Barricade Broadband Routers default settings allows attacker to gain access
|barricade-router-gain-access (15993)||High Risk|
Barricade Cable/DSL Broadband Router (SMC7004VBR) and Barricade/Broadband Router (SMC7008ABR) could allow a remote attacker to gain access to the router. If the default installation is followed using the setup wizard and only factory defaults are set, remote administration is enabled by default on port 1900. A remote attacker could access the router's external IP address using port 1900 and login to gain access to the router.
NFor SMC7004VBR version 1:
Upgrade to the latest firmware (1.41.008 or later), available from the SMC Networks Inc Product Download Web page. See References.
For SMC7008ABR version 2:
Upgrade to the latest firmware (1.232 or later), available from the SMC Networks Inc Product Download Web page. See References.
As a workaround, go to Advanced Setup and enable the router's firewall or forward port 1900 of the router to a non-existent internal IP address.
- BugTraq Mailing List, Sat Jun 05 2004 - 19:35:58 CDT: SMC 7008ABRv2 and 7004VBRv1 updated firmware corrects port 1900 issue..
- Full-Disclosure Mailing List, Tue Apr 27 2004 - 16:34:31 CDT: SMC Routers have remote administration enabled by default.
- SMC Networks Inc Product Download Web page: SMC Networks | Consumer Site : Support : Product Downloads : Routers.
- SMC Networks Web site: SMC Networks | Consumer Site : Products : Routers.
- BID-10232: SMC Broadband Routers 7008ABR and 7004VBR Unauthorized Access Vulnerability
- CVE-2004-1976: SMC Barricade broadband router 7008ABR and 7004VBR enable remote administration by default, which allows remote attackers to gain access by connecting to port 1900.
- OSVDB ID: 16901: Barricade SMC700* Unauthenticated Remote Admin Access
- SMC Barricade Broadband Router SMC7004VBR 1.0
- SMC Barricade Broadband Router SMC7008ABR
Apr 27, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this