topic Router Vulnerabilities Found in Tech Help - Software/Hardware etc

Router Vulnerabilities Found

pascoej — Mon, 11 Feb 2019 14:46:44 GMT

Hi - I've used a Trend Micro scanner and my Sagemcom router has the following vulnerabilities:

-SSLv2 Drown Attack Vulnerability

-SSL Poodle Attack Vulnerability

-Device has an open port which may be access from the internet

How do I fix these please?

Thanks.

Re: Router Vulnerabilities Found

Gel — Mon, 11 Feb 2019 17:04:36 GMT

Buy your own probably; you are unable to do any s/ware updates to any PN supplied (+ locked) router.

Re: Router Vulnerabilities Found

pascoej — Mon, 11 Feb 2019 21:35:43 GMT

Hi - I need to find out if the latest firmware has fixed these vulnerabilities and when it was last updated.

Re: Router Vulnerabilities Found

7up — Tue, 12 Feb 2019 00:54:47 GMT

As for fixes.. @bobpullen ?

Re: Router Vulnerabilities Found

Baldrick1 — Tue, 12 Feb 2019 09:50:25 GMT

You shouldn't take every warning thrown up by security scans to be definite evidence of a problem.

I suspect that the port used by Plusnet for updating the firmware is being detected. If so then as I understand it this is not a security issue, is present on millions of routers, and will never be closed off.

Assuming that this is the cause then you can either live with it or buy you own third party router.

Re: Router Vulnerabilities Found

bobpullen — Tue, 12 Feb 2019 13:59:16 GMT

@pascoej, your router was upgraded to the latest available build at the start of the month. I don't suppose you can point me in the direction of the scanner you're using?

@Baldrick1 is probably right regarding the open port. It's likely to be TCP port 4567 that is used by the Plusnet Hub One for remote TR069 management/configuration.

Re: Router Vulnerabilities Found

pascoej — Tue, 12 Feb 2019 15:06:54 GMT

Hi,

I used a Trend Micro scanner and nmap, nmap confirms what the Trend Micro scanner sees. Is there anything I can do about the SSLv2 Drown and SSL Poodle vulnerabilities on the router? Or do I have to buy my own router so i can block these ports?

Thanks.

Re: Router Vulnerabilities Found

Anonymous — Tue, 12 Feb 2019 16:56:16 GMT

The issue is that the router is using SSLv2 or SSLv3 encryption, both of which are obsolete and vulnerable to attack.

The router firmware needs to be updated to use TLS (ideally v1.3) for encrypting HTTPS.

If there is also a problem with the TR-069 port being open, then it shouldn't be, as the TR-069 protocol is initiated by the device to be configured (i.e. the router) and therefore there is no need for the WAN facing port to be open, as the TR-069 server shouldn't be remotely accessing the router unsolicited.

Even if the port did have to be open, then it should be restricted to only respond to packets from the FQDN of the Plusnet TR-069 server, and should be invisible to probes from any other source.

@pascoej - what ports is nmap reporting as being open ?