BugTraq
Re: Ericsson HM220dp ADSL modem Insecure Web Administration Vulnerability
Feb 14 2003 08:27AM
John Jørgensen (john safe2day dk)
In-Reply-To: <5.1.1.5.0.20030213100935.02108210 (at) mail.varberg (dot) se [email concealed]>
> Not according to my contacts at Ericsson. The vulnerability is limited to
> one batch of 6000 modems delivered to the Italian market, which is bad
> enough! The entire 220 series was discontinued in 2001.
It may be that the 220 series was discontinued in 2001, but according to a
former press release Ericsson did in fact deliver more than 200.000 modems
(HM220dp and HM120dp) to Telecom Italia:
http://www.ericsson.com/about/publications/contact/arc/cont11_01/brief.shtml
Additionally, the hm220, in bridged mode though, has been distributed by a
telco in Denmark until recently (3 months ago).
However and as previously mentioned by Davide Del Vecchio, when operated
in "Bridged mode" which is the primary option for the traditional Telecom
operators, who have bought the lion's share of all units shipped, users are
not affected.
Further, the security issue is not possible to cause from the WAN side of
the modem and requires manipulation of user devices on the LAN side in
order to occur, as mentioned by Davide Del Vecchio.
As such the impact on end-user is narrowed down to a temporary disturbance
to their DSL service and it can easily be solved by doing a factory reset
of the modem, according to the process described in the manual.
> >Solution:
> >Ericsson has been contacted months ago but it's not still providing an
> >updated firmware version that could prevent the problem ignoring it.
As the vulnerability only affects operation in "Routed Mode", I can inform
that Ericsson will shortly develop a new firmware release for the
end-users operating the device in Routed mode and it goes without saying
that this new firmware version will eliminate the problem permanently for
any mode of operation.
Regards
John Joergensen
Safe2day.dk
Copyright 2010, SecurityFocus