Hello Swinog,
we've recently audited a small network and found that the customer-configured devices were relatively securely configured. However, the Swisscom Router/WiFi device (Zyxel P-870HN-53b) seems to have the old UPnP exploit with a firmware that is not being updated anymore (UPnP was disabled though - so this is hopefully not a big issue).
However, when scanning the router from outside, port 7547 is openly reachable from the internet, which turns out to be TR-069 [0].
My question to the list is whether anyone can comment on the security of TR-069, and whether it is a potential or real security problem to have the port open worldwide?
We have never used TR-069 so far, but my assumption would be that this port should only be reachable from a Swisscom admin network; however, it is open worldwide. As far as I can see, the communication on port 7547 is plain HTTP with HTTP auth, which doesn't look very safe to me.
Does anyone here use TR-069 and, if so, what is your default policy for accessing the port?
Thanks a lot for your help and greetings from the last snow!
Nico
[0] https://en.wikipedia.org/wiki/TR-069
this port should only be reachable from a Swisscom admin network; however, it is open worldwide.
Strongly reminds me of: https://media.ccc.de/v/32c3-7133-beyond_your_cable_modem
-- Markus Ritzmann
On Saturday, 26 March 2016, Nico Schottelius wrote:
we've recently audited a small network and found that the customer-configured devices were relatively securely configured. However, the Swisscom Router/WiFi device (Zyxel P-870HN-53b) seems to have the old UPnP exploit with a firmware that is not being updated anymore (UPnP was disabled though - so this is hopefully not a big issue).
Be careful with those Zyxels, the last firmware update I installed on the similar P-870H disabled the firewall and I ended up with an open DNS resolver. It's not nice to get notified about this by your ISP. Don't even think about using the IPv6 stack in those devices, the built-in "firewall" doesn't know anything about IPv6 and lets any traffic pass (and we are back at the open DNS resolver, it is just harder to find and exploit the device over IPv6). Unfortunately, I can't recommend any other brand or device. In general, don't disable NAT on those plastic devices, you are entering badly tested territory.
Greetings
Peter
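As an added example (not from the thread or any of its posters), a small Python check you can run against your own router's WAN address to verify the two exposures raised above: whether TCP 7547 (TR-069) answers from outside, and whether port 53 behaves as an open recursive resolver, the failure mode Peter describes after the firmware update. The WAN address and the sample reply bytes are constructed placeholders.

```python
"""Added example, not from the thread: check your own router's WAN address for the two
exposures discussed: TCP 7547 (TR-069/CWMP) reachable and UDP 53 acting as an open resolver."""
import socket
import struct

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query for `name` with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def is_open_resolver_response(query: bytes, response: bytes) -> bool:
    """Same transaction id, QR=1, RA=1, RCODE=0 and at least one answer record."""
    if len(response) < 12 or response[:2] != query[:2]:
        return False
    flags, _qdcount, ancount = struct.unpack("!HHH", response[2:8])
    qr, ra, rcode = (flags >> 15) & 1, (flags >> 7) & 1, flags & 0xF
    return qr == 1 and ra == 1 and rcode == 0 and ancount >= 1

def probe_open_resolver(addr: str, name: str = "example.com", timeout: float = 2.0) -> bool:
    """Send one recursive query to addr:53/udp; True if the device answers it."""
    query = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (addr, 53))
        try:
            response, _ = s.recvfrom(512)
        except socket.timeout:
            return False  # silence: filtered or not an open resolver
    return is_open_resolver_response(query, response)

def tcp_port_open(addr: str, port: int = 7547, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to addr:port completes (the TR-069 CWMP listener)."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample replies (not captured from a real device) for offline checks:
# a recursive answer (flags 0x8180: QR, RD, RA, NOERROR) with one A record, and a
# REFUSED reply (flags 0x8185), what a resolver that denies outside recursion returns.
OPEN_RESOLVER_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                       b"\x07example\x03com\x00\x00\x01\x00\x01"
                       b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
REFUSED_REPLY = (b"\x12\x34\x81\x85\x00\x01\x00\x00\x00\x00\x00\x00"
                 b"\x07example\x03com\x00\x00\x01\x00\x01")

if __name__ == "__main__":
    wan = "192.0.2.1"  # placeholder: your router's WAN address
    print("port 7547 open:", tcp_port_open(wan), "| open resolver:", probe_open_resolver(wan))
```

Run it from a host outside the router's LAN (e.g. a mobile connection or a remote VPS you control), since from inside the LAN the WAN-side firewall rules are not what answers.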
I use them only as a bridge and run the PPPoE / DHCP on another device, preferably pfSense or Mikrotik.... Solves all issues :)
Silvan
----- Original Message -----
From: "Peter Rohrer" peter.rohrer@gmx.ch
To: swinog@lists.swinog.ch
Sent: Sunday, 27 March 2016 19:57:45
Subject: Re: [swinog] TR-069 & Security / Swisscom Router
On Saturday, 26 March 2016, Nico Schottelius wrote:
we've recently audited a small network and found that the customer-configured devices were relatively securely configured. However, the Swisscom Router/WiFi device (Zyxel P-870HN-53b) seems to have the old UPnP exploit with a firmware that is not being updated anymore (UPnP was disabled though - so this is hopefully not a big issue).
Be careful with those Zyxels, the last firmware update I installed on the similar P-870H disabled the firewall and I ended up with an open DNS resolver. It's not nice to get notified about this by your ISP. Don't even think about using the IPv6 stack in those devices, the built-in "firewall" doesn't know anything about IPv6 and lets any traffic pass (and we are back at the open DNS resolver, it is just harder to find and exploit the device over IPv6). Unfortunately, I can't recommend any other brand or device. In general, don't disable NAT on those plastic devices, you are entering badly tested territory.
Greetings
Peter
swinog mailing list - swinog@lists.swinog.ch - http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog