Bugtraq mailing list archives
Re: Ericsson HM220dp ADSL modem Insecure Web Administration Vulnerability
From: Fredrik Björk <Fredrik.Bjork.List () varbergenergi se>
Date: Thu, 13 Feb 2003 10:17:28 +0100
At 08:37 2003-02-11 +0100, you wrote:
Ericsson HM220dp ADSL modem Insecure Web Administration Vulnerability Discussion: Ericsson HM220dp is a small office enviroment ADSL modem, distributed by many Carriers such as Telecom Italia to thousand users. It may be administered remotely through a number of mechanisms, including a web based interface. Unfortunately, the web interface does not require authentication and does not give the possibility to require it.Unauthorized users accessing the web pages may perform a variety of malicious actions. By the way Ericsson forced the modem in "Bridged" mode with a modified firmware, so the web administration page could not be accessed from Internet but "just" from any user of the lan. It is possible that other products of the same series share this vulnerabilty.
Not according to my contacts at Ericsson. The vulnerability is limited to one batch of 6000 modems delivered to the Italian market, which is bad enough! The entire 220 series was discontinued in 2001.
Solution:Ericsson has been contacted months ago but it's not still providing an updated firmware version that could prevent the problem ignoring it.
If Ericsson is completely ignoring this issue, it is not good! However, it seems that they have provided an upgrade to limit unauthenticated access to the LAN side of the modem, which could be considered an acceptable solution.
/Fredrik
Current thread:
- Ericsson HM220dp ADSL modem Insecure Web Administration Vulnerability Davide Del Vecchio (Feb 11)
- Re: Ericsson HM220dp ADSL modem Insecure Web Administration Vulnerability Fredrik Björk (Feb 13)