Inteno router CWMP Certificate Validation Vulnerability
=======================================================

The latest version of this advisory is available at:
https://sintonen.fi/advisories/inteno-cwmp-certificate-validation-vulnerability.txt


Overview
--------

Multiple Inteno router models do not validate the Auto Configuration Server
(ACS) certificate (CWE-295). The vulnerability can be exploited to gain full
administrative access to the device.


Description
-----------

Several Inteno routers do not validate the Auto Configuration Server (ACS)
certificate (CWE-295). An attacker in a privileged network position can
Man-in-the-Middle the connection between the device and the ACS. If the ACS
has been preconfigured by the ISP (this is usually the case), no user action
is required for exploitation.


Impact
------

An attacker who can intercept the network traffic between the affected
device (CPE) and the Auto Configuration Server (ACS) gains full
administrative access to the device. The attacker can perform arbitrary
administrative operations on the device, such as flashing the device
firmware.


Details
-------

From Wikipedia, the free encyclopedia:

"
TR-069 (Technical Report 069) is a technical specification that defines an
application layer protocol for remote management of end-user devices. It was
published by the Broadband Forum and entitled CPE WAN Management Protocol
(CWMP). As a bidirectional SOAP/HTTP-based protocol, it provides the
communication between customer-premises equipment (CPE) and Auto
Configuration Servers (ACS). It includes both a safe auto configuration and
the control of other CPE management functions within an integrated
framework. The protocol addresses the growing number of different Internet
access devices such as modems, routers, gateways, as well as end-user
devices which connect to the Internet, such as set-top boxes, and
VoIP-phones.

The TR-069 standard was developed for automatic configuration and
management of these devices by Auto Configuration Servers (ACS).
"

It is imperative that the link between the customer-premises equipment (CPE)
and the Auto Configuration Server (ACS) is secure. Typically, this is
achieved by utilizing transport layer security (HTTPS). If the connection
between the CPE and ACS is compromised, the attacker gains full
administrative access to the device. The attacker can, for example, flash
the device firmware.


Vulnerability
-------------

The Inteno CWMP implementation (/bin/tr69c) fails to verify the validity of
the server certificate. The OpenSSL default verification mode,
SSL_VERIFY_NONE, is used, meaning that any certificate is accepted (even a
self-signed one). The implementation also fails to check that the
certificate Common Name (CN) or Subject Alternative Names (SAN) match the
host being connected to. As a result, an attacker in a privileged network
position can Man-in-the-Middle the ACS connection and gain full
administrative access to the target devices.


Vulnerable devices
------------------

The vulnerability was discovered on an Inteno EG500 device, firmware version
4.10DNT0270. It is likely that all models that share the same CWMP
implementation are vulnerable. By sampling a small set of Inteno firmware
images, the following models were also found likely to be vulnerable:

  FG101R2, firmware 3.12DNT21
  DG201-R1, firmware 4.06DNT0936

A full list of affected devices is not available due to the vendor's
unwillingness to co-operate (see timeline for details).


Recommendations to vendor
-------------------------

- Validate the certificate chain by utilizing SSL_CTX_set_verify with mode
  SSL_VERIFY_PEER (this also requires provisioning a trust store on the
  device, such as the operator's CA certificate, or verification will
  fail for every ACS). Create a verify_callback hook that validates the
  certificate Common Name (CN) or Subject Alternative Names (SAN) against
  the intended target host name, i.e. the host part of the configured ACS
  URL.

- Update openssl to openssl-0.9.8zh, or preferably 1.0.2h.


End user mitigation
-------------------

1. Disable the TR-069 management in configuration:

   - Log in to the administrative interface with your credentials
   - Select "Management"
   - Select "TR-069 Client"
   - Select "Inform" "Disable"
   - Set "ACS URL" to some non-existing value such as: nonsense.invalid
   - Set "Connection Request Password" to some long, random value
   - Select "Apply/Save"

   or

2. If your ISP requires functioning TR-069 CWMP and no fix is available from
   the ISP, replace the device with a device from another vendor.


Message from Vendor to Operator/ISPs
------------------------------------

"If customer (the operator/service provider) have questions they can contact
Inteno."


Credits
-------

This vulnerability was discovered by Harry Sintonen / F-Secure Corporation.


Timeline
--------

18.01.2016  discovered the vulnerability
19.01.2016  wrote a preliminary advisory
19.01.2016  contacted Inteno CTO and support regarding secure communication
19.01.2016  sent the preliminary advisory to vendor contact
20.01.2016  sent the preliminary advisory to CERT-FI
16.02.2016  requested a status update from Inteno
01.03.2016  again requested a status update from Inteno
01.03.2016  received a response from Inteno which included a confused and
            misguided response from Broadcom. Inteno representative then
            went on to communicate that:
            "Operator that sells the CPE to end users or run their services
            over it should request software update from Inteno. Inteno do
            not do end user sales on CPE, we only sell through operators so
            such software features are directed through operators requests."
02.03.2016  sent a request to Inteno to reconsider fixing this issue
            pre-emptively for their customers (operators and ISPs).
            Underlined the importance of the matter (end users are at
            risk). CC'd the response to CERT-FI
08.08.2016  notified Inteno about the impending disclosure
02.09.2016  public disclosure
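The fix described under "Recommendations to vendor", as an added example written for this page: it is not Inteno's tr69c code and was not provided by the vendor or by Broadcom. The function names (acs_name_match, acs_cert_names_match, acs_verify_cb, acs_ctx_new), the HAVE_OPENSSL build switch and the host names such as acs.example.net are this example's own assumptions. The name matcher and the SAN-before-CN policy compile and run stand-alone with only the C standard library; the verify_callback wiring uses OpenSSL calls that exist in 0.9.8zh, 1.0.2h and 1.1.x and is compiled only when libssl is present.

```c
/* acs_name_check.c: ACS server-name validation for a CWMP client (illustration for this advisory).
 * The matcher builds stand-alone; the OpenSSL wiring builds with:
 *   cc -DHAVE_OPENSSL acs_name_check.c -lssl -lcrypto */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* DNS names are case-insensitive. */
static int str_ieq(const char *a, const char *b)
{
    size_t n = strlen(a);
    if (n != strlen(b))
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Match one dNSName/CN value against the host taken from the ACS URL (RFC 6125 rules):
 * "*" is accepted only as the whole left-most label with at least two labels after it,
 * and it never matches the bare domain or more than one label. 1 = match, 0 = no match. */
int acs_name_match(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return 0;
    if (pattern[0] != '*')
        return str_ieq(pattern, host);
    const char *hdot = strchr(host, '.');
    if (pattern[1] != '.' || !strchr(pattern + 2, '.') || !hdot || hdot == host)
        return 0;
    return str_ieq(pattern + 2, hdot + 1);   /* everything after the wildcard label must match */
}

/* Certificate-level policy: dNSName SANs are authoritative; the CN counts only if no dNSName exists. */
int acs_cert_names_match(const char *const *sans, size_t nsans, const char *cn, const char *host)
{
    for (size_t i = 0; i < nsans; i++)
        if (acs_name_match(sans[i], host))
            return 1;
    return nsans == 0 && cn && acs_name_match(cn, host);
}

#ifdef HAVE_OPENSSL
#include <openssl/ssl.h>
#include <openssl/x509v3.h>
#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define ASN1_STRING_get0_data ASN1_STRING_data   /* pre-1.1.0 name (0.9.8zh / 1.0.2h) */
#endif

static int acs_host_idx = -1;   /* SSL ex_data slot holding the expected ACS host name */

/* Copy an ASN1 string out as a C string; reject embedded NULs ("acs.example.net\0.evil" trick). */
static const char *asn1_cstr(ASN1_STRING *s, char *buf, size_t buflen)
{
    int len = ASN1_STRING_length(s);
    if (len < 0 || (size_t)len >= buflen)
        return NULL;
    memcpy(buf, ASN1_STRING_get0_data(s), (size_t)len);
    buf[len] = '\0';
    return strlen(buf) == (size_t)len ? buf : NULL;
}

/* verify_callback: OpenSSL has already checked the chain (preverify_ok); at depth 0 enforce the name. */
static int acs_verify_cb(int preverify_ok, X509_STORE_CTX *ctx)
{
    if (!preverify_ok || X509_STORE_CTX_get_error_depth(ctx) != 0)
        return preverify_ok;
    SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
    const char *host = SSL_get_ex_data(ssl, acs_host_idx);
    X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
    GENERAL_NAMES *gens = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
    char buf[256];
    int ndns = 0, ok = 0;
    for (int i = 0; gens && i < sk_GENERAL_NAME_num(gens) && !ok; i++) {
        GENERAL_NAME *g = sk_GENERAL_NAME_value(gens, i);
        if (g->type != GEN_DNS)
            continue;
        ndns++;
        const char *name = asn1_cstr(g->d.dNSName, buf, sizeof buf);
        ok = name != NULL && acs_name_match(name, host);
    }
    GENERAL_NAMES_free(gens);               /* NULL-safe */
    if (ndns > 0)
        return ok;
    int cnlen = X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName, buf, sizeof buf);
    return cnlen > 0 && strlen(buf) == (size_t)cnlen && acs_name_match(buf, host);
}

/* The fix: SSL_VERIFY_PEER against a provisioned trust store, plus the name check above. */
SSL_CTX *acs_ctx_new(const char *ca_file)
{
    SSL_CTX *ctx = SSL_CTX_new(SSLv23_client_method());
    if (!ctx || SSL_CTX_load_verify_locations(ctx, ca_file, NULL) != 1) {
        SSL_CTX_free(ctx);                  /* NULL-safe */
        return NULL;
    }
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, acs_verify_cb);
    if (acs_host_idx < 0)
        acs_host_idx = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
    return ctx;
}
/* Per connection: ssl = SSL_new(ctx); SSL_set_ex_data(ssl, acs_host_idx, (void *)acs_host); */
#endif
```

The expected host must come from the configured ACS URL, never from the certificate itself, which is why it is parked on the SSL object with SSL_set_ex_data for the callback to read. The callback keeps OpenSSL's own verdict on chain, expiry and depth (preverify_ok) and only adds the identity check at the leaf; a failed chain is never "rescued" by a matching name. The hand-written matcher is what a 0.9.8-era client needs; on OpenSSL 1.0.2 and later the same check is available as X509_check_host(), and 1.1.0 adds SSL_set1_host(), which make the callback body a one-liner.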