Alcatel Speed Touch Pro ADSL Insecure Embedded TFTP Server Vulnerability

The Alcatel Speed Touch family of ADSL-Ethernet router/bridge products exhibit several serious security flaws.

Certain Alcatel ADSL-Ethernet bridge products feature an embedded TFTP server which can be used by remote users to make changes to configuration and firmware.

Normally, the TFTP service in such a device would not be accessible from the WAN.

In this case, however, the interface is available to both extranet users and attackers local to the copper loop on which the DSL connection is carried.

Since TFTP provides no support for user authentication, this leaves the device's admin interface and firmware upload feature completely open to any attacker.

Moreover, user-supplied firmware code transferred to the router/bridge is not checked for authenticity, and an attacker may exploit the open TFTP interface to install malicious code on the device.

No method is available for disabling the vulnerable TFTP service.

*** NOTE: Shortly after this advisory was published, the vendor, Alcatel, posted their response to the reported vulnerabilities in their modems.

In addition to providing general mitigating strategies designed to lessen the impact of these isses (such as firewall software and/or a dedicated firewall device or the Alcatel Speed Touch modem with Firewall capabilities), the vendor response indicates that only the Speed Touch Pro is vulnerable to remote changes to firmware code and configuration settings, and that this model can be made secure from such interference by the activation of an inbuilt security feature disabling remote access from the WAN/DSL interface. Therefore, while the discoverer's initial advisory states that the entire family of devices may be vulnerable, the vendor limits the scope of this vulnerability to a single, misconfigured model of the Speed Touch line.

This discussion will be updated regularly as further details and clarification emerge.


Privacy Statement
Copyright 2010, SecurityFocus