The security researcher Harry Sintonen publicly disclosed a serious vulnerability found in several Inteno routers that can be exploited to gain full remote administrative access.
The Inteno Exploits Are Related to the CWMP Implementation
Harry Sintonen of F-Secure has revealed a serous security issue in several router models made by the Swedish company Inteno. The problem was detected in the validation of the Auto Configuration Server (ACS) certificate.
This is a feature of the CWMP (TR-069) protocol known as CWMP or CPE WAN management protocol. This is a technology that is used to remote manage network devices and is used as a safe configuration method for a lot of business and consumer devices including modems, routers, gateways, VoIP phones and others. In the last ten years, a lot of home devices behind various gateways and firewalls have included support for the protocol making it a popular choice among vendors. The Home Gateway Initiative (HGI), Digital Video Broadcasting (DVB) and WiMax endorse the standard in the implementation of various devices.
As a result some Internet service providers often bundle CPE-enabled devices that the user has to set up on their own. Most providers offer two types of connection; either they supply a preconfigured router that users can configure and update themselves, or they bring they own device to connect to the service.
In both cases, the CWMP protocol is used by supported devices by the ISP to configure the settings for Internet access. The information is downloaded from the Auto configuration server (ACS) when two conditions are met – a secure and authenticated connection. These are used to prevent eavesdropping and man in the middle attacks. The HTTPS protocol is used in the process however in the case of the Inteno routers all of this was not properly handled.
The issue itself is found in the authentication process. The affected devices do not check properly the connection for the right ISP call out name and the digital certificate. This can potentially be exploited by a man in the middle attack. Criminal users can potentially trick unsuspecting users and the hijack the victim device using this method. Full remote control access can be obtained which can have serious implications for all connected devices.
The exploit was demonstrated on an Inteno EG500 model with firmware version 4.10DNT0270. According to the researcher other products, such may also be affected including FG101R2, firmware 3.12DNT21, and DG201-R1, firmware 4.06DNT0936.
Sintonen offers two user mitigation solutions:
1. Disable the TR-069 management in configuration:
– Log in to the administrative interface with your credentials
– Select “Management”
– Select “TR-069 Client”
– Select “Inform” “Disable”
– Set “ACS URL” to some non-existing value such as: nonsense.invalid
– Set “Connection Request Password” to some long, random value
– Select “Apply/Save”
2. If your ISP requires functioning TR-069 CWMP and no fix is available from
the ISP, replace the device with a device from another vendor.
The security expert revealed that he had contacted the vendor about amending the problem. However the company has not responded in the appropriate manner. They responded that the Internet operator is responsible for observing the products for security issues. Sintonen was in communication from January 2016 to March 2016 and did not receive a committed response from Inteno; this is the reason why the issues are reported publicly before most of the devices have received patches.