|
Vulnerability Netopia R9100 Affected Netopia R9100 router Description Stephen Friedl found following. The Netopia R9100 permits a user not authorized with a special security password to neverthless modify the SNMP community strings, including enabling SNMP access that should be disabled. The Netopia R9100 is an Ethernet-to-Ethernet router intended mainly for the DSL and cable modem markets, and it supports NAT and various kinds of tunneling. It is managed with telnet, HTTP, and with SNMP from either the inside or the outside Ethernet interfaces. Product information on this device can be found at: http://www.netopia.com/equipment/routers/r9100/ One of the many setup screens permits the setting of SNMP community names, both RO and RW, and setting the entries to blanks effectively disables SNMP access. The security setup screen (which requires a separate password from that used during login) can be configured to restrict access to any of the SNMP screens. The R9100 has a command-line mode that is reached by typing control-N after the user has passed the initial login test. At the "#" prompt one can then do most management of the device. This includes the setting of SNMP community strings in spite of the limitation imposed by the administrator: # set snmp community RO wookie or # set snmp community RW wookie The exploit can only be attempted by those with existing access login to the device, and it doesn't seem terribly common to have users allowed to manage nearly everything except the SNMP strings. Versions tested: v4.6.2 (the latest) is the only version tested. Older versions probably vulnerable also. Other similar Netopia products possibly vulnerable also. Same results with Netopia R3100-T router at v4.6 with the same results. Same also on an R-7100 running <4.6.3 firmware. Solution Deny access to users who can't be trusted. The new behavior will be when SNMP access is disabled in the Security screen, and an attempt is made to configure the SNMP read-write string via the Command Line and Telnet, the user will get an error: -400 Access Denied. This fix will be in the next release of firmware, version 4.7 (approx. end of May). Also, this has been fixed in version 4.6.3. It was put up on the website. Follow the links from http://www.netopia.com/equipment/purchase/fmw_update.html