Solved: Re: Insecure Management Interface on a Modem

ericgeater · ‎10-24-2019

Good morning, y'all. If a modem vendor sells an internet-facing device which has an HTTP interface that supports neither SSL nor TLS (only 80 or 8080), and HTTP is the only method of remotely accessing this device without going through several undocumented steps to crank up SSH... and if this is the only solution we can have before a go-live next week, what's a safe minimum number of characters for the admin password?

If you think it's weird that SSH isn't already configured, you'll really think it's strange knowing WAN-side HTTP can't be turned off.

thanks!

-----------
A claim is as good as its veracity.

CraginS · ‎10-24-2019

Uh.. buy a new modem?

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts

denbesten · ‎10-24-2019

There is no safe number. You are one packet away from a successful replay-attack.

I would use the longest string supported by the vendor until such time that the vendor can provide a better solution or I was able to switch vendors.

ericgeater · ‎10-24-2019

I called their support desk, and they understand the nature of my complaint. I'm hoping they know of a solution that wasn't spelled out in their Quick Start guide.

-----------
A claim is as good as its veracity.

ericgeater · ‎10-24-2019

I would imagine the greater threat to be having always-on access to the HTTP interface, and therefore unlimited tries to guess the password. How would a replay attack work here? I think I've forgotten that... it's been a while.

-----------
A claim is as good as its veracity.

Shannon · ‎10-24-2019

@ericgeater wrote:
If a modem vendor sells an internet-facing device which has an HTTP interface that supports neither SSL nor TLS (only 80 or 8080), and HTTP is the only method of remotely accessing this device without going through several undocumented steps to crank up SSH... and if this is the only solution we can have before a go-live next week, what's a safe minimum number of characters for the admin password?

Like @denbesten said, changing the length of your password isn't going to make any difference here.

@ericgeater wrote:
... you'll really think it's strange knowing WAN-side HTTP can't be turned off.

If the ability to login via the network can't be disabled, it's a surprise & a big concern. If the vendor has been so lax with the security of this product, I'd suggest you also do an online lookup to see if it has other security concerns.

Information Security policies you set in your organization should dictate minimal security requirements, and state how to handle exceptions.

Treat this as a risk. Prepare a report portraying the impact & probability in a matrix, say that the vendor has offered no solution & there's nothing much to mitigate this, and finally, recommend that the modem be replaced.

Send the report to management, after which they will have to decide whether to accept the risk or treat it.

This is essentially a 'cover your a**' strategy --- if there's any negative impact due to this risk, you might end up taking the fall if you never brought it to management's attention.

(To play it absolutely safe, get them to give you a written confirmation about accepting the risk before the go-live.)

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz

Shannon · ‎10-24-2019

The vulnerabilities in this situation would be the inability to disable HTTP logins via the network, and the lack of support for SSH.

The threat is these being exploited to obtain the password by capturing the data in transit and re-using it, or simply initiating a new session for an unauthorized login to the device.

To supplement my previous post, you could implement deterrent & detective controls --- setting up a banner on the device, and configuring logging / alerts --- but I feel that if you can't use a preventive control in the 1st place, there's not much use in the others.

(Anyways, put it all in a report, and throw the ball in your management's court )

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz

denbesten · ‎10-24-2019

@ericgeater wrote:
How would a replay attack work here? I think I've forgotten that... it's been a while.

I'm was being brief in my verbiage. I see three primary attack scenarios:

If somebody could insert themselves between you and your device, they could with a simple packet capture learn your password, which they could then later use to log themselves in. This is what I was calling a replay attack -- collecting and reusing part of your session.
A brute-force attack, wherein somebody repeatedly tries to login using a list of passwords. Length will help here, which is why I suggested "as long as supported".
An authentication-bypass attack whereby somebody finds/exploits a flaw in the modem that grants them non-credentialed access. Think Bobby Tables against the login page and you have the right idea.

And as you identified, the best solution is to not expose admin interfaces to the Internet.

If your goal is internet-based out-of-band management, I would suggest some sort of filter/ACL that only allows connections from your own source IP addresses.

ericgeater · ‎10-27-2019

I appreciate your follow-up answer, btw, because I was thinking more along "password capture" than "replay attack". To that end, thanks for the added detail.

I am going to take @Shannon's advice and get management to sign off. I didn't mention, by the way, that the next (and ONLY) item behind the modem is a firewall appliance. The modem only NATs traffic, and has no role or participation in the overall security.

Thanks for the replies, everyone.

-----------
A claim is as good as its veracity.