Major security hole in Zoom X3 modem/router

Community Veteran
Posts: 14,469
Registered: 30-07-2007

If you are currently using a Zoom X3 modem please read the following news item from ADSLguide about a security hole in the firmware which could leave you open to a DoS (denial of service) attack.

A temp workaround to stop this is also included until Zoom issue a new firmware release to correct the problem.

Full details here: http://www.adslguide.org.uk/newsarchive.asp?item=1750
2 REPLIES
N/A

it's not just a DoS.. it's more serious than that... well there is another problem with the router if not this one


Quote


i have just installed an adsl modem sold under the brand of Zoom X3

http://www.zoom.com/products/adsl_overview.html

and was appalled to find that an nmap scan of the external address
immediately came up with the following:

PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
254/tcp open unknown
255/tcp open unknown

ports 23 and 80 give access to the configuration menu and html interface
as would be expected, but, although you can control access to the html
interface, there is no control over the telnet port other than password.

worse still, telnetting to port 254 gives you access to another menu,
which identifies itself as "ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A)
3.27", and uses the *DEFAULT* HTML management password, even if you have
changed it to something else. i.e. changing the HTML password does not
change this one. from this menu you can change DSL settings and issue a
complete "Factory Reset". there is a menu option to change the password,
but this does not appear to work.

port 255 accepts connections, but I have not investigated further.

at the minimum this carries a risk of a trivial DOS attack (factory
reset and everything stops working), and may actually have other more
serious implications.

i am disgusted that in this day and age products like this are still
being shipped with such basic insecurities, and, accordingly, will not
be wasting my time by looking into it any further, and will be taking
the router back and exchanging it for something (hopefully) better
thought out.

to their credit, Zoom responded immediately with a workaround when i
reported the problem, so they are clearly already aware. fyi, the
workaround is to create dummy "Virtual Servers" on each of the ports
that blackhole any incoming connections. this appears to work.

conexant list several other high profile retail modem manufacturers and
pc oems, so i leave it as an exercise for the reader to work out other
manufacturer/vulnerability combinations.

http://www.conexant.com/support/md_supportlinks.html

enjoy,
Adam

Community Veteran
Posts: 3,181
Thanks: 19
Fixes: 2
Registered: 31-07-2007

yeah old issue easy work around

1. set a DMZ lan IP to a false IP that doesn't exist, that stealths the router.
2. do the same for ports 254/5 in virtual server

There is an Origo firmware version that might work for that router that fixes this, as the tech support said they make the firmware for Zoom etc. that rebrand the cheapie 4 port routers using the Conexant chipset. Just making slight changes, but check with whoever is giving support.
Unvalued customer since 2001 funding cheap internet for others / DSL/Fibre house move 24 month regrade from 8th May 2017
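
To confirm that the dummy virtual server / DMZ workaround described in this thread has taken effect, the four ports listed in the quoted scan can be re-checked from a machine outside the LAN against your own router's external address. The script below is an added example, not something posted by anyone in the thread; the function names and the three-second timeout are assumptions.

```python
import errno
import socket
import sys

# Ports the quoted post reported open on the external address.
X3_PORTS = {
    23: "telnet configuration menu",
    80: "html interface",
    254: "ATU-R ACCESS RUNNER menu",
    255: "unknown",
}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))  # returns an errno instead of raising
    finally:
        s.close()
    if rc == 0:
        return "open"            # handshake completed: service reachable
    if rc == errno.ECONNREFUSED:
        return "closed"          # RST received: nothing listening
    return "filtered"            # timeout or unreachable: connection blackholed


def audit(host, ports=X3_PORTS, timeout=3.0):
    """Probe every listed port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def still_exposed(results):
    """Ports that still complete a TCP handshake after the workaround."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    host = sys.argv[1]  # your own router's external address
    results = audit(host)
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state:9} {X3_PORTS[port]}")
    # Non-zero exit if any management port still accepts connections.
    sys.exit(1 if still_exposed(results) else 0)
```

With the workaround in place every port should report `filtered` or `closed`; any port still reported `open` means the corresponding virtual server entry is not catching the connection.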