European customer-premises equipment (CPE) kit-maker Inteno has said it isn't going to patch a hole that has been sitting in some of its routers for the last nine months, saying it's not the firm's problem.
That's bad news if a European carrier, Inteno's key customers, dropped one of the problematic devices into your home.
The critical vulnerability, found by F-Secure's senior security consultant Harry Sintonen, allows anyone to get full admin privileges by staging a man-in-the-middle attack on certain types of Inteno routers. The attack is possible because the firmware doesn't validate the Auto Configuration Server (ACS) certificate.
"Inteno CPE WAN Management Protocol (CWMP) implementation (/bin/tr69c) fails to verify the server certificate validity. The default openssl verification method of SSL_VERIFY_NONE is used, meaning that any certificate is accepted (even a self-signed one)," Sintonen said in an advisory.
"The implementation also fails to check if the certificate Common Name (CN) or Subject Alternative Names (SAN) match the host being connected to. As a result, the attacker in a privileged network position can Man-in-the-Middle the ACS connection and gain full administrative access to the target devices."
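The two defects the advisory names (accept any certificate, never match CN/SAN against the ACS host) can be shown side by side in a client TLS configuration. The block below is an added example written for this article, not code from Inteno's tr69c; it uses Python's standard ssl module, whose verify_mode and check_hostname settings map onto the OpenSSL verification mode the advisory refers to, and the ACS hostname is a placeholder.

```python
"""Weak vs. hardened TLS client settings for a TR-069 ACS connection.

Added example, not Inteno's code: the advisory says tr69c runs with
OpenSSL's SSL_VERIFY_NONE and never checks that the certificate's CN/SAN
match the ACS host. The same two knobs exist in Python's stdlib ssl
module, so we build both configurations and audit them.
"""
import ssl
from typing import List, Optional

# Placeholder ACS hostname used only to illustrate the hostname check.
ACS_HOST = "acs.example.invalid"


def weak_acs_context() -> ssl.SSLContext:
    """Reproduce the flaw described in the advisory: any cert, any name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # no CN/SAN match against ACS_HOST
    ctx.verify_mode = ssl.CERT_NONE   # Python's equivalent of SSL_VERIFY_NONE
    return ctx


def hardened_acs_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Require a chain to a trusted CA and a CN/SAN match on the ACS host.

    create_default_context() sets CERT_REQUIRED and check_hostname=True;
    pass the operator's ACS CA bundle to pin trust to that CA only.
    """
    return ssl.create_default_context(cafile=ca_bundle)


def acs_socket(ctx: ssl.SSLContext, raw_sock) -> ssl.SSLSocket:
    """Wrap a connected TCP socket; server_hostname drives the CN/SAN check."""
    return ctx.wrap_socket(raw_sock, server_hostname=ACS_HOST)


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise about a CWMP client context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate not verified (SSL_VERIFY_NONE)")
    if not ctx.check_hostname:
        findings.append("no CN/SAN match against ACS hostname")
    return findings


if __name__ == "__main__":
    print("weak:    ", audit_context(weak_acs_context()))
    print("hardened:", audit_context(hardened_acs_context()))
```

With the weak context an on-path attacker's self-signed certificate for any name completes the handshake, which is exactly the position the advisory describes; the hardened context rejects it before any CWMP traffic is exchanged.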
Sintonen said the attack was verified on an Inteno EG500 router, which is designed for residential use, but that routers that use similar firmware, such as the FG101R2 and DG201-R1, are also likely to be vulnerable. Sadly he wasn't able to check that "due to the vendor's unwillingness to co-operate."
Inteno was informed about the flaw on January 19, a day after Sintonen found the vulnerability, and he informed his local CERT a day later. But the firm didn't acknowledge that warning until March and even then it seemed confused about the seriousness of the issue.
"Operator that sells the CPE to end users or run their services over it should request software update from Inteno," Sintonen recounts. "Inteno do not do end user sales on CPE, we only sell through operators so such software features are directed through operators requests."
Sintonen waited for months, then in August told the router maker that he was going to go public. After giving the firm another month – again with no response – he published the advisory.
It should be relatively easy for ISPs to protect against such attacks, but that's assuming they can be bothered to contact Inteno and force them to fix the issue. But there are things the end user can do.
If you have an affected router, disable TR-069 management in the configuration, set the ACS URL to a non-existent value, and then set the Connection Request Password to some long, random value. But if your ISP requires a functioning TR-069 CWMP, then the only protection is to junk the router and find a new one. ®