COMMAND

    CableRouters

SYSTEMS AFFECTED

    Motorola CableRouters

PROBLEM

    'January' found the following security hole in Motorola CableRouters
    that allows administrative access. Motorola produces cable devices
    that cable companies use to provide Internet access to subscribers.
    The customer equipment is a CableModem, a white box with a cable
    line in one side and an ethernet line out the other. The equipment
    used in the cable company's facility (headend) is called a
    CableRouter. It connects the subscribers on the hybrid fiber coax
    (HFC) cable plant to the Internet via a Fast Ethernet, FDDI, or ATM
    network. The CableRouter can be configured via Telnet/FTP and via
    SNMP.

    Under normal use, the CableRouter can be configured via Telnet/FTP
    from a list of three "trusted" hosts, or Telnet/FTP may be disabled
    altogether when it is deemed unnecessary (for example, because the
    cable company does out-of-band management on another interface).
    However, a serious vulnerability has been identified that allows
    ANY host to connect, regardless of whether Telnet/FTP is disabled
    or not.

    This vulnerability exists in all known releases of the CableRouter's
    software. The CableRouter leaves a telnet listener open on TCP port
    1024. This port is always open, and it does not obey the access
    list of "trusted" IPs. Furthermore, the CableRouter performs
    absolutely NO logging of connections to it: you can connect and
    never be seen.

    If you are a CableModem subscriber, you cannot connect directly to
    the CableRouter that serves you, but you can from the outside
    (Internet) side. For example:

        $ telnet xxx.xxx.xxx.xxx 23 (try connecting on the normal telnet port)
        Trying xxx.xxx.xxx.xxx...
        telnet: Unable to connect to remote host: Connection refused
        $ telnet xxx.xxx.xxx.xxx 1024 (try connecting to the vulnerable port)
        Trying xxx.xxx.xxx.xxx...
        Connected to xxx.xxx.xxx.xxx.
        Escape character is '^]'.
        (press enter)
        Login:
        Password:
        Invalid name.

    On Motorola CableRouters, the default login is 'cablecom' (without
    the quotes) and the default password is 'router'. Many cable
    companies never change these, assuming that only the trusted IPs
    can connect. Furthermore, Motorola has announced that there is a
    memory leak in the telnet process of the CableRouter: if you telnet
    to it enough times, the router will eventually run out of memory
    and crash.

SOLUTION

    There is no known fix for this other than to filter TCP port 1024
    to the CableRouter on the core/border router in front of it. To
    compound the problem, Motorola is well aware of this vulnerability
    but does not inform its customers, considering the issue "too"
    sensitive. Its official statement to customers has been that there
    are no undocumented issues in the latest release of the software.
    As a result, many cable companies run vulnerable systems supporting
    thousands of subscribers.
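    The check below is an added example, not part of the original
    advisory and not Motorola's code. It automates the session shown
    under PROBLEM (port 23 refused, port 1024 answering a newline with
    "Login:") and is the test a cable operator would run from an
    outside host before and after adding the port 1024 filter described
    above. It assumes only what the transcript shows; the simulated
    device at the bottom is a constructed stand-in for running the
    probe offline, not a model of the real CableRouter beyond that
    exchange.

```python
# Added example: probe a host for the open telnet listener on TCP/1024
# described in the advisory.  Not from the advisory or from Motorola.
import socket
import threading

IAC, SB, SE = 255, 250, 240        # telnet protocol bytes (RFC 854)
PROBE_TIMEOUT = 5.0


def strip_telnet_iac(data):
    """Drop telnet option negotiation (IAC sequences) so only the
    printable banner remains; harmless if the peer never negotiates."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                   # truncated IAC at end of buffer
        elif data[i + 1] == IAC:
            out.append(IAC)         # escaped 0xFF data byte
            i += 2
        elif data[i + 1] == SB:     # subnegotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif 251 <= data[i + 1] <= 254:
            i += 3                  # WILL/WONT/DO/DONT + option byte
        else:
            i += 2                  # any other two-byte command
    return bytes(out)


def probe_port(host, port, timeout=PROBE_TIMEOUT):
    """Connect, send CRLF (the "press enter" in the transcript) and
    report whether the port is open and whether a login prompt came
    back."""
    result = {"host": host, "port": port, "open": False,
              "banner": "", "login_prompt": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            s.settimeout(timeout)
            s.sendall(b"\r\n")
            data = b""
            while b"login:" not in data.lower():
                try:
                    chunk = s.recv(1024)
                except socket.timeout:
                    break           # open, but nothing prompt-like
                if not chunk:
                    break           # peer closed the connection
                data += chunk
            result["banner"] = strip_telnet_iac(data).decode("ascii", "replace")
            result["login_prompt"] = "login:" in result["banner"].lower()
    except OSError:
        pass                        # refused, filtered or unreachable
    return result


def assess(host, telnet_port=23, hidden_port=1024):
    """Compare the normal telnet port with TCP/1024.  A login prompt on
    1024 means the undocumented listener is reachable from this host,
    whatever port 23 says."""
    normal, hidden = probe_port(host, telnet_port), probe_port(host, hidden_port)
    return {"telnet": normal, "port1024": hidden,
            "exposed": hidden["login_prompt"]}


def start_simulated_cablerouter():
    """Constructed stand-in for offline testing: listens on a loopback
    port, waits for a newline, then sends "Login: " as in the
    transcript.  Returns (port, stop_callable)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def handle(conn):
        with conn:
            conn.settimeout(5)
            buf = b""
            try:
                while b"\n" not in buf:
                    chunk = conn.recv(64)
                    if not chunk:
                        return
                    buf += chunk
                conn.sendall(b"\r\nLogin: ")
            except OSError:
                pass

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def demo_against_simulator():
    """Run the probe against the simulated device; returns the result."""
    port, stop = start_simulated_cablerouter()
    try:
        return probe_port("127.0.0.1", port, timeout=3)
    finally:
        stop()


if __name__ == "__main__":
    import sys
    print(assess(sys.argv[1]) if len(sys.argv) > 1 else demo_against_simulator())
```

    Run it as `python probe1024.py <headend-address>` from a host on the
    Internet side; "exposed": True means the listener is reachable
    regardless of the trusted-host list. After filtering TCP/1024 on the
    border router, the same run should show port 1024 as not open (the
    probe treats a refused, dropped or timed-out connection alike).
    Note that, as the advisory says, the CableRouter logs nothing, so
    the only record of the probe is on your side.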