Bugtraq mailing list archives

RE: Ericsson HM220dp ADSL modem Insecure Web Administration Vulnerability


From: Johan Kölhi (EAB) <Johan.Kolhi () etx ericsson se>
Date: Tue, 25 Feb 2003 09:46:07 +0100

On behalf of Peter Linder, Technical Director, Ericsson Ethernet Broadband Access:


On February 11 a report was issued on BugTraq related to Ericsson's DSL modem HM 220.
The initial report included some statements that could be misinterpreted and in order to avoid 
any further confusion on this subject we would like to provide the following clarifications.

Ericsson hm220 is a flexible ADSL modem targeting the residential market.
For small offices Ericsson recommend hm230 (standard ADSL), hn310 (ADSL Annex J 
support 3Mbps upstream) and hn800 (SHDSL) which has a feature set that is targeted towards
the small business customers' needs.

hm220 can be operated in two modes, bridged and routed mode. There is no possibility to remotely
manage the modem from the WAN side in neither of these two modes. It is possible to perform local 
administration routines from a PC connected to the LAN side of the modem but that option is restricted
to the Routed mode only. No such options exist for the products configured for Bridged mode operation.

Ericsson have scheduled a maintenance release for March 15 for the hm220 software that will eliminate
any risk for access to the modem being manipulated from the LAN side.

Any end-user experiencing service interruption through unwanted actions from the PC towards the modem 
can perform a factory reset, which is described in the user manual, which will return all initial installations.

All Ericsson ADSL modems launched after the hm220 have an increased security feature set for residential 
as well as small business users and the indication that other products in the hm and hn product families 
would be vulnerable is not correct.


Peter Linder
Technical Director, Ethernet Broadband Access

Business Unit Systems
Ericsson AB
Phone: + 46 8 719 2974
e-mail: peter.linder () ericsson com

