6th Apr 2003 [SBWID-6114]
COMMAND
	D-Link Broadband Modem/Router
SYSTEMS AFFECTED
	D-Link DSL-300G/DSL-300G+
PROBLEM
	Andrei Mikhailovsky of Arhont Information Security [www.arhont.com]
	says:
	While performing general security testing of a network, we have found
	several security vulnerability issues with the D-Link DSL Broadband
	Modem models: DSL-300G and DSL-300G+. This issue is similar to the one
	found in the D-Link DSL-500 modem/router
	(http://www.securityfocus.com/archive/1/316489/2003-03-27/2003-04-02/0).
	 Issue 1:
	 ========
	The default router installation enables SNMP (Simple Network Management
	Protocol) server with default community names for read and read/write
	access. The models DSL-300G and DSL-300G+ only allow SNMP access from
	the LAN (Local Area Network) side.
	
	andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
	sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30
	ANNEXA  (Oct 18 2002) R2.05.b4t9uk
	Copyright (c) 2000 Dlink Corp.
	sysObjectID.0 = OID: enterprises.171.10.30.1
	sysUpTime.0 = Timeticks: (27941701) 3 days, 5:36:57.01
	...
	...
	
	The community name: public
	allows read access to the mentioned devices, allowing enumeration and
	gathering of sensitive network information.
	The community name: private
	allows read/write access to devices, thus allowing change of the
	network settings of the broadband modem.
	Impact: This vulnerability allows local malicious attackers to retrieve
	and change network settings of the modem.
	 Issue 2:
	 ========
	Default remote administration access password via telnet cannot be
	changed during the setup via web interface. Even after configuring the
	modem in web interface and changing default password, malicious
	attackers can access the unit with telnet and default administrator
	password "private".
	 Issue 3:
	 ========
	The ISP account information including login name and password is stored
	on the modem without encryption. It is therefore possible to retrieve
	this information with a simple SNMP gathering utility such as snmpwalk:
	
	andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
	sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30
	ANNEXA  (Oct 18 2002) R2.05.b4t9uk
	Copyright (c) 2000 Dlink Corp.
	sysObjectID.0 = OID: enterprises.171.10.30.1
	...
	...
	...
	transmission.23.2.3.1.5.2.1 = STRING: "username@dsl-provider"
	...
	...
	transmission.23.2.3.1.6.2.1 = STRING: "password-string"
	...
	...
	... 
	
	Impact: This vulnerability allows LAN malicious attackers to retrieve
	confidential information.
SOLUTION
	Possible Solutions:
	1. Firewall UDP port 161 from LAN/WAN sides, as it is not possible to
	disable SNMP service from the web management interface.
	2. You can change or disable snmp default settings by connecting to the
	modem/router using telnet with password string: "private". (This
	solution has been pointed out by Snowy Maslov)
	3. Manually change the default password via telnet and reboot the
	modem.
	4. As a temporary solution you should firewall UDP port 161 from LAN
	sides, as it is not possible to disable SNMP service from the web
	management interface.
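
	Added example (not part of the original advisory and not D-Link code): a
	Python check that reads a saved snmpwalk capture from your own modem,
	flags the two transmission.23.2.3.1 columns the advisory shows holding
	the ISP login and password, and redacts them before the capture is
	shared. The sample capture and all function names are constructed for
	illustration; a value wrapped onto the following line is folded back
	into its row.

```python
import re

# Constructed sample in the shape of the walk shown in the advisory, with one
# value wrapped onto the next line; the credential strings are placeholders.
SAMPLE_WALK = '''sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30
sysObjectID.0 = OID: enterprises.171.10.30.1
transmission.23.2.3.1.5.2.1 = STRING:
"username@dsl-provider"
transmission.23.2.3.1.6.2.1 = STRING: "password-string"
'''

# Columns 5 and 6 under transmission.23.2.3.1 are the ones the advisory shows
# holding the ISP login name and password.
SENSITIVE = {"5": "isp_login", "6": "isp_password"}
ROW = re.compile(r"^(\S+) = (\w+):\s*(.*)$")
SECRET_OID = re.compile(r"^transmission\.23\.2\.3\.1\.(\d+)\.(.+)$")

def parse_walk(text):
    """Return [oid, type, value] rows, folding wrapped lines into the previous row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append([m.group(1), m.group(2), m.group(3)])
        elif rows and line.strip() and line.strip() != "...":
            rows[-1][2] = (rows[-1][2] + " " + line.strip()).strip()
    return rows

def audit(text):
    """Return (findings, redacted_text) for a saved snmpwalk capture."""
    findings, out = [], []
    for oid, typ, value in parse_walk(text):
        m = SECRET_OID.match(oid)
        # An empty string means nothing is stored in that column.
        if m and m.group(1) in SENSITIVE and value.strip('"'):
            findings.append((SENSITIVE[m.group(1)], oid))
            value = '"<redacted>"'
        out.append(f"{oid} = {typ}: {value}")
    return findings, "\n".join(out)

if __name__ == "__main__":
    found, redacted = audit(SAMPLE_WALK)
    for kind, oid in found:
        print(f"cleartext {kind} readable over SNMP at {oid}")
    print(redacted)
```

	Any finding means the credentials are readable by every LAN host that
	knows the read community, so change the ISP password after the SNMP
	service has been firewalled or reconfigured.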