Type: Open port
Affects: Singtel's firmware on 2wire 5012NV-002
Version: (HW version: 2701-000808-004, SW version: 9.3.1.29)
(Unable to ascertain if other versions are affected as I do not have access to the firmware)
Severity: High
Ease of exploit: Low
Impact: Allows an attacker to gain access to the admin page of the router.
Technical details:
The affected routers expose the admin page on port 2046 of the WAN interface. Of all the routers I have seen, none have required any form of authentication. Targets can be found very quickly by scanning port 2046 of IP addresses which Singtel issues to its subscribers. A quick scan of 1275 addresses found approximately 10 hosts which were vulnerable. Compromising the router is as simple as pointing your browser to http://xxx.xxx.xxx.xxx:2046.
Potential exploits (in order of severity):
- Routing table poisoning - The attacker can add a static route to direct traffic from a certain subset of IP addresses to an address which he controls. Traffic can be sniffed or a man-in-the-middle attack can be executed, compromising the privacy of the victim.
- Rogue firmware upload - The attacker can upload modified firmware with any type of exploit built in for his use, e.g. a proxy server to redirect traffic. Note: There may be mechanisms in place to prevent this, e.g. a requirement that firmware be signed with the manufacturer's key. I have not tested it out.
- Denial-of-service - The attacker can change the Wi-Fi password, thus locking out the victim's wireless devices. He could also repeatedly reboot the router.
Mitigation techniques:
- Setting an admin password for the web interface - May not work, as the password may be set only for the web page exposed on port 80 of the LAN interface. I have not come across any affected routers which have HTTP basic auth enabled on port 2046 of the WAN interface.
- Using a different router not affected by this vulnerability. However, this option may not be feasible for many subscribers, as mio TV, an IPTV service offered by Singtel, will not work on a different router without prior configuration.
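A check a subscriber can run against their own router after setting the admin password, to confirm whether the WAN-side admin page on port 2046 still answers without an HTTP authentication challenge. This is an added example, not part of the original advisory; the function names and verdict labels are assumptions made for illustration.

```python
"""Added example: verify your own router's WAN port 2046 after mitigation."""
import http.client
import socket
import sys

ADMIN_PORT = 2046  # WAN-side admin port named in the advisory


def classify(status, headers):
    """Map an HTTP status and header dict to an exposure verdict (labels are illustrative)."""
    names = {k.lower() for k in headers}
    if status == 401 and "www-authenticate" in names:
        return "AUTH_REQUIRED"      # HTTP auth challenge is enforced on this port
    if status in (401, 403):
        return "ACCESS_DENIED"
    if 200 <= status < 300:
        # Page served with no HTTP-level challenge. A 200 could still be a
        # login form, so confirm in a browser before treating it as fixed.
        return "EXPOSED_NO_AUTH"
    return "INCONCLUSIVE"


def check_wan_admin(host, port=ADMIN_PORT, timeout=5.0):
    """Probe one host you administer; returns (verdict, detail)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders())), f"HTTP {resp.status}"
    except ConnectionRefusedError:
        return "CLOSED", "connection refused"
    except socket.timeout:
        return "FILTERED", "no reply before timeout"
    except (OSError, http.client.HTTPException) as exc:
        return "INCONCLUSIVE", type(exc).__name__
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_wan_admin.py <your-router-WAN-address>")
    verdict, detail = check_wan_admin(sys.argv[1])
    print(f"{sys.argv[1]}:{ADMIN_PORT} -> {verdict} ({detail})")
    # Non-zero exit when the admin page answers without authentication.
    sys.exit(1 if verdict == "EXPOSED_NO_AUTH" else 0)
```

Run it from a connection outside the home network against your own WAN address, since the exposure described here is on the WAN interface rather than the LAN side.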
This issue was brought to SingTel's attention on 23 Oct 13. I received a call in Jan, informing me that investigations by the network team confirmed the existence of the vulnerability. A patch has since been released and rolled out to all affected subscribers.