Further problems with Arescom NetDSL-800 MSN Firmware version 5.4.x and up

[Justin Cervero <Scorpion_1169 () msn com>]

BACKGROUND

The Arescom NetDSL-800 router is the current choice for MSN’s DSL service 
as well as several other large DSL providers.  Previous issues regarding a 
telnet DoS and an authentication vulnerability have been addressed through 
firmware updates.  The authentication vulnerability was solved by adding a 
username and password to prevent unauthorized access.

In the case of MSN, the modem/router is shipped with preconfigured 
settings, including a unique username and password that differs from the 
DSL account name and password. These are meant to be unknown to the user.  
The newest firmware (v5.5.11) also limits access to the configuration area 
to WAN traffic only.

THE PROBLEM

This issue pertains specifically to the latest version of the MSN 
provided/required firmware.  Each ISP provides a different version and 
others may or may not be affected.

Utilizing a packet sniffer and the NetDSL Remote Manager provided by 
Arescom, a remote user may obtain the modem’s username and password and 
gain access to the configuration menus.

THE VULNERABILITY

Given access to the username and password similar vulnerabilities that 
existed with a previously known issue again presents itself.  It is 
possible to completely disable the modem and prevent further access to the 
configuration menus, essentially making the modem completely 
inaccessible.  Further analyses of the packets generated during access and 
manipulation of the configuration could lead to an executable or script 
that could transmit configuration packets that would disable every modem 
it encountered.  If a malicious user were to disable a large enough number 
of the modems at once while also removing the ability to reactivate them, 
even an ISP with the resources of MSN would not be able to handle the 
volume of tech support calls and service requests that would be generated.

THE SOLUTION

The one known solution is not recommended due to the fact that while it 
will prevent a malicious user from accessing the configuration menus, it 
will also prevent an authorized user from accessing them as well.  The 
configuration menus are accessed through port 9833.  By forcing the modem 
to forward all 9833 requests to an unused local IP address access to the 
configuration screen can be removed.  However, due to the fact that the 
latest version of the firmware effectively ignores local requests to 9833, 
the user becomes completely locked out of the configuration menus.

Earlier firmware versions had an option that allowed local traffic to 
access the configuration.  It has been suggested that downgrading to the 
older versions of the firmware and then implementing the above solution 
would be the best compromise.  There are five previous versions of the 
firmware available.  Unfortunately, while the configuration menus provide 
a tool for upgrading the firmware, for unknown reasons the modem does not 
accept previous versions.

Long term solutions to be implemented in firmware should involve the 
removal of remote configuration access.  Allowing only local access would 
be much more secure while still allowing easy and robust configuration.


Submitted to the best of my ability,
Justin Cervero

A large amount of credit to JacobNero on the DSLReports.com forums for 
research and insight into this issue.