Bugtraq mailing list archives
Ericsson HM220dp ADSL modem Insecure Web Administration Vulnerability
From: "Davide Del Vecchio" <dante () alighieri org>
Date: Tue, 11 Feb 2003 08:37:10 +0100
Ericsson HM220dp ADSL modem Insecure Web Administration Vulnerability
Discussion:
Ericsson HM220dp is a small office environment ADSL modem, distributed by many carriers such as Telecom Italia to thousands of users. It may be administered remotely through a number of mechanisms, including a web-based interface. Unfortunately, the web interface does not require authentication and does not offer the possibility of requiring it. Unauthorized users accessing the web pages may perform a variety of malicious actions. By the way, Ericsson forced the modem into "Bridged" mode with a modified firmware, so the web administration page could not be accessed from the Internet but "just" by any user of the LAN. It is possible that other products of the same series share this vulnerability.
Solution: Ericsson was contacted months ago but is still not providing an updated firmware version that could prevent the problem, ignoring it.
Credits:
Davide Del Vecchio would like to thank first of all his love Mara, and his coworkers of the security and monitoring staff @ Banca Mediolanum.
Disclaimer:
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Please send suggestions, updates, and comments to: Davide Del Vecchio - dante () alighieri org / security () phx it www.alighieri.org