Vulnerability Development mailing list archives

Re: DOCSIS vulnerability


From: Siegfried Loeffler <siegfried.loeffler () gmx net>
Date: 20 Mar 2002 16:09:47 -0000


In-Reply-To: <Pine.LNX.4.43.0203120939090.9902-200000 () mail securityfocus com>

I think the analysis of this security issue has to be 
done in more detail. The DOCSIS standard and most 
equipment seem to implement a method for 
authenticating configuration files. 
It is true that the configuration file utility mentioned 
(http://docsis.sourceforge.net) does allow creating 
new configuration files. 

HOWEVER, if the operator has activated security 
there is a verification of an HMAC-MD5 digest (see 
DOCSIS spec SP-RFIv1.1-I08-020301) of the cable 
modem configuration file performed by the CMTS. 
The security hole described is thus in my opinion only 
applicable if security is switched off. 

However, there is a security issue nevertheless: It 
seems to me that using MD5-HMAC is 
not "unbreakable" with reasonable CPU power. Could 
somebody comment on the approximate time 
required with a "modern" PC to break this?
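
The keyed check described in the message above, as an added example that is not part of the original post and is not the DOCSIS specification's exact procedure. It assumes one-byte type and length fields, the TLV type numbers shown, and a MIC that covers every other setting in the file; the secret and the sample settings are constructed.

```python
import hashlib
import hmac

# Assumed TLV type numbers for this sketch: pad, CMTS MIC, end-of-data.
T_PAD, T_CMTS_MIC, T_END = 0, 7, 255

def parse_tlvs(blob):
    """Split a config blob into (type, value) pairs; reject truncated input."""
    out, i = [], 0
    while i < len(blob):
        t = blob[i]
        if t == T_END:
            break
        if t == T_PAD:
            i += 1
            continue
        if i + 2 > len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated TLV")
        n = blob[i + 1]
        out.append((t, blob[i + 2:i + 2 + n]))
        i += 2 + n
    return out

def encode(tlvs):
    """Serialise (type, value) pairs back into type/length/value bytes."""
    return b"".join(bytes([t, len(v)]) + v for t, v in tlvs)

def sign_config(tlvs, secret):
    """Provisioning side: append an HMAC-MD5 MIC keyed with the shared secret."""
    mic = hmac.new(secret, encode(tlvs), hashlib.md5).digest()
    return encode(tlvs + [(T_CMTS_MIC, mic)]) + bytes([T_END])

def verify_config(blob, secret):
    """Verifier side: recompute the MIC and compare in constant time."""
    tlvs = parse_tlvs(blob)
    mics = [v for t, v in tlvs if t == T_CMTS_MIC]
    if len(mics) != 1:
        return False  # missing or duplicated MIC is rejected, not ignored
    covered = [(t, v) for t, v in tlvs if t != T_CMTS_MIC]
    expected = hmac.new(secret, encode(covered), hashlib.md5).digest()
    return hmac.compare_digest(expected, mics[0])

# Constructed sample settings (types and values are illustrative only).
SAMPLE = [(3, b"\x01"), (1, (555_000_000).to_bytes(4, "big"))]

if __name__ == "__main__":
    good = sign_config(SAMPLE, b"constructed-shared-secret")
    print("operator-signed file accepted:",
          verify_config(good, b"constructed-shared-secret"))
    print("file without a MIC accepted:",
          verify_config(encode(SAMPLE) + bytes([T_END]), b"constructed-shared-secret"))
```

A file built without knowledge of the shared secret, or altered after signing, fails `verify_config`; the check only protects anything when the verifier actually enforces it.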
