Vulnerability

Cable-Router AR220e

Affected

Cable-Router AR220e

Description

Axel Hammer found the following. The Allied Telesyn AT-AR220e (firmware 1.08a RC14) is a combined DSL/cable router with NAT, firewall and HTML-based configuration. The device has a 'Virtual Server' function, which is a port mapper from WAN to LAN. The 'Virtual Server' functionality can be disabled completely, and each port mapping can also be disabled individually.

If a port mapping is set up, e.g.

    Status;   Global Port; Internal Port; Internal IP; Protocol
    disabled; 80;          80;            192.168.0.1; TCP

AND the Virtual Server feature is enabled, the enabled/disabled setting of the individual port mappings is not checked: mappings marked as disabled still remain active. It is therefore possible to gain access to mapped services, which may have been left unsecured.

Solution

Unused mappings should be deleted from the list of port mappings. If no mappings are in use at all, the Virtual Server feature should be disabled.
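To verify whether a router you administer shows this behaviour, the following added example (not part of the advisory and not vendor code) parses a mapping list written in the advisory's column order and reports every mapping marked disabled whose global TCP port still accepts connections on the WAN address. The function names, the sample rows other than the advisory's own port 80 entry, and the command-line usage are assumptions; run it from a host on the WAN side of your own device.

```python
import socket
import sys

# Constructed sample; columns follow the advisory:
# Status; Global Port; Internal Port; Internal IP; Protocol
SAMPLE_MAPPINGS = """\
disabled; 80; 80; 192.168.0.1; TCP
enabled; 2222; 22; 192.168.0.2; TCP
disabled; 53; 53; 192.168.0.3; UDP
"""

def parse_mappings(text):
    """Parse semicolon-separated mapping rows into dicts (hypothetical helper)."""
    rows = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5 or not fields[1].isdigit():
            continue  # skips blank lines and a header row
        status, gport, iport, ip, proto = fields
        rows.append({"status": status.lower(), "global_port": int(gport),
                     "internal_port": int(iport), "internal_ip": ip,
                     "protocol": proto.upper()})
    return rows

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def leaking_mappings(mappings, wan_host, probe=tcp_reachable):
    """Disabled TCP mappings whose global port still answers on wan_host."""
    # UDP rows are skipped: a connect() check says nothing about UDP forwarding.
    return [m for m in mappings
            if m["status"] == "disabled" and m["protocol"] == "TCP"
            and probe(wan_host, m["global_port"])]

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_mappings.py <WAN address of your router>")
    wan = sys.argv[1]
    for m in leaking_mappings(parse_mappings(SAMPLE_MAPPINGS), wan):
        print(f"disabled mapping still forwards: {wan}:{m['global_port']} -> "
              f"{m['internal_ip']}:{m['internal_port']}")
```

An empty result only shows that nothing answered on those ports at the time of the check; the internal service itself may simply have been down.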