COMMAND

    Netopia R9100

SYSTEMS AFFECTED

    Netopia R9100 router

PROBLEM

    Stephen Friedl found following.  The Netopia R9100 permits a  user
    not authorized  with a  special security  password to  neverthless
    modify the SNMP community strings, including enabling SNMP  access
    that should be disabled.

    The  Netopia  R9100  is  an  Ethernet-to-Ethernet  router intended
    mainly for the  DSL and cable  modem markets, and  it supports NAT
    and various kinds of tunneling.  It is managed with telnet,  HTTP,
    and  with  SNMP  from  either  the  inside or the outside Ethernet
    interfaces.  Product information on this device can be found at:

        http://www.netopia.com/equipment/routers/r9100/

    One  of  the  many  setup  screens  permits  the  setting  of SNMP
    community  names,  both  RO  and  RW,  and  setting the entries to
    blanks  effectively  disables  SNMP  access.   The  security setup
    screen (which requires a  separate password from that  used during
    login) can  be configured  to restrict  access to  any of the SNMP
    screens.

    The  R9100  has  a  command-line  mode  that  is reached by typing
    control-N  after  the  user  has  passed  the  initial login test.
    At the "#" prompt one can  then do most management of the  device.
    This  includes  the  setting  of  SNMP  community strings in spite
    of the limitation imposed by the administrator:

        # set snmp community RO wookie

    or

        # set snmp community RW wookie

    The exploit can  only be attempted  by those with  existing access
    login to the device, and  it doesn't seem terribly common  to have
    users allowed to manage nearly everything except the SNMP strings.

    Versions tested: v4.6.2 (the  latest) is the only  version tested.
    Older versions  probably vulnerable  also.   Other similar Netopia
    products  possibly  vulnerable  also.   Same  results with Netopia
    R3100-T router at  v4.6 with the  same results.   Same also on  an
    R-7100 running <4.6.3 firmware.

SOLUTION

    Deny access to users who can't be trusted.  The new behavior  will
    be when  SNMP access  is disabled  in the  Security screen, and an
    attempt is made  to configure the  SNMP read-write string  via the
    Command Line and Telnet, the  user will get an error:  -400 Access
    Denied.   This  fix  will  be  in  the  next  release of firmware,
    version 4.7 (approx. end of May).

    Also, this has been fixed in version 4.6.3.  It was put up on  the
    website.  Follow the links from

        http://www.netopia.com/equipment/purchase/fmw_update.html