Security Advisory: Netopia R9100 DSL router By: Stephen Friedl (steve@unixwiz.net) Date: 8 May 2000 Short summary: The Netopia R9100 permits a user not authorized with a special security password to neverthless modify the SNMP community strings, including enabling SNMP access that should be disabled. Device Summary: The Netopia R9100 is an Ethernet-to-Ethernet router intended mainly for the DSL and cable modem markets, and it supports NAT and various kinds of tunneling. It is managed with telnet, HTTP, and with SNMP from either the inside or the outside Ethernet interfaces. Product information on this device can be found at: http://www.netopia.com/equipment/routers/r9100/ One of the many setup screens permits the setting of SNMP community names, both RO and RW, and setting the entries to blanks effectively disables SNMP access. The security setup screen (which requires a separate password from that used during login) can be configured to restrict access to any of the SNMP screens. Vulnerability: The R9100 has a command-line mode that is reached by typing control-N after the user has passed the initial login test. At the "#" prompt one can then do most management of the device. This includes the setting of SNMP community strings in spite of the limitation imposed by the administrator: # set snmp community RO wookie or # set snmp community RW wookie Impact: Relatively low. The exploit can only be attempted by those with existing access login to the device, and it doesn't seem terribly common to have users allowed to manage nearly everything except the SNMP strings. Workaround: Deny access to users who can't be trusted. Versions Tested: v4.6.2 (the latest) is the only version tested. Older versions probably vulnerable also. Other similar Netopia products possibly vulnerable also Response from Netopia: The new behavior will be when SNMP access is disabled in the Security screen, and an attempt is made to configure the SNMP read-write string via the Command Line and Telnet, the user will get an error: -400 Access Denied. This fix will be in the next release of firmware, version 4.7 (approx. end of May) Steve --- Stephen J Friedl|Software Consultant|Tustin, CA| +1 714 544-6561 3B2-kind-of-guy |I speak for me only| KA8CMY |steve@unixwiz.net