Singtel's 5012NV-002 vulnerability

Type: Open port

Affects: Singtel's firmware on 2wire 5012NV-002

Version: (HW version: 2701-000808-004, SW version: 9.3.1.29)

(Unable to ascertain if other versions are affected as I do not have access to the firmware)

Severity: High

Ease of exploit: Low

Impact: Allows an attacker to gain access to the admin page of the router.

Technical details:

The affected routers expose the admin page on port 2046 of the WAN interface. Of all the routers I have seen, none have required any form of authentication. Targets can be found very quickly by scanning port 2046 of IP addresses which Singtel issues to its subscribers. A quick scan of 1275 addresses found approximately 10 hosts which were vulnerable. Compromising the router is as simple as pointing your browser to http://xxx.xxx.xxx.xxx:2046.

Potential exploits (in order of severity):

  1. Routing table poisoning - The attacker can add a static route to direct traffic from a certain subset of IP addresses to an address which he controls. Traffic can be sniffed or a man-in-the-middle attack can be executed, compromising the privacy of the victim.
  2. Rouge firmware upload - The attacker can upload a modified firmware with any type of exploit built-in for his use. e.g. a proxy server to redirect traffic. Note: There may be mechanisms in place to prevent it from occurring. e.g. firmware has to be signed by manufacturer's key. I have not tested it out.
  3. Denial-of-service - The attacker can change the wifi password thus locking out the victim's wireless devices. He could also repeatedly reboot the router.

Mitigation techniques:

  1. Setting admin password for web interface - May not work as password may be set only for web page exposed on port 80 of LAN interface. I have not come across any affected routers which have http basic auth enabled on port 2046 of WAN interface.
  2. Using a different router not affected by this vulnerability. However, this option may not be feasible for many subscribers as mio TV, an IPTV service offered by Singtel will not work on a different router without prior configuration.

This issue was brought to SingTel's attention on the 23 Oct 13. I received a call in Jan, informing me that investigations by the network team confirmed the existence of the vulnerability. A patch has since been released and rolled out to all affected subscribers.



Tags: Security

Similar Articles

Rules of Engagement in Cyberspace - Rules of engagement is a concept familiar to most military personnels worldwide. The basic premise of having rules of engagement is to ensure an appropriate level of response or reaction to a ...
Biometrics and Passwords - Many people have the misconception that biometrics such as fingerprint readers are more secure than passwords. It probably stems from Hollywood spy movies showing Top Secret facilities protected ...
The Golden Key - TSA Locks and Encryption - Earlier this year, TSA master keys were leaked and ordinary folks were supposedly able to 3D print these keys and open any luggage with a TSA lock. Despite the huge uproar, I personally feel that ...
Negative space - Sometimes, the lack of information is valuable information. The Washington Post reports that according to unnamed current and former US officials, the CIA pulled "a number of officers" from the ...