SecurityTracker.com
SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   Efficient Networks Router
Vendors:   Efficient Networks
(Vendor Describes Fixes) Re: Efficient Networks 5861 DSL Router Processing Bug Lets Remote Users Crash the Router
SecurityTracker Alert ID:  1005980
SecurityTracker URL:  http://securitytracker.com/id/1005980
CVE Reference:   CVE-2003-1250
Updated:  Jun 15 2008
Original Entry Date:  Jan 24 2003
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in the Efficient Networks 5861 DSL Router. A remote user can cause the router to crash and restart when the router is using a certain configuration.

It is reported that when the router is configured to use IP filtering to block incoming TCP SYN flags, a remote user can conduct a portscan on the WAN interface to cause the router to crash and restart.

The vendor has reportedly been notified.

Impact:   A remote user can cause the device to crash and restart.
Solution:   The vendor has described three solution alternatives to avoid the denial of service situation:

1. Remove the filter rule that specifically drops packets with the TCP SYN flag set.

2. Turn off console logging of dropped packets. Note: If you require logging to be on then you must increase the console baud rate.

3. Increase the console baud rate to 57600.

Each of these alternatives is described in detail in the Source Message.

Vendor URL:  www.efficient.com/ebz/5800.html
Cause:   Exception handling error, State error

Message History:   This archive entry is a follow-up to the message listed below.
Jan 10 2003 Efficient Networks 5861 DSL Router Processing Bug Lets Remote Users Crash the Router



 Source Message Contents

Subject:  5861 IP Filtering issues




Product:		Efficient Networks 5861 DSL Router
		http://www.efficient.com/ebz/5800.html
Tested version:	5.3.80 (Latest firmware)
Advisory date:	10/01/2003
Severity:		Moderate


Details

When using the built in IP filtering to block incoming TCP SYN flags, a
simple port scan to the WAN interface of the router will cause it to lock 
up, and eventually restart.

This has been tested on two different 5861 routers, both running the above 
firmware version.

Port scanners used were Nmap (Linux) and SuperScan (Windows).

Solution:


There are three possible solutions to this exploit.  Any one of these 
solutions can be implemented to avoid the exploit: 
1.	Remove the filter rule that specifically drops packets with the 
TCP SYN flag set. 
2.	Turn off console logging of dropped packets.
Note: If you require logging to be on then you must increase the console 
baud rate.  
3.	Increase the console baud rate to 57600. 

How to implement the above solutions:

Remove the filter rule that specifically drops packets with the TCP SYN 
flag set

This will not alter your security settings since the SYN flag will be 
caught by the global drop rule at the end of the script.
    remote ipfilter flush 0 input internet (flush zero).
Alternate command:
    remote ipfilter delete input drop -p tcp -tcp syn internet
substitute the correct name.  To determine what the remote profile name 
for the correct name.

Turn off console logging of dropped packets

Note: This is highly recommended if you are not actively monitoring your 
firewall activity.
    remote ipfilter watch off internet

Increase the console baud rate to 57600

If you are actively monitoring your firewall, you can leave the above 
filters and logging in place, and still avoid the exploit by increasing 
the baud rate of the console interface.  
Note: Remember that your terminal software setting must match this baud 
rate after making this change on the router.
1.	Cut the end off an old Ethernet cable.
2.	Strip the wires back and twist all of the bare wires of the cable 
together.
3.	Plug the unmodified cable end into the console port on the router.
4.	Power cycle the router.
5.	Wait about one minute for the router to complete its boot-up.
6.	Remove the modified cable end, and connect a standard Ethernet 
straight cable to the console port. Connect the other end of the Ethernet 
cable to the RJ45 to DB9 adapter provided with your router. Connect the 
adapter to the DB9 serial interface on your computer.
7.	Open up HyperTerminal or any other terminal emulator program, and 
configure it as follows.
Direct to com1 (or com2, or com3, or com4 depending on which one your 
computer recognizes)



8.	The boot menu looks like this:
1. Retry start-up
2. Boot from Flash memory
3. Boot from network
4. Boot from specific file
5. Configure boot system
6. Set date and time
7. Set console baud rate
8. Start extended diagnostics
9. Reboot

Enter selection: 7
Desired baud rate [9600]: 57600
Do you want the change to 57600 to take effect now ? [Y] y


- Select option 7
- Enter the desired baud rate of 57600
- Indicate Yes for the change to take effect immediately
your terminal emulator software to the same setting before you try to 
connect again.

Additional Comments:
The default firewall scripts that are contained on the router can be 
edited to meet your specific security needs.  It is strongly recommended 
that you familiarize yourself with the specifics of the level of security 
that you have chosen from the Web interface.
To edit the default script files:
Example: http://192.168.254.254/tools/editor.html
You can now edit the contents of the file in the editor window.
# remote ipfilter append input drop -p tcp -tcp syn internet 
This will remove the filter rule the next time that the minimum firewall 
setting is chosen from the firewall settings page.
the next time that the minimum firewall setting is chosen from the 
firewall settings page.
edits.
6.	Repeat the above steps for all three default filter files:
- minsec.txt
- medsec.txt
- maxsec.txt
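
The script edit described above (commenting out the SYN-specific drop rule in each default filter file), as an added example that is not part of the vendor's message or the router's firmware. It refuses the edit unless a catch-all drop still follows the rule; the function name `disable_syn_drop`, the catch-all rule syntax, first-match rule ordering and the sample script are assumptions made for illustration.

```python
import re

# Rule form quoted in the message:
#   remote ipfilter append input drop -p tcp -tcp syn <profile>
SYN_DROP = re.compile(r"^\s*remote\s+ipfilter\s+append\s+input\s+drop\s+"
                      r"-p\s+tcp\s+-tcp\s+syn\s+(\S+)\s*$", re.I)
# ASSUMPTION: the "global drop rule" is an input drop with no match options.
CATCH_ALL = re.compile(
    r"^\s*remote\s+ipfilter\s+append\s+input\s+drop\s+(\S+)\s*$", re.I)
# ASSUMPTION: rules are evaluated in order and the first match wins.
ACCEPT = re.compile(r"^\s*remote\s+ipfilter\s+append\s+input\s+accept\b", re.I)


def hits(pattern, lines, profile):
    """0-based indexes of lines matching pattern for the given profile."""
    out = []
    for i, line in enumerate(lines):
        m = pattern.match(line)
        if m and m.group(1).lower() == profile.lower():
            out.append(i)
    return out


def disable_syn_drop(script_text, profile="internet"):
    """Comment out SYN-specific drop rules; return (new_text, changed_lines).

    Raises ValueError when the edit could let SYN packets through.
    """
    lines = script_text.splitlines()
    syn = hits(SYN_DROP, lines, profile)
    if not syn:                      # nothing to do (or already commented out)
        return script_text, []
    catch = hits(CATCH_ALL, lines, profile)
    if not catch or catch[-1] < syn[-1]:
        raise ValueError("no catch-all input drop after the SYN rule")
    if any(ACCEPT.match(l) for l in lines[syn[0]:catch[-1]]):
        raise ValueError("accept rule between SYN drop and catch-all drop")
    for i in syn:
        lines[i] = "# " + lines[i].lstrip()
    return "\n".join(lines) + "\n", [i + 1 for i in syn]


# Constructed sample, not the contents of the router's real minsec.txt.
SAMPLE = (
    "remote ipfilter append input drop -p tcp -tcp syn internet\n"
    "remote ipfilter append input drop internet\n"
)

if __name__ == "__main__":
    text, changed = disable_syn_drop(SAMPLE)
    print(changed)
    print(text, end="")
```

Running it a second time on its own output changes nothing, so it can be applied to minsec.txt, medsec.txt and maxsec.txt without tracking which files were already edited.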


 
 



Copyright 2022, SecurityGlobal.net LLC