Message-ID: <2088415061.23006.1446455822539.JavaMail.totemomail@ss002890.tauri.ch>
Date: Mon, 2 Nov 2015 09:17:00 +0000
From: <csirt@...sscom.com>
To: <fulldisclosure@...lists.org>, <bugtraq@...urityfocus.com>
Subject: [FD] CVE-2015-6498
###################################################################################
#
# SWISSCOM CSIRT ADVISORY - https://www.swisscom.ch/en/about/sustainability/digital-switzerland/security.html
#
##################################################################################
#
# CVE ID: CVE-2015-6498
# Product: Home Device Manager
# Vendor: Alcatel-Lucent
# Subject: Code vulnerability, remotely exploitable
# Finder: Dr. Ulrich Fiedler and his team at BFH-TI Biel/Bienne
# Coord: Philippe Cuany (csirt _at_ swisscom.com)
# Date: Nov 02nd 2015
#
##################################################################################
Description
-----------
A vulnerability has been discovered in the TR069 protocol that can potentially
affect all Automatic Configuration Servers (ACS). The issue has been fixed in
the Home Device Manager (HDM) product from Alcatel-Lucent with an anti-spoofing
filter. HDM allows service providers to remotely manage CPEs, such as
residential gateways, IP set-top boxes, and VoIP terminal adapters that comprise
a home networking environment.
Product
-------
Alcatel-Lucent Home Device Manager versions prior to 4.1.10 may be affected
unless filtering is in place (Alcatel-Lucent already provided such filtering as
a customer-specific extension) or other additional authorization checks have
been implemented.
Vulnerability
-------------
The vulnerability allows an attacker to perform impersonation attacks by
spoofing a CPE over the TR-069 (CWMP) protocol. An attacker could gain
unauthorized access to third-party SIP credentials for the spoofed device and
perform illegal activities (phone fraud). The vulnerability has been tested and
confirmed.
Remediation
-----------
Update to Home Device Manager Version 4.1.10 (or higher) or 4.2.2 (or higher)
and activate the anti-spoofing filters, in case there is not already a customer
specific filter or authorization check in place.
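The following is an added example, not code from this advisory, from Swisscom
or from Alcatel-Lucent HDM, illustrating the class of check the advisory calls
an anti-spoofing filter: the DeviceId a CPE claims in its CWMP Inform is
self-asserted, so an ACS must bind it to the credentials that authenticated the
session before handing out device-specific data such as SIP credentials. The
account names, OUI/serial values, binding table and Inform envelope below are
constructed for the example; a real ACS would read the binding from its device
inventory.

```python
"""Illustrative ACS-side anti-spoofing check for TR-069 (CWMP) Inform messages.

Added example, not code from the advisory or from Alcatel-Lucent HDM. The
binding table, account names and device identities are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Fields of the DeviceId structure that every CWMP Inform carries (TR-069).
DEVICE_ID_FIELDS = ("Manufacturer", "OUI", "ProductClass", "SerialNumber")


@dataclass(frozen=True)
class DeviceIdentity:
    oui: str
    serial: str


# Constructed binding table: the account that authenticated at the HTTP layer
# (e.g. a per-device Digest username) -> the single device it may speak for.
DEVICE_BINDINGS = {
    "cpe-000001": DeviceIdentity(oui="001122", serial="SN-000001"),
    "cpe-000002": DeviceIdentity(oui="001122", serial="SN-000002"),
}


def _local(tag: str) -> str:
    """Strip the XML namespace so lookups do not depend on the prefix used."""
    return tag.rsplit("}", 1)[-1]


def parse_device_id(inform_xml: str) -> DeviceIdentity:
    """Extract the DeviceId the CPE *claims* in its Inform.

    Nothing in the message itself proves this value; it is client-controlled.
    """
    root = ET.fromstring(inform_xml)
    device_id = next((e for e in root.iter() if _local(e.tag) == "DeviceId"), None)
    if device_id is None:
        raise ValueError("Inform has no DeviceId")
    fields = {_local(c.tag): (c.text or "").strip() for c in device_id}
    missing = [f for f in DEVICE_ID_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"DeviceId is missing {missing}")
    return DeviceIdentity(oui=fields["OUI"], serial=fields["SerialNumber"])


def device_for_session_unfiltered(inform_xml: str) -> DeviceIdentity:
    """Weak pattern: select the device record from the claimed DeviceId alone.

    Whatever identity the client asserts is the identity whose configuration
    (including SIP credentials) would be served.
    """
    return parse_device_id(inform_xml)


def inform_is_genuine(auth_user: Optional[str], inform_xml: str) -> bool:
    """Hardened pattern: accept the Inform only if the claimed DeviceId matches
    the device bound to the credentials that authenticated this HTTP session."""
    if auth_user is None:
        return False  # unauthenticated sessions never get device-specific data
    bound = DEVICE_BINDINGS.get(auth_user)
    if bound is None:
        return False  # credentials not bound to any device
    try:
        claimed = parse_device_id(inform_xml)
    except (ValueError, ET.ParseError):
        return False  # malformed or incomplete Inform
    return claimed == bound


def build_inform(oui: str, serial: str) -> str:
    """Constructed minimal cwmp:Inform envelope; only DeviceId matters here."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Body>
    <cwmp:Inform>
      <DeviceId>
        <Manufacturer>ExampleCo</Manufacturer>
        <OUI>{oui}</OUI>
        <ProductClass>Gateway</ProductClass>
        <SerialNumber>{serial}</SerialNumber>
      </DeviceId>
    </cwmp:Inform>
  </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    own = build_inform("001122", "SN-000001")
    other = build_inform("001122", "SN-000002")
    print("unfiltered serves:", device_for_session_unfiltered(other).serial)
    print("own device accepted:", inform_is_genuine("cpe-000001", own))
    print("mismatched DeviceId rejected:", not inform_is_genuine("cpe-000001", other))
```

The decisive design point is that `inform_is_genuine` never uses the claimed
DeviceId to look anything up; the session's authenticated account selects the
expected device, and the claim is only compared against it. Failing closed on
unknown accounts and malformed Informs keeps a parsing error from turning into
an accepted request.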
Acknowledgments
---------------
Dr. Ulrich Fiedler and his team at BFH-TI Biel/Bienne for the discovery and
notification about the vulnerability.
Milestones
----------
Jul 13th 2015 Details about the vulnerability are communicated to Swisscom
Jul 14th 2015 HDM anti-spoofing filter available
Aug 13th 2015 CVE ID requested at MITRE
Aug 18th 2015 CVE ID 2015-6498 assigned by MITRE
Nov 02nd 2015 Public Release of Advisory