6th Apr 2003 [SBWID-6114]
COMMAND
D-Link Broadband Modem/Router
SYSTEMS AFFECTED
D-Link DSL-300G/DSL-300G+
PROBLEM
Andrei Mikhailovsky of Arhont Information Security [www.arhont.com]
says:
While performing general security testing of a network, we have found
several security vulnerability issues with the D-Link DSL Broadband
Modems models: DSL-300G and DSL-300G+. This issue is similar to the one
found in the D-Link DSL-500 modem/router
(http://www.securityfocus.com/archive/1/316489/2003-03-27/2003-04-02/0).
Issue 1:
========
The default router installation enables SNMP (Simple Network Management
Protocol) server with default community names for read and read/write
access. The models DSL-300G and DSL-300G+ only allow SNMP access from
the LAN (Local Area Network) side.
andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30
ANNEXA (Oct 18 2002) R2.05.b4t9uk
Copyright (c) 2000 Dlink Corp.
sysObjectID.0 = OID: enterprises.171.10.30.1
sysUpTime.0 = Timeticks: (27941701) 3 days, 5:36:57.01
...
...
The community name: public
allows read access to the mentioned devices, allowing enumeration and
gathering of sensitive network information.
The community name: private
allows read/write access to devices, thus allowing change of the
network settings of the broadband modem.
Impact: This vulnerability allows local malicious attackers to retrieve
and change network settings of the modem.
Issue 2:
=======
Default remote administration access password via telnet cannot be
changed during the setup via the web interface. Even after configuring the
modem in the web interface and changing the default password, malicious
attackers can access the unit with telnet and the default administrator
password "private".
Issue 3:
========
The ISP account information including login name and password is stored
on the modem without encryption. It is therefore possible to retrieve
this information with a simple SNMP gathering utility such as snmpwalk:
andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30
ANNEXA (Oct 18 2002) R2.05.b4t9uk
Copyright (c) 2000 Dlink Corp.
sysObjectID.0 = OID: enterprises.171.10.30.1
...
...
...
transmission.23.2.3.1.5.2.1 = STRING: "username@dsl-provider"
...
...
transmission.23.2.3.1.6.2.1 = STRING: "password-string"
...
...
...
Impact: This vulnerability allows LAN malicious attackers to retrieve
confidential information.
SOLUTION
Possible Solutions:
1. Firewall UDP port 161 from LAN/WAN sides, as it is not possible to
disable SNMP service from the web management interface.
2. You can change or disable SNMP default settings by connecting to the
modem/router using telnet with password string: "private". (This
solution has been pointed out by Snowy Maslov
<[email protected]>)
3. Manually change the default password via telnet and reboot the
modem.
4. As a temporary solution you should firewall UDP port 161 from LAN
sides, as it is not possible to disable SNMP service from the web
management interface.
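
The two OIDs quoted under Issue 3 are the identity and secret columns of the PPP secrets table defined in RFC 1472. The Python helper below is an added example, not part of the original advisory: it parses saved `snmpwalk -Os` output from a device you administer and reports whether that table is readable, without copying the secret into the report. The function names and the sample input are constructed for illustration.

```python
import re

# pppSecuritySecretsTable (RFC 1472): transmission.23.2.3.1.<column>.<link>.<id>
PPP_SECRET_COLUMNS = {"5": "identity", "6": "secret_readable"}
OID_LINE = re.compile(r"^(\S+) = (\w[\w-]*): ?(.*)$")
PPP_OID = re.compile(r"^transmission\.23\.2\.3\.1\.(\d+)\.(\d+\.\d+)$")


def join_wrapped(lines):
    """Re-attach values that wrapped onto following lines; drop "..." elisions."""
    joined = []
    for line in (raw.strip() for raw in lines):
        if not line or set(line) == {"."}:
            continue
        if OID_LINE.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    return joined


def audit_walk(text):
    """Map each PPP secrets row to what a reader of this community can see."""
    rows = {}
    for line in join_wrapped(text.splitlines()):
        m = OID_LINE.match(line)
        col = PPP_OID.match(m.group(1)) if m else None
        if not col or col.group(1) not in PPP_SECRET_COLUMNS:
            continue
        value = m.group(3).strip().strip('"')
        key = PPP_SECRET_COLUMNS[col.group(1)]
        # Record only that the secret is readable; never copy it into a report.
        rows.setdefault(col.group(2), {})[key] = (
            value if key == "identity" else bool(value)
        )
    return rows


# Constructed sample modelled on the advisory's output (placeholder credentials).
SAMPLE_WALK = """\
sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30
ANNEXA (Oct 18 2002) R2.05.b4t9uk
...
transmission.23.2.3.1.5.2.1 = STRING:
"username@dsl-provider"
transmission.23.2.3.1.6.2.1 = STRING: "password-string"
"""

if __name__ == "__main__":
    print(audit_walk(SAMPLE_WALK))
```

An empty result after the firewall or SNMP changes listed under SOLUTION means the walk no longer exposes the PPP secrets table to that community.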