ISS X-Force Database: alcatel-tftp-lan-access(6336): Alcatel ADSL modems allow attacker on LAN to gain access using TFTP

Alcatel ADSL modems allow attacker on LAN to gain access using TFTP

alcatel-tftp-lan-access (6336)

High Risk

Description:

Alcatel Asymmetric Digital Subscriber Line (ADSL) modems could allow an attacker to access the modem�s configuration file using the Trivial File Transfer Protocol (TFTP). By default, the ADSL modems are shipped with a TFTP server. The TFTP server does not require authentication. This allows an attacker on the local area network (LAN) to access the modem�s configuration file and obtain or modify sensitive information stored in the configuration file, such as the password or firmware using TFTP. A remote attacker could exploit this vulnerability if UDP echo service is enabled on the modem. The remote attacker could send spoofed packets from TFTP port 69 to the UDP echo service and "bounce" UDP packets off systems on the local area network in order to gain TFTP access on the modem.

Consequences:

Gain Access

Remedy:

If you have a firewall, you may be able to prevent the TFTP UDP bounce attack by filtering the following packet types:

Packets with spoofed source addresses
Packets with a source address of 255.255.255.255
Packets with a destination port of echo (or other "simple" services)

References:

Alcatel Web Site: Speed Touch.
Alcatel Web Site: ALCATEL SPEED TOUCH ADSL MODEM SECURITY INFORMATION.
BugTraq Mailing List, Tue Apr 10 2001 - 02:33:22 CDT: multiple vulnerabilities in Alcatel Speed Touch DSL modems.
CERT Advisory CA-2001-08: Multiple Vulnerabilities in Alcatel ADSL Modems.
San Diego Supercomputer Center NPACI -- UC San Diego Web site: SDSC's Self-Help Guide to the Alcatel Speed Touch Home ADSL modem..
San Diego Supercomputer Center Security Advisory: Multiple Vulnerabilities in Alcatel ADSL-Ethernet Bridge devices.
BID-2566: Alcatel Speed Touch Pro ADSL Insecure Embedded TFTP Server Vulnerability
CVE-2001-1426: Alcatel Speed Touch running firmware KHDSAA.108 and KHDSAA.132 through KHDSAA.134 has a TFTP server running without a password, which allows remote attackers to change firmware versions or the device's configurations.
CVE-2001-1484: Alcatel ADSL modems allow remote attackers to access the Trivial File Transfer Protocol (TFTP) to modify firmware and configuration via a bounce attack from a system on the local area network (LAN) side, which is allowed to access TFTP without authentication.
US-CERT VU#211736: Alcatel ADSL modems grant unauthenticated TFTP access via Bounce Attacks
US-CERT VU#490344: Alcatel ADSL modems provide unauthenticated TFTP access via physical WAN interface

Platforms Affected:

Alcatel ADSL Network Termination Device 1000
Alcatel Speed Touch ADSL modem

Reported:

Apr 10, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page