D1000 vulnerability

Dulchie

Is Eir aware of this ?
If so what are you doing to correct it ?


http://www.theregister.co.uk/2016/11/22/eir_customers_modems_vulnerable/

_Puma_

Seems Eir have been issuing insecurely configured routers to their customers and are leaving them wide open to remote takeovers. It has already been verified by independent sources to the original exploit. 

http://www.theregister.co.uk/2016/11/22/eir_customers_modems_vulnerable/

Have Eir put in place a contingency measure to address the threat yet? Leaves you wondering what sort of Security penetration test were carried out before the bulk issuing of these routers to their customers. Heads should roll for this.

Eir: Pamela

[font=Verdana, sans-serif]Hi Guys,[/font]
[font=Verdana, sans-serif] [/font]
[font=Verdana, sans-serif]Thanks for getting in touch.[/font]
[font=Verdana, sans-serif] [/font]
[font=Verdana, sans-serif]We are currently working with our supplier to determine if there is any risk to that specific modem. We will be in a better position to answer your queries this afternoon and we will publish an update online at http://support.eir.ie[/font]
[font=Verdana, sans-serif] [/font]
[font=Verdana, sans-serif]Thanks,[/font]
[font=Verdana, sans-serif]Pamela [/font]

[font=Verdana, sans-serif] [/font]

edanto

Any update on this?

roast

Still no update on the support site....

edanto

I'd say eir legal have been telling customer service DON'T ADMIT ANYTHING while they hope it's going to go away.

mpok

Irrespective of the vulnerability or otherwise of the modem why on earth is the CPE management port accessible to anyone other than Eir's operation center? I can see that port 7547 on my F1000 modem is open from my phone (on Meteor) Defense in depth! The bad guys shouldn't be able to get to the modems in the first place and the modems should be secure as well. Simple filter to allow Eir CPE devices to connect to Eir management servers and vice versa with all other TR-069 traffic blocked is only a few lines in the configuration on any respectable router. 

donspeekinglesh

And it's being exploited: http://arstechnica.co.uk/security/2016/11/notorious-iot-botnets-weaponize-new-flaw-found-in-millions-of-home-routers/

Wombatman

Have Eir customers been made aware of this problem?

Has their been a press release from Eir?

Detailed info here from Nov 7th. Why the delay in addressing this problem?

https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/

Edit: Just saw this
https://community.eir.ie/broadband-25/security-issue-eir-modems-288074

roast

Absolutely no statement from Eir yet, which is disgraceful.

These exploits should have been picked up on before pushing the firmware out or, at the very least, acknowledged in a timely manner once the flaw was public knowledge. The fact that there has been no acknowledgement from Eir in the weeks after the flaw was publicized just goes to show the lack of regard Eir have for security.

Wombatman

Looks like German Telekom is now rolling out a firmware update for the affected routers. Details (in German) are here:
https://www.telekom.de/hilfe/geraete-zubehoer/router/speedport-w-921v/firmware-zum-speedport-w-921v

Affected useres are advised to power off their router and power it on again after 30 seconds. During bootup the router should retrieve the new firmware from the Telekom servers.

Details here:
https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759

Wombatman

http://www.independent.ie/irish-news/2000-eir-customers-hacked-as-130000-more-put-at-risk-35271309.html

The company spokesman said that Eir was informed two weeks ago about the vulnerability and immediately began to fix the modems remotely. However, last Thursday engineers discovered that almost 2,000 of the modems had been breached "by a third party".

tphase

just wondering what are the options for people who use these devices but are not eir customers? Will a firmware update be made available to download?

Eir: Pamela

[font=Verdana, sans-serif]Hi Guys,[/font]
[font=Verdana, sans-serif] [/font]
[font=Verdana, sans-serif]You will find all the relevant information on this [/font][font=Verdana, sans-serif]here[/font][font=Verdana, sans-serif] to reset your password  however if you have any further queries or need assistance we have a dedicated team on 1901 that will be happy to assist you.  [/font]
[font=Verdana, sans-serif] [/font]
[font=Verdana, sans-serif]- Pamela [/font]

[font=Verdana, sans-serif] [/font]

roast

I see Eir finally acknowledged it on the support site. Good to know customer security is a primary concern.

https://community.eir.ie/service-updates-70/modem-reset-instructions-06122016-288871

2,000 is not a "small number".

PeterTheNinth

Just did a scan of a few of our sites using NMAP with the following command:

nmap -p 7547 -T4 -Pn -A <target>

Discovered open port 7547/tcp on 86.43.???.???
Discovered open port 7547/tcp on 83.70.???.???
Discovered open port 7547/tcp on 86.45.???.???

A few of them are showing up as having the open port alright. We use quite a few in bridge mode so they wouldn't be vulnerable to this vulnerability. Can you not just forward port 7547 on to a nonexistent address? (i.e. so that the router itself does not respond to requests on that port)

PeterTheNinth

I just noticed on my port scan that the same port is showing up as being open on the F1000 and F2000 E-Fibre modems. I wonder are these also vulnerable to the same issue?

rat_race

What's funny about this, is that I already told Eircom about a major security flaw in the D1000, over two years ago!

http://www.boards.ie/ttfthread/2057337389

I am not in the slightest bit surprised with this new BS. Remember around 2001, Eircom was hacked, exposing 130,000 usernames and passwords? And there have been dozens of documented hacks since. Now this.

Eir, start behaving like an ISP.


Edit: the security flaw back then was different, but still a massive red flag that they should sort their sh*t out!

Eir: Pamela

PeterTheNinth wrote: »

I just noticed on my port scan that the same port is showing up as being open on the F1000 and F2000 E-Fibre modems. I wonder are these also vulnerable to the same issue?

[font=Verdana, sans-serif]Hi [/font][font=Verdana, sans-serif] [/font][font=Verdana, sans-serif]PeterTheNinth,[/font]
[font=Verdana, sans-serif] [/font]
[font=Verdana, sans-serif]The efibre modems are not affected, if you have any concerns I would recommend contacting our team on 1901 to discuss this further.[/font]
[font=Verdana, sans-serif] [/font]
[font=Verdana, sans-serif]- Pamela [/font]

[font=Verdana, sans-serif] [/font]

tphase

tphase wrote: »

just wondering what are the options for people who use these devices but are not eir customers? Will a firmware update be made available to download?

Eir: Pamela wrote: »

[font=Verdana, sans-serif]Hi Guys,[/font]
[font=Verdana, sans-serif] [/font]
[font=Verdana, sans-serif]You will find all the relevant information on this [/font][font=Verdana, sans-serif]here[/font][font=Verdana, sans-serif] to reset your password  however if you have any further queries or need assistance we have a dedicated team on 1901 that will be happy to assist you.  [/font]
[font=Verdana, sans-serif] [/font]
[font=Verdana, sans-serif]- Pamela [/font]

[font=Verdana, sans-serif] [/font]

 I assume resetting the modem will allow eir to push a patch to fix the vulnerability however non-eir customers who happen to be using these modems will not have the patch applied - is that correct?

Eir: Pamela

tphase wrote: »

tphase wrote: »

just wondering what are the options for people who use these devices but are not eir customers? Will a firmware update be made available to download?

Eir: Pamela wrote: »

[font=Verdana, sans-serif]Hi Guys,[/font]
[font=Verdana, sans-serif] [/font]
[font=Verdana, sans-serif]You will find all the relevant information on this [/font][font=Verdana, sans-serif]here[/font][font=Verdana, sans-serif] to reset your password  however if you have any further queries or need assistance we have a dedicated team on 1901 that will be happy to assist you.  [/font]
[font=Verdana, sans-serif] [/font]
[font=Verdana, sans-serif]- Pamela [/font]

[font=Verdana, sans-serif] [/font]

 I assume resetting the modem will allow eir to push a patch to fix the vulnerability however non-eir customers who happen to be using these modems will not have the patch applied - is that correct?

[font=Verdana, sans-serif] [/font]
[font=Verdana, sans-serif]I'm afraid I would be unable to advise on this from here [/font][font=Verdana, sans-serif]tphase. [/font][font=Verdana, sans-serif]Our dedicated team on 1901 will be able to discuss this with you in further detail.[/font]
[font=Verdana, sans-serif] [/font]
[font=Verdana, sans-serif]Thanks,[/font]
[font=Verdana, sans-serif]Pamela [/font]

[font=Verdana, sans-serif] [/font]