I told D-Link about this problem in September last year. They told me they would release a fix. I have not seen a fix. It looks like D-Link will not be doing anything about this problem. In future I will post here as well.

Thanks
Malkit Singh

>
> From: Arhont Information Security <infosec@arhont.com>
> Date: 2003/03/27 Thu PM 03:31:41 GMT
> To: bugtraq@securityfocus.com
> Subject: SNMP security issues in D-Link DSL Broadband Modem/Router
>
> > Arhont Ltd - Information Security Company
> >
> > Arhont Advisory by: Andrei Mikhailovsky (www.arhont.com)
> > Advisory: D-Link DSL Broadband Modem/Router
> > Router Model Name: D-Link DSL-500
> > Model Specific: Other models might be vulnerable as well
> > Manufacturer site: http://www.dlink.com
> > Manufacturer contact (UK): Tel: 0800 9175063 / 0845 0800288
> > Contact Date: 06/03/2003
> >
> > DETAILS:
> >
> > While performing general security testing of a
> > network, we have found several security vulnerability
> > issues with the D-Link DSL Broadband Modem DSL-500.
> >
> > Issue 1:
> > The default router installation enables SNMP (Simple
> > Network Management Protocol) server with default
> > community names for read and read/write access. The
> > DSL-500 modem is configured to allow SNMP access from the
> > WAN (Wide Area Network)/Internet side as well as from LAN.
> >
> > andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
> > sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
> > Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
> > Copyright (c) 2000 Dlink Corp.
> > sysObjectID.0 = OID: enterprises.171.10.30.1
> > sysUpTime.0 = Timeticks: (14246347) 1 day, 15:34:23.47
> > ...
> > ...
> >
> > The community name: public
> >
> > allows read access to the mentioned devices, allowing
> > enumeration and gathering of sensitive network
> > information.
> >
> > The community name: private
> >
> > allows read/write access to devices, thus allowing
> > change of the network settings of the broadband modem.
> >
> > Impact: This vulnerability allows local and internet
> > malicious attackers to retrieve and change network
> > settings of the modem.
> >
> > Risk Factor: Medium/High
> >
> > Possible Solutions: Firewall UDP port 161 from LAN/WAN
> > sides, as it is not possible to disable SNMP service
> > from the web management interface.
> >
> > Issue 2:
> > The ISP account information including login name and
> > password is stored on the modem without encryption. It
> > is therefore possible to retrieve this information with
> > a simple SNMP gathering utility such as snmpwalk:
> >
> > andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
> > sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
> > Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
> > ...
> > ...
> > ...
> > transmission.23.2.3.1.5.2.1 = STRING:
> > "username@dsl-provider"
> > ...
> > ...
> > transmission.23.2.3.1.6.2.1 = STRING: "password-string"
> > ...
> > ...
> > ...
> >
> > Impact: This vulnerability allows LAN and internet
> > malicious attackers to retrieve confidential information.
> >
> > Risk Factor: Very High
> >
> > Possible Solutions: As a temporary solution you should
> > firewall UDP port 161 from LAN/WAN sides, as it is not
> > possible to disable SNMP service from the web
> > management interface.
> >
> > According to the Arhont Ltd. policy, all of the found
> > vulnerabilities and security issues will be reported to
> > the manufacturer 7 days before releasing them to the
> > public domains (such as CERT and BUGTRAQ), unless
> > specifically requested by the manufacturer.
> >
> > If you would like to get more information about this
> > issue, please do not hesitate to contact Arhont team at
> > infosec@arhont.com.
> >
> >
> > Kind Regards,
> >
> > Andrei Mikhailovsky
> > Arhont Ltd
> > http://www.arhont.com
> > GnuPG Keyserver: blackhole.pca.dfn.de
> > GnuPG Key: 0xFF67A4F4
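
An added example, not part of the original thread or the Arhont advisory: a Python audit that reads saved `snmpwalk -Os` output from a device you administer and reports the two exposures described above without echoing the credentials. The names `parse_walk`, `audit` and `SAMPLE` are assumptions of this example; the two columns flagged are pppSecuritySecretsIdentity and pppSecuritySecretsSecret from PPP-SEC-MIB (RFC 1472), which match the OIDs shown in the advisory.

```python
import re

# pppSecuritySecretsTable columns (PPP-SEC-MIB, RFC 1472), "-Os" short form.
SECRET_COLUMNS = {
    "transmission.23.2.3.1.5": "PPP identity (ISP login name)",
    "transmission.23.2.3.1.6": "PPP secret (ISP password)",
}
VARBIND = re.compile(r"^(\S+) = (?:([A-Za-z0-9-]+): ?)?(.*)$")

def parse_walk(text):
    """Yield (oid, type, value) from saved `snmpwalk -Os` output."""
    current = None
    for line in map(str.strip, text.splitlines()):
        if not line or set(line) == {"."}:    # blank or "..." elision
            continue
        m = VARBIND.match(line)
        if m:                                  # a new "oid = TYPE: value"
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2) or "", m.group(3)]
        elif current:                          # wrapped or multi-line value
            current[2] = (current[2] + " " + line).strip()
    if current:
        yield tuple(current)

def audit(text):
    """Return (severity, oid, message) findings; secrets are never echoed."""
    findings = []
    for oid, _type, value in parse_walk(text):
        value = value.strip('"')
        if oid == "sysDescr.0":
            findings.append(("info", oid, "agent answered: " + value))
        label = SECRET_COLUMNS.get(oid.rsplit(".", 2)[0])  # drop link.idIndex
        if label and value:
            findings.append(("high", oid, f"{label}: {len(value)} chars readable (redacted)"))
    return findings

# Constructed sample: the advisory's placeholder output, wrapped as in the mail.
SAMPLE = """\
sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
...
transmission.23.2.3.1.5.2.1 = STRING:
"username@dsl-provider"
transmission.23.2.3.1.6.2.1 = STRING: "password-string"
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An empty result from a walk taken on the WAN side after UDP port 161 has been firewalled is the outcome the advisory's workaround aims for.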