Alcatel ADSL Modem

Created 4/11/01

Impact

Implementation flaws could allow a remote attacker to change the configuration of an Alcatel Speed Touch ADSL modem, create a denial of service, or execute malicious code on the modem.

Background

The Alcatel ADSL (Asymmetric Digital Subscriber Line) series of modems provides high-speed remote access to the Internet. The Alcatel Speed Touch ADSL series, designed for homes or small offices, is more accurately described as a series of routers or bridges, which connect a LAN to the Internet. These modems have an IP address of 10.0.0.138 by default, and feature HTTP, FTP, TFTP, and Telnet interfaces.

The Problem

The Alcatel Speed Touch ADSL line of modems and the Alcatel 1000 ADSL Network Termination Device are affected by the following implementation flaws.
  1. By default, there is no password required for FTP or Telnet access to the modem.
  2. The built-in EXPERT account authenticates using a challenge-response mechanism which uses the same encryption algorithm and variables across multiple devices and software versions. Anyone who knows the algorithm could gain access to the modem using the EXPERT account even if a password has been set.
  3. TFTP is always enabled and accessible without authentication from the local side of the modem. This service could be exploited from the outside by "bouncing" spoofed UDP datagrams off of the echo port of any machine on the local LAN, so that the sessions appear to come from the local LAN. Therefore, if any machine on the local LAN has the echo service enabled, a remote attacker could exploit the TFTP service to view or change the device's configuration or to change the device's firmware. Thus it would be possible for an attacker to replace the device's firmware with malicious code.
  4. TFTP access is permitted to users with physical access to the wire on the external side of the modem. Although this access is normally used by your service provider for providing firmware upgrades, it could be used by an attacker with physical access to the wire outside the building.

Resolution

Unfortunately, there is no fix for many of these problems, but the chances of successful exploitation can be reduced by setting a password on the modem, filtering spoofed packets at the firewall, and blocking access to the echo service.
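
The following is an added example, not part of the original advisory: a Python check an administrator can run against hosts on their own LAN to find machines that still answer on the UDP echo port (7), the service that item 3 above depends on. The function names and the host list given on the command line are assumptions of this example.

```python
import os
import socket
import sys

ECHO_PORT = 7  # UDP echo service (RFC 862)


def udp_echo_enabled(host, port=ECHO_PORT, timeout=1.0):
    """Return True if host:port sends a UDP datagram back unchanged."""
    # Random probe so a stray datagram cannot be mistaken for an echo reply.
    probe = b"echo-audit-" + os.urandom(8).hex().encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            # A connected UDP socket only accepts replies from host:port.
            s.connect((host, port))
            s.send(probe)
            return s.recv(2048) == probe
        except OSError:
            # Timeout, ICMP port unreachable, or no route: treated as not echoing.
            return False


def audit_lan(hosts, port=ECHO_PORT, timeout=1.0):
    """Return the hosts that answer UDP echo and should have it disabled."""
    return [h for h in hosts if udp_echo_enabled(h, port, timeout)]


if __name__ == "__main__":
    # Usage (addresses are supplied by the operator): python echo_audit.py HOST [HOST ...]
    for host in audit_lan(sys.argv[1:]):
        print(f"{host}: UDP echo enabled; disable the service or block port 7")
```

A host that does not appear in the output either has echo disabled or did not reply within the timeout, so rerun with a longer timeout on slow links before treating the result as clean.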

Where can I read more about this?

This vulnerability was reported in CERT Advisory 2001-08.