Full Disclosure mailing list archives

CVE-2015-6498


From: <csirt () swisscom com>
Date: Mon, 2 Nov 2015 09:17:00 +0000

###################################################################################
#
# SWISSCOM CSIRT ADVISORY
# https://www.swisscom.ch/en/about/sustainability/digital-switzerland/security.html
#
##################################################################################
#
# CVE ID:   CVE-2015-6498
# Product:  Home Device Manager
# Vendor:   Alcatel-Lucent
# Subject:  Code vulnerability, remotely exploitable
# Finder:   Dr. Ulrich Fiedler and his team at BFH-TI Biel/Bienne
# Coord:    Philippe Cuany (csirt _at_ swisscom.com)
# Date:     Nov 02nd 2015
#
##################################################################################


Description
-----------
A vulnerability has been discovered in the TR-069 (CWMP) protocol that can
potentially affect all Automatic Configuration Servers (ACS): an ACS that
accepts the device identity a CPE reports about itself, without tying it to
anything else, can be made to treat a spoofed session as a different
subscriber's device. The issue has been fixed in the Home Device Manager (HDM)
product from Alcatel-Lucent with an anti-spoofing filter. HDM allows service
providers to remotely manage CPEs, such as residential gateways, IP set-top
boxes, and VoIP terminal adapters, that make up a home networking environment.


Product
-------
Alcatel-Lucent Home Device Manager versions prior to 4.1.10 may be affected
unless they already have filtering in place (Alcatel-Lucent previously provided
such a filter as a customer-specific extension) or the operator has added other
authorization checks of its own.


Vulnerability
-------------
The vulnerability allows an attacker to perform impersonation attacks by
spoofing a CPE over the TR-069 (CWMP) protocol, i.e. by presenting the identity
of another subscriber's device to the ACS. An attacker could thereby gain
unauthorized access to the third-party SIP credentials provisioned for the
spoofed device and use them for illegal activities (phone fraud). The
vulnerability has been tested and confirmed.
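
The following is an added illustration of the class of check an ACS-side
anti-spoofing filter performs; it is not Swisscom's or Alcatel-Lucent HDM's code
and the advisory does not describe HDM's implementation. It assumes that the
ACS authenticates each CPE session with per-device credentials and that the
DeviceId (OUI and SerialNumber) claimed in the cwmp:Inform can therefore be
compared against the identity bound to those credentials. The device registry,
credential names, SIP accounts and the Inform message are all constructed for
the example.

```python
# Added example: ACS-side anti-spoofing check for TR-069 (CWMP) Inform messages.
# Not HDM's filter; REGISTRY, the usernames and the SIP values are constructed,
# and "the authenticated username identifies one CPE" is an assumption about
# how the ACS authenticates its sessions.
import xml.etree.ElementTree as ET

# Constructed inventory: per-device ACS credentials bound to the provisioned
# device identity (OUI + SerialNumber) and that subscriber's SIP account.
REGISTRY = {
    "cpe-000123": {"OUI": "001122", "SerialNumber": "CPE000123",
                   "sip": {"user": "0315550123", "password": "s3cret-123"}},
    "cpe-000456": {"OUI": "001122", "SerialNumber": "CPE000456",
                   "sip": {"user": "0315550456", "password": "s3cret-456"}},
}


def _local(tag):
    """Strip the XML namespace so cwmp-1-0/1-1/1-2 Informs are handled alike."""
    return tag.rsplit("}", 1)[-1]


def parse_inform_device_id(xml_bytes):
    """Return the DeviceId claimed in a cwmp:Inform as a dict, or raise ValueError.

    Python's ElementTree does not fetch external entities, but an ACS parsing
    XML from the Internet should still use a hardened parser and a size limit.
    """
    root = ET.fromstring(xml_bytes)
    inform = next((e for e in root.iter() if _local(e.tag) == "Inform"), None)
    if inform is None:
        raise ValueError("not a cwmp:Inform")
    device_id = next((e for e in inform if _local(e.tag) == "DeviceId"), None)
    if device_id is None:
        raise ValueError("Inform without DeviceId")
    claimed = {_local(e.tag): (e.text or "").strip() for e in device_id}
    for field in ("Manufacturer", "OUI", "ProductClass", "SerialNumber"):
        if not claimed.get(field):
            raise ValueError(f"DeviceId missing {field}")
    return claimed


def config_without_filter(xml_bytes):
    """Unfiltered ACS behaviour: trust the claimed DeviceId alone and return the
    SIP account of whatever device the Inform names (None if unknown)."""
    claimed = parse_inform_device_id(xml_bytes)
    for entry in REGISTRY.values():
        if (entry["OUI"], entry["SerialNumber"]) == (claimed["OUI"], claimed["SerialNumber"]):
            return entry["sip"]
    return None


def config_with_filter(auth_user, xml_bytes):
    """Anti-spoofing variant: the claimed DeviceId must match the identity bound
    to the credentials that authenticated this session. Returns (sip_or_None, reason)."""
    entry = REGISTRY.get(auth_user)
    if entry is None:
        return None, "unknown credentials"
    claimed = parse_inform_device_id(xml_bytes)
    if (claimed["OUI"], claimed["SerialNumber"]) != (entry["OUI"], entry["SerialNumber"]):
        # Authenticated as one device, claiming to be another: log and refuse.
        return None, (f"spoofing attempt: session {auth_user} claimed "
                      f"{claimed['OUI']}/{claimed['SerialNumber']}")
    return entry["sip"], "ok"


def build_inform(oui, serial):
    """Constructed minimal cwmp:Inform carrying only the fields this example reads."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soapenv:Body>
    <cwmp:Inform>
      <DeviceId>
        <Manufacturer>ExampleCo</Manufacturer>
        <OUI>{oui}</OUI>
        <ProductClass>HomeGateway</ProductClass>
        <SerialNumber>{serial}</SerialNumber>
      </DeviceId>
      <Event/>
      <MaxEnvelopes>1</MaxEnvelopes>
      <CurrentTime>2015-11-02T09:17:00Z</CurrentTime>
      <RetryCount>0</RetryCount>
      <ParameterList/>
    </cwmp:Inform>
  </soapenv:Body>
</soapenv:Envelope>""".encode()


if __name__ == "__main__":
    # Attacker authenticates with the credentials of their own device
    # (cpe-000123) but claims the serial number of the victim (cpe-000456).
    spoofed = build_inform("001122", "CPE000456")
    print("unfiltered:", config_without_filter(spoofed))            # victim's SIP account
    print("filtered:  ", config_with_filter("cpe-000123", spoofed))  # rejected
    print("legit:     ", config_with_filter("cpe-000456", spoofed))  # victim's own session
```

The point of the comparison is that the unfiltered path keys provisioning on
data the CPE itself supplies, while the filtered path keys it on the identity
the ACS established during authentication and only uses the Inform to confirm
it. Whatever the binding actually is in a given ACS (per-device credentials,
client certificate, access-network attributes), the DeviceId in the Inform
should never be the sole selector for the configuration handed out.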


Remediation
-----------
Update to Home Device Manager Version 4.1.10 (or higher) or 4.2.2 (or higher)
and activate the anti-spoofing filters, in case there is not already a customer
specific filter or authorization check in place.


Acknowledgments
---------------
Dr. Ulrich Fiedler and his team at BFH-TI Biel/Bienne for the discovery and
notification about the vulnerability.


Milestones
----------
Jul 13th 2015     Details about the vulnerability are communicated to Swisscom
Jul 14th 2015     HDM anti-spoofing filter available
Aug 13th 2015     CVE ID requested at MITRE
Aug 18th 2015     CVE-2015-6498 assigned by MITRE
Nov 02nd 2015     Public Release of Advisory

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
