure the SNMP
read-write string via the Command Line and Telnet, the user
will get an error: -400 Access Denied.
This fix will be in the next release of firmware, version 4.7
(approx. end of May)
Steve
---
Stephen J Friedl|Software Consultant|Tustin, CA| +1 714 544-6561
3B2-kind-of-guy |I speak for me only| KA8CMY |[email protected]
