About two years ago, a Spanish security researcher named Eduardo Novella found an astonishing bug in the Pirelli P.DGA4001N routers that were used by a Spanish ISP.
After a long wait, he’s now gone public with what must be the most straightforward Proof of Concept “code” ever seen.
Very simply put, Novella claims that the router’s administration web pages are visible on the external (internet-facing) interface.
And by “visible” he means just that.
Imagine that you were on the inside of your network, and you tried to go to a router setup page such as:
http://10.0.0.1/wifisetup.html
You’d expect the router’s web server to redirect you to a login page that would ask you to present a username and password, and then to set a session cookie to authenticate you to access the web GUI’s configuration pages.
Only after you’d authenticated, at least until you logged out or closed your browser, you’d expect to be able to carry out tasks like Wi-Fi setup and more.
In fact, you’d hope that the relevant pages used https:// instead of merely http://, in order to keep your password, your session cookie and the contents of the configuration pages secret.
On the outside of the network, you’d expect no access to the web GUI at all, at least by default.
Of course, if the router had an “administer over external (internet) interface” option, you might consider turning it on, after logging in from the inside, of course. (We’d advise you not to, but the choice is yours.)
Only then would you expect to be able to connect to the web GUI over the internet, hopefully using HTTPS to prevent sniffers and imposters hijacking your connection.
What you wouldn’t expect is that by simply accessing, say:
http://198.51.100.43/wifisetup.html
from the outside, you’d get in automatically, without encryption or authentication.
No HTTPS and no password required.
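To make the contrast concrete, here is an added example (mine, not code from Pirelli, Novella or Sophos) that models the decision a router's web server should make before serving a configuration page. The vulnerable handler does what the article describes: it returns the page to whoever asks, on either interface, over plain HTTP, with no login. The hardened handler refuses WAN-side requests unless the "administer over external interface" option is on, redirects plain HTTP to HTTPS, and sends anyone without a valid signed session cookie to the login page. The interface names "lan" and "wan", the cookie format, the host name router.lan and the .html paths built from the stems the article lists are all assumptions for the example.

```python
"""Access-control decision for a home router's web GUI configuration pages.

Added example, not code from Pirelli, Novella or Sophos.  It contrasts a server
that hands out configuration pages to anyone with one that refuses WAN-side
requests by default, forces HTTPS and demands a valid session cookie.
Interface names ("lan"/"wan"), the cookie format, the host name router.lan
and the .html paths are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import secrets

# Page stems the article says appeared in Novella's list; the .html paths are
# constructed for this example.
CONFIG_PAGES = {
    "/wifisetup.html", "/dnscfg.html", "/certadd.html",
    "/certcaimport.html", "/wlsecurity.html",
}


@dataclass
class Request:
    path: str
    iface: str                      # interface the packet arrived on: "lan" or "wan"
    scheme: str                     # "http" or "https"
    host: str = "router.lan"        # assumed host name used in redirects
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # set on 301/302
    body: str = ""


# Per-boot secret; the GUI signs session cookies with it so a forged cookie is
# rejected.  A real device would also expire sessions and tie them to the client.
_SESSION_KEY = secrets.token_bytes(32)


def _tag(user: str, nonce: str) -> str:
    return hmac.new(_SESSION_KEY, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_session(user: str) -> str:
    """Cookie value handed out after a successful login: user:nonce:hmac."""
    nonce = secrets.token_hex(8)
    return f"{user}:{nonce}:{_tag(user, nonce)}"


def session_valid(cookie: Optional[str]) -> bool:
    """True only if the cookie carries an HMAC our key produced."""
    if not cookie:
        return False
    parts = cookie.split(":")
    if len(parts) != 3:
        return False
    user, nonce, tag = parts
    return hmac.compare_digest(tag, _tag(user, nonce))


def handle_vulnerable(req: Request) -> Response:
    """The behaviour the article describes: the page is served to whoever asks,
    on either interface, over plain HTTP, with no login."""
    if req.path in CONFIG_PAGES:
        return Response(200, body=f"<configuration page {req.path}>")
    return Response(404)


def handle_hardened(req: Request, remote_admin_enabled: bool = False) -> Response:
    """What the article says you would expect instead."""
    if req.path not in CONFIG_PAGES:
        return Response(404)
    # 1. By default the GUI is not reachable from the internet-facing side at all.
    if req.iface == "wan" and not remote_admin_enabled:
        return Response(403)
    # 2. Configuration pages, the login form and the cookie travel only over HTTPS.
    if req.scheme != "https":
        return Response(301, location=f"https://{req.host}{req.path}")
    # 3. No valid session: send the browser to the login page, never the content.
    if not session_valid(req.cookies.get("session")):
        return Response(302, location=f"/login.html?next={req.path}")
    return Response(200, body=f"<configuration page {req.path}>")


if __name__ == "__main__":
    wan = Request("/wifisetup.html", iface="wan", scheme="http")
    print("vulnerable, from WAN, no login:", handle_vulnerable(wan).status)  # 200
    print("hardened,   from WAN, no login:", handle_hardened(wan).status)    # 403
    lan = Request("/wifisetup.html", iface="lan", scheme="https",
                  cookies={"session": issue_session("admin")})
    print("hardened,   from LAN, logged in:", handle_hardened(lan).status)   # 200
```

The order of the checks matters: the interface test comes first so that a WAN-side request is dropped before the server reveals anything about redirects or login pages, and the HTTPS redirect comes before the session check so the cookie is never asked for over plaintext, even when remote administration has been deliberately switched on.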
Novella has published a list of .html administration pages that he claims are exposed in this way.
And with filenames such as dnscfg, certadd, certcaimport and wlsecurity in the list, it looks as though any crook who knows you’re there could take over your network for just about any nefarious purpose.
That’s the sort of bug that beggars belief – indeed, it would have beggared belief 20 years ago, even before computer security was the serious matter it is today.
What to do?
Servers are often shielded from attack by sandwiching them between two secure gateways (such as a pair of Sophos Free UTMs) to form what’s called a DMZ, or demilitarised zone.
Ignoring the irony of securing a router by putting it between two routers (why not just retire the buggy router and use a secure one instead?), that isn’t feasible here.
The P.DGA4001N seems to be one of those “all in one” connectivity products, combining ADSL modem, network switch/router, and Wi-Fi access point.
So you can’t easily put a secure gateway between the P.DGA4001N and the internet, because the external interface of the latter plugs directly into your phone line.
And you can’t easily put a secure gateway between the router and your Wi-Fi network because the Wi-Fi hardware is wired up inside the P.DGA4001N itself.
The bottom line
If you have a P.DGA4001N or similar:
- Check if there is a firmware update available from your ISP or router vendor.
- Consider running an alternative router operating system such as OpenWRT.
- Consider using an alternative router.
Understanding firewalls and secure gateways
Listen to our Sophos Techknow podcast, Firewalls Demystified
Sophos UTM Home Edition
Want to build a network DMZ for your computers at home?
Try our award winning UTM.
The Home Edition includes all the Sophos UTM features: email scanning, web filtering, a VPN, web application security, and everything you need to keep up to 50 devices on your home network secure, 100% free for home use.
If you live in a shared house, or you have children to look out for online, this could be just the product you need.
Better yet, you get 12 free licences for Sophos Anti-Virus for Windows that you can install and manage throughout your household, right from the UTM web console.
Image of SoHo router courtesy of Shutterstock.
You wouldn’t get to the router on that IP externally because it’s not an externally routable address… If, however, you try on the PUBLIC IP of the DSL/Fibre connection what happens then?
See reply to Julio Martinez below.
I meant you to interpret “10.0.0.1” to mean “replace in your mind with an address meaningful to you.”
But I should have used an official reserved-for-documentation public IP number for clarity.
Article has been updated. Apologies.
Will you guys make a demo video for setting up a home UTM with typical settings. Your online videos work however they seem more geared towards enterprise users and don’t show settings you would really need for at home.
I’ve passed this on to our support folks who make the videos. We’ll let you know if/when they make one. Thanks for the feedback!
I’m a bit confused. You mention that you can access “http://10.0.0.1/wifisetup.html” from the “outside”…but isn’t 10.x.x.x a private address? How can you route to it from an external address? Unless I’m missing something?
See reply to Julio Martinez below.
I meant you to interpret “10.0.0.1” to mean “replace in your mind with an address meaningful to you.”
But I should have used an official reserved-for-documentation public IP number for clarity.
Article has been updated. Apologies.
I have not yet been able to figure out how to use POP3 email protection with the home UTM. In fact, a comprehensive instruction manual would be greatly appreciated. After reading comments on your forums, it appears even fairly skilled users are having setup problems. But I must say, your home UTM is absolutely outstanding! It has stopped multiple attacks on my network, and the reporting and logging is excellent.
There is a comprehensive manual included with the UTM.
In the UTM web console, on the left menu, choose Support, then below support, choose Documentation. Choose your language and download the PDF. POP3 info is on p349. Note it will open the PDF in a pop-up so you may have to enable pop-ups for the UTM in your browser.
I haven’t used the POP3 protection because I have no need, but looking at the manual it seems that the POP3 protection is meant for protecting clients (Outlook, Thunderbird etc.) and is not meant to protect an internal server.
You would enable the POP3 proxy when you don’t trust the external POP3 server’s ability to prevent spam or viruses, e.g. you don’t trust that Verizon or Comcast is doing a good enough job, or you’re located in some country without decent ISPs that do a decent job of scanning email.
The POP3 protection is a proxy much like Squid. When your Outlook or Thunderbird connect to the external POP3 server, the Sophos proxy will “intercept” that connection and get the mail itself, scan it, filter it, and then pass it along to your Thunderbird or Outlook client. This may mean you’ll have to adjust the POP3 settings in the client and make the client’s timeout setting longer, since it will take longer to get the email as Sophos scanning does add extra time.
The UTM is able to track which email account is which without the need for you to try and manage POP3 accounts on the UTM. In other words, it’s pretty seamless and there is nowhere to “add” POP3 accounts since it doesn’t need them.
My recommendation would be to turn on the proxy and leave it at that. Fetch some POP3 email and watch the live log, and see how it goes. Check the admin console for items that may be quarantined.
Once you are familiar with it then try the more complex prefetching if you feel you need it.
How would you exploit this from the internet? The internet will not route packets towards 10.0.0.1 to your home router; you’d need a direct connection to the external port. Or will it also accept requests sent to the regular IP/router login? Anyway, it looks quite bad.
I have clarified a bit.
In the article, I now use “10.0.0.1” as my made-up internal IP number, and “198.51.100.43” as my made-up external IP, which looks a lot more realistic!
(The network 198.51.100.0/24 is officially designated TEST-NET-2 and reserved for documentation in RFC 5737. I should have used one of the TEST-NET numbers from the start…apologies for that.)
This vulnerability is also affecting Pirelli routers in Argentina.
I am unable to receive email notifications from my home UTM. Why is this? It has the correct email address.
Sophos UTM does not support wireless cards so the proposed laptop “solution” does not work AT ALL. It supports some USB ethernet interfaces as an alternative, though.
See comment below from @Rob. (I replied backwards.) I’ve chopped that bit out of the article. Sorry about that.
“If you do decide to try the Sophos UTM for free at home, you can use an old laptop with a wired network cable for the external (internet-facing) connection and a wireless card for your inside network.”
One challenge with using a laptop is there is no driver support for the integrated WiFi adapter. A USB-Ethernet dongle won’t work for the same reason – no driver. Maybe the old slide-in cards would work here but you may still run into the driver/support problem. So I think a laptop just won’t cut it for this kind of thing.
I removed that suggestion from the article. I think that you’d have to use a Sophos Access Point for it to be manageable from the UTM. And those…aren’t free for home use 🙂
I’ve always known that there must be a secret way into every routing device, maybe for major security reasons or just a fly-on-the-wall point of view, and this in a way proves it. It’s just how secret or easy to find the back door is!!
To be fair, it doesn’t prove that *every* firmware version for *every* router has shabby security 🙂
UTM won’t recognize a wireless card if the Linux distro that UTM runs on has no driver for said wireless card/adapter. An old laptop really wouldn’t work as a UTM firewall unless it magically had two integrated NICs.