COMMAND

    BinTec

SYSTEMS AFFECTED

    BinTec BinTec X1000, X1200, X4000 Access Router

PROBLEM

    Jan Muenther found  following.  BinTec  X4000 locks up  after nmap
    -sS  portscan.   The  BinTec  X4000  is a mid-sized multi-purpose,
    multi-protocol router meant  to fit the  needs of small  to medium
    companies.  Unfortunately, it has a bit of a problem.

    A simple nmap SYN scan (nmap  -sS) will cause the machine to  lock
    up completely.  It can neither be accessed through LAN nor through
    a  serial  connection  or  the  built  in,  LCD-display-based  MMI
    (man-machine-interface).  The only way of getting it back to  life
    is to pull the plug and put it back in.

    As far as we know,  every firmware version has the  vulnerability,
    though we only verified this with 5.1.6 Patch 10 of the  bootimage
    and logicware 1.05.  Jan used nmap 2.53.

    According  to  Stephan  Holtwisch  Bintec  has  some  other stupid
    "habits" as well.  If you send lots of small UDP packets over  the
    Link (a  customer did  this with  a stub  resolver), it constantly
    had 5-10 % packet loss.   You will find this kind of  behaviour in
    various Firmwares concerning NAT, IP Accounting etc.

    Further examination  of the  phenomenon at  BinTec has  shown that
    sending a SYN  flagged TCP packet  to port 1723  (pptp) will cause
    the  machine  to  behave  in  the  described way.  The pptp daemon
    should be activated only when the software license key is  entered
    and it can process incoming packets adequately.  However, it isnt.
    When the 'dormant' pptpd receives a SYN packet and cannot  process
    it, the  daemon claims  100% CPU  usage and  the machine locks up.
    This, of course, happens when  a SYN portscan against the  machine
    is issued and port  1723 gets hit -  you can also easily  check it
    with  'telnet  my.machines.ip  1723'  or  your  favourite   packet
    injector.

    Johnny Cyberpunk noticed that problem first in december 2000  with
    bintec x1200  routers.   Bios 5.1  has the  problem to  reboot the
    router after nmap  scan.  New  versions halt the  complete system.
    to get it work again, you have to switch the power button on/off.

SOLUTION

    Systems with the following properties are *NOT* affected:
    - VPN license activated
    - port 1723/tcp blocked for all interfaces

    BinTec recommends that  you block all  unused ports and  update to
    the latest system software.  In any case, port 1723/tcp should  be
    closed for all interfaces on systems without VPN license.  You can
    block the ports either by using the access lists of the router  or
    by activating NAT.

    This problem will be solved with the next system software release.