COMMAND

    DSL routers

SYSTEMS AFFECTED

    DSL routers

PROBLEM

    Andrew R. Siverly found the following (Kewlhair Security Advisory).
    SBC is currently deploying the Cayman-DSL router to its DSL
    customers (SBC Communications being the parent company of
    Southwestern Bell, Ameritech, Pacific Bell, Nevada Bell, Cellular
    One, and a few more).  With this deployment SBC is neglecting to
    set passwords on the router.  Kewlhair has found over 300 of these
    routers with no password set.

    Telco engineers often fail to set passwords on DSL modems
    installed at customer sites.  The vulnerability affects many
    different DSL modems.  The Cayman product is especially vulnerable
    because it defaults to having no password at all.  As the Telcos
    often do not educate the customers, their modems are left
    vulnerable to intrusion and denial of service events.

    An individual with malicious intent could easily scan for these
    devices on a DSL provider's network, connect to them, and disable
    them without significant effort.  In addition, an intruder could
    disable access to the device itself by installing a password
    (which only they would know).

    A significant vulnerability is that these devices can often be set
    with static routing tables, so packets could be sent through an
    environment where a malicious third party could monitor the
    traffic.  The demo:

        [ user@xxxx /user]# telnet xxx.xxx.xxx.xxx
        Trying xxx.xxx.xxx.xxx...
        Connected to xxx.xxx.xxx.xxx.
        Escape character is '^]'.

        Terminal shell v1.0
        Cayman-DSL Model 3220-H, DMT-ADSL (Alcatel) plus 4-port hub
        Running GatorSurf version 5.3.0 (build R2)
        ( completed login: administrator level)

        Cayman-DSLXXXXXX>

    Even worse case: someone writes a script that logs into every one
    of these routers, sets the passwords, then changes the IP or kills
    the interface so it no longer works properly, causing an SBC
    engineer to have to come to the home or place of business to fix
    the problem.

    Bret Piatt added the following.  He found he was able to access:

        http://router.ip.address/<protected url>

    without authenticating.  It seems some of the <protected url>
    pages don't check whether you are authenticated; the router just
    assumes you won't know the <protected url> path if you aren't, and
    that the only way to get there is through the menus, which do
    require authentication.
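
    The flaw described above, as an added example that is not code from
    the advisory or from Cayman: a page handler that checks the session
    only when drawing the menu, beside one that checks it before every
    dispatch.  All paths, names and the session token are constructed.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed page table and session token, for illustration only.
PAGES: Dict[str, str] = {
    "/": "menu",
    "/expert/passwords": "password settings",
    "/expert/routes": "static routing table",
}
PUBLIC_PATHS = {"/"}                      # everything else needs a login
VALID_SESSIONS = {"constructed-session-token"}

Response = Tuple[int, str]
Handler = Callable[[str, Optional[str]], Response]


def is_authenticated(session: Optional[str]) -> bool:
    return session is not None and session in VALID_SESSIONS


def render_menu(session: Optional[str]) -> str:
    # Links to protected pages are shown only after login.
    if not is_authenticated(session):
        return "menu: (log in to see more)"
    return "menu: " + ", ".join(sorted(p for p in PAGES if p not in PUBLIC_PATHS))


def handle_flawed(path: str, session: Optional[str]) -> Response:
    # Flaw: only the menu consults the session; the pages themselves do not.
    if path not in PAGES:
        return 404, "not found"
    if path == "/":
        return 200, render_menu(session)
    return 200, PAGES[path]


def handle_hardened(path: str, session: Optional[str]) -> Response:
    # One gate ahead of dispatch, deny by default; unknown paths also get 401
    # so an unauthenticated client cannot map which URLs exist.
    if path not in PUBLIC_PATHS and not is_authenticated(session):
        return 401, "authentication required"
    if path not in PAGES:
        return 404, "not found"
    return 200, render_menu(session) if path == "/" else PAGES[path]


def exposed_without_login(handler: Handler) -> List[str]:
    # Regression check: request every non-public page with no session.
    return sorted(p for p in PAGES
                  if p not in PUBLIC_PATHS and handler(p, None)[0] == 200)
```

    Running exposed_without_login() against each handler lists the pages
    that answer without a session; the hardened handler should list none.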

SOLUTION

    Mandate that the Telco  engineers change the default  passwords on
    the devices  at time  of install,  and provide  literature to  the
    consumer advising them of the risks of DSL (or cable)  connections
    to the Internet.

    Quick solution: set your password on your Cayman router:

        http://cayman.com/security.html#passwordprotect

    How to password protect the Cayman router?  Through the browser:

        1. Browse into the Cayman router.
        2. Click on the "Expert Mode" link.
        3. A second row of links will appear.
        4. Then select the "Passwords" link.

    Through a Telnet session:

        1. First establish a telnet session to the unit or connect
           serially to the console port at 9600 Baud.
        2. At the prompt, type "configure" (NOTE: all commands are
           typed without quotes) and enter.
        3. At this point you will be at the "top" prompt.  Then type
           "system" and enter.
        4. Now you will be at the "system" prompt.  Here you type
           "set password admin" and enter.
        5. You will then be prompted for the new password and then be
           prompted to repeat the password.  Once you have done this,
           you will be back at the system prompt.
        6. Here you will need to repeat the process, this time for the
           user password, by doing the following steps:
        7. Type "set password user" and enter.  Again you will then be
           prompted for the new password and then be prompted to repeat
           the password.  Once this is done, you will be at the
           "system" prompt again.  Here type "quit", and you will be
           prompted, "Save modified configuration data [y|n] ?"  Type
           "yes" and the router is now password protected.

    SBC has no plans to upgrade the end users to Cisco due to price.
    The Alcatel/Cayman is clearly cheaper.  However, Pactel is
    installing Cisco routers/DSL bridges, and the Cisco 14xx units that
    are currently deployed have telnet enabled on them.  The user name
    and password are all set to PASSWORD on them, unless the customer
    changes it.  Neither Pactel nor any other Bell (that is owned by
    SBC) is telling the customer about the password or how to change
    it.