Bugtraq mailing list archives

Re: KSR[T] Advisories #012: Hybrid Network's Cable Modems


From: jshaw () INSYNC NET (Joe Shaw)
Date: Wed, 13 Oct 1999 22:35:07 -0500


It may affect all of the Hybrid product line, but it does not affect all
companies using Hybrid cablemodems.  The company I currently work for,
AccelerNet.net, uses a hybrid (no pun intended) Hybrid cablemodem system
over UHF channel 43 in Houston, TX to do wireless T1 or greater service in
the city of Houston and surrounding areas.

The nature of our system, without going into too much technical detail,
requires a wired return path for all packets from the customer since two
way UHF is currently impossible or at least difficult with the current FCC
regulations.  This wired return path is usually an ISDN router or an
analog modem plugged directly into the cablemodem.  So, we block all UDP
packets on port 7777 at our exterior gateways, at the remote access
devices that the wired connections come in to, and on all hardwired
point-to-point connections to minimize the danger as much as possible of
someone using HSMP to re-configure the cablemodems.  We're now limited to
machines/people on the local network of the cablemodem, and when the
cablemodem is configured in house before it's shipped out.  So, we've
tried to make the setup as secure as possible until Hybrid allows you to
turn off HSMP/remote configuration.

If I recall correctly, a message hit the Hybrid-users lists run by Hybrid
about a program called Hybridcon back in August of this year discussing
this as a problem.

Also, while you can log and block the traffic at your firewalls, routers,
intelligent switches, etc., the Hybrid modems have no logging facilities
of their own that we've been able to pry from Hybrid or find on our own
and are fairly unintelligent devices.  I'm using the N-201 Multi-user,
Hybrid NOS version 70734.

--
Joseph W. Shaw - jshaw () insync net
Free UNIX advocate - "I hack, therefore I am."

On Tue, 12 Oct 1999, Jon Paul Nollmann wrote:

At this point, I'd assume that the exploit applies to all of Hybrid's
product line

My provider spoke with Hybrid this morning, and apparently Hybrid has
a patch for the problem that fixes it in some unspecified way.  According
to my provider, Hybrid merely said that "only people you allow will be
able to configure the modems" but that they made clear that remote
configuration was still enabled.  Maybe they'll use a password (easily
sniffable).  I think it's more likely at this point that Hybrid will
merely check the source address (!) of the packets, and compare those
addresses with a table configured by the provider.

I'd like to believe that Hybrid will fix this in a sane way, but since
they're remaining hush-hush about the fix, I think the chances of that
are very slim.

--
Jon Paul Nollmann ne' Darren Senn                      sinster () balltech net
Unsolicited commercial email will be archived at $1/byte/day.
Dis.Org's propensity for casual violence is little different from that of
any street gang.                                             Carolyn Meinel


--
Jon Paul Nollmann ne' Darren Senn                      sinster () balltech net
Unsolicited commercial email will be archived at $1/byte/day.
"Tis better to remain silent and be thought a fool, than to speak up and
remove all doubt."                                        Benjamin Franklin
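
Added example (not part of the original messages, and not code from Hybrid or either poster): since the modems keep no logs, one way to audit the UDP/7777 filtering described above is from the firewall and access-device logs. The log lines, device names, log prefixes and the 10.20.0.0/24 modem segment are constructed assumptions; the line layout follows the Linux netfilter LOG format.

```python
import ipaddress
import re
from collections import Counter

HSMP_PORT = 7777  # UDP port the post says is filtered to stop HSMP reconfiguration
# Assumption: address range of the modems' local customer segment.
MODEM_LOCAL_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines; "HSMP-DROP", "FWD-ACCEPT" and "SEG-SEEN" are
# hypothetical --log-prefix values, and gw1/ras2/cust-sw1 are made-up devices.
SAMPLE_LOG = """\
Oct 13 22:01:10 gw1 kernel: HSMP-DROP IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.20.0.15 LEN=60 PROTO=UDP SPT=1025 DPT=7777 LEN=40
Oct 13 22:01:12 ras2 kernel: FWD-ACCEPT IN=ppp3 OUT=eth1 SRC=198.51.100.44 DST=10.20.0.15 LEN=60 PROTO=UDP SPT=4000 DPT=7777 LEN=40
Oct 13 22:02:30 cust-sw1 kernel: SEG-SEEN IN=eth1 OUT=eth1 SRC=10.20.0.77 DST=10.20.0.15 LEN=60 PROTO=UDP SPT=3001 DPT=7777 LEN=40
Oct 13 22:03:00 gw1 kernel: FWD-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.20.0.15 LEN=52 PROTO=TCP SPT=1026 DPT=80
Oct 13 22:03:05 gw1 kernel: HSMP-DROP IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.20.0.16 LEN=60 PROTO=UDP SPT=1027 DPT=7777 LEN=40
"""

LINE_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+kernel:\s+(?P<prefix>\S+)\s+.*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)\s+SPT=\d+\s+DPT=(?P<dpt>\d+)"
)

def classify_hsmp(log_text):
    """Return (device, src, dst, verdict) for every logged UDP/7777 packet."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "UDP" or int(m["dpt"]) != HSMP_PORT:
            continue  # unparsable line, or not HSMP traffic
        src = ipaddress.ip_address(m["src"])
        if "DROP" in m["prefix"]:
            verdict = "blocked"        # a filter did its job
        elif any(src in net for net in MODEM_LOCAL_NETS):
            verdict = "local-segment"  # residual exposure the filters cannot cover
        else:
            verdict = "filter-gap"     # outside source was passed toward a modem
        findings.append((m["host"], m["src"], m["dst"], verdict))
    return findings

def summarize(findings):
    """Count findings per verdict."""
    return Counter(verdict for *_, verdict in findings)

if __name__ == "__main__":
    for finding in classify_hsmp(SAMPLE_LOG):
        print(*finding)
    print(dict(summarize(classify_hsmp(SAMPLE_LOG))))
```

Because UDP source addresses can be forged, the local-segment verdict is only meaningful when the logging device actually sits on that segment.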
