Vulnerability

BreezeCom

Affected

BreezeCom

Description

Stefan Laudat found the following. A deeper look into the BreezeCom equipment can be done with a standard Motorola CPU32 BDM interface (like the not-so-old Motorola GSM phones, the pre-ARM7TDMI models such as the cd930, blah blah). This allows 'live' breakpoints and memory analysis (as on other CPU32 systems, the flash is mapped contiguously with the RAM). Stefan could not identify the debug port pinout (you may notice it on the PCB).

There are some interesting things too (tested with versions up to and including 4.4.x; they may not work with 5.x):

- The 'private' SNMP community is r/w without any protection, so you may disable the Ethernet port on access points, station adapters or wireless bridges. The recovery procedure is pretty nasty, but thanks to the BreezeCom support team you can re-enable it. It is confirmed that this no longer works with 5.x, but older hardware does not support it. Of course, there are many other things you can do with SNMP and a BreezeCom.

- Access to the TFTP server is unfiltered. If you don't protect your modems with some kind of IP filtering there are easy ways to tftp -you victim.modem.ip.address put erase erase then wait for a reboot - this means the flash has to be changed after that, etc. A good idea would be something like acknowledging file transfers only from directly connected hosts, but since the software does not support more than one ARP association it is almost impossible.

Solution

The moral should be something like: do not use "routable" IP addresses, and filter SNMP and TFTP access.
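
One way to check the recommendation above against an inventory and a flow log, as an added example that is not part of the original advisory. The device list, flow tuples and management subnet are constructed, and 203.0.113.5 (a documentation address) stands in for a routable one.

```python
import ipaddress

# Ports named in the solution: SNMP and TFTP, both carried over UDP.
MGMT_PORTS = {161: "snmp", 69: "tftp"}
# Assumption: "non-routable" means RFC 1918 private IPv4 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_routable(ip):
    """True when the address lies outside every RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)

def audit(devices, flows, mgmt_net):
    """Return (finding, device_ip, source_ip) tuples.

    devices  -- management IPs of the radio units
    flows    -- (src_ip, dst_ip, proto, dst_port) records from a flow log
    mgmt_net -- the only network allowed to send SNMP/TFTP to the units
    """
    allowed = ipaddress.ip_network(mgmt_net)
    units = set(devices)
    # Part 1 of the advice: units should not sit on routable addresses.
    findings = [("routable-address", ip, None)
                for ip in devices if is_routable(ip)]
    # Part 2: SNMP/TFTP must only arrive from the management network.
    for src, dst, proto, dport in flows:
        if dst in units and proto == "udp" and dport in MGMT_PORTS:
            if ipaddress.ip_address(src) not in allowed:
                findings.append((MGMT_PORTS[dport] + "-unfiltered", dst, src))
    return findings

# Constructed sample data, not taken from any real network.
DEVICES = ["10.20.0.11", "10.20.0.12", "203.0.113.5"]
FLOWS = [
    ("10.20.0.5", "10.20.0.11", "udp", 161),     # management host: allowed
    ("192.168.7.40", "10.20.0.11", "udp", 161),  # SNMP from a user LAN
    ("198.51.100.9", "203.0.113.5", "udp", 69),  # TFTP from outside
    ("192.168.7.40", "10.20.0.12", "tcp", 80),   # not SNMP/TFTP: ignored
    ("10.20.0.5", "10.20.0.12", "udp", 69),      # management host: allowed
]

if __name__ == "__main__":
    for finding in audit(DEVICES, FLOWS, "10.20.0.0/29"):
        print(finding)
```

Any finding means the filter between that source and the unit is missing or too broad.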