Alcatel ADSL Modem
Created 4/11/01
Impact
Implementation flaws could allow a remote attacker to
change the configuration of an Alcatel Speed Touch ADSL modem,
create a denial of service, or execute malicious code on
the modem.
Background
The Alcatel ADSL
(Asymmetric Digital Subscriber Line) series of modems provides high-speed
remote access to the Internet.
The Alcatel Speed Touch ADSL
series, designed for homes or small offices, is more accurately described
as a series of routers or bridges, which connect a LAN to the Internet.
These modems have an IP address of 10.0.0.138 by default, and
feature HTTP, FTP, TFTP, and
Telnet interfaces.
The Problem
The Alcatel Speed Touch ADSL line of modems and the Alcatel
1000 ADSL Network Termination Device are affected by
the following implementation flaws.
- By default, there is no password required for
FTP or Telnet access to the
modem.
- The built-in EXPERT account authenticates using
a challenge-response mechanism which uses the same encryption
algorithm and variables across multiple devices and software versions.
Anyone who knows the algorithm could gain access to the modem
using the EXPERT account even if a password has been set.
- TFTP is always enabled and accessible without authentication
from the local side of the modem. This service could be
exploited from the outside by "bouncing" spoofed UDP datagrams off of
the echo port of any machine on the local LAN, so that the
sessions appear to come from the local LAN.
Therefore, if any machine on the local LAN has the echo
service enabled, a remote attacker could exploit the
TFTP service to view or
change the device's configuration or to change the device's
firmware. Thus it would be possible for an attacker to
replace the device's firmware with malicious code.
- TFTP access is permitted to users with physical access
to the wire on the external side of the modem. Although
this access is normally used by your service provider for
providing firmware upgrades, it could be used by an attacker
with physical access to the wire outside the building.
Resolution
Unfortunately, there is no fix for many of these problems,
but the chances of successful exploitation can be reduced
by setting a password on the modem, filtering
spoofed packets at the firewall, and blocking access to
the echo service.
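
The following is an added example, not part of the original advisory: it checks firewall flow records for the two conditions the resolution asks to filter (LAN-sourced packets arriving on the external interface, and outside access to the echo service) plus echo-service traffic reaching the modem's TFTP port. The LAN prefix 10.0.0.0/24, the interface names "wan" and "lan", the record format and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the advisory): LAN prefix, interface names, record format.
LAN = ipaddress.ip_network("10.0.0.0/24")
MODEM = ipaddress.ip_address("10.0.0.138")  # default modem address from the advisory
ECHO_PORT, TFTP_PORT = 7, 69                # well-known ports for echo and TFTP

def parse(line):
    """Parse 'iface proto src sport dst dport' into a flow record."""
    iface, proto, src, sport, dst, dport = line.split()
    return {"iface": iface, "proto": proto,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}

def classify(flow):
    """Return the reasons a flow should be dropped; an empty list means pass."""
    reasons = []
    if flow["iface"] == "wan":
        # A LAN source address can never legitimately arrive from outside.
        if flow["src"] in LAN:
            reasons.append("spoofed-lan-source")
        # The echo service should not be reachable from the external side.
        if flow["dport"] == ECHO_PORT:
            reasons.append("echo-from-outside")
    # On the LAN side, echo-service output aimed at the modem's TFTP port
    # is the local half of the bounce the advisory describes.
    if (flow["iface"] == "lan" and flow["proto"] == "udp"
            and flow["dst"] == MODEM and flow["sport"] == ECHO_PORT
            and flow["dport"] == TFTP_PORT):
        reasons.append("echo-reply-to-modem-tftp")
    return reasons

# Constructed sample records (documentation address ranges for outside hosts).
SAMPLE_FLOWS = """\
wan udp 198.51.100.7 40000 10.0.0.20 53
wan udp 10.0.0.99 5000 10.0.0.20 7
lan udp 10.0.0.20 7 10.0.0.138 69
lan tcp 10.0.0.20 51000 203.0.113.5 80
wan tcp 203.0.113.9 44321 10.0.0.20 7
"""

def audit(text):
    """Classify every non-empty record; returns (line, reasons) pairs."""
    return [(ln, classify(parse(ln))) for ln in text.splitlines() if ln.strip()]

if __name__ == "__main__":
    for line, reasons in audit(SAMPLE_FLOWS):
        print(("DROP " if reasons else "pass ") + line, reasons)
```
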
Where can I read more about this?
This vulnerability was reported in
CERT Advisory 2001-08.