
Friday, January 8, 2016

[FD] [RT-SA-2015-005] o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials

Advisory: o2/Telefonica Germany: ACS Discloses VoIP/SIP Credentials

The o2 Auto Configuration Server (ACS) discloses VoIP/SIP credentials of
arbitrary customers when receiving manipulated CWMP packets. An attacker can
use these credentials to register any of the victim's VoIP numbers and thereby
place and receive calls on behalf of the attacked user.

Details
=======

Product: o2 DSL Auto Configuration Server
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://o2online.de/
Vendor Status: fixed
Advisory URL: http://ift.tt/1VP0lBm
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://ift.tt/1jQGmEN

Introduction
============

TR-069 (Technical Report 069) is a Broadband Forum technical specification
entitled "CPE WAN Management Protocol" (CWMP). It defines an application layer
protocol for remote management of end-user devices. (from Wikipedia)

A more technical introduction to TR-069 can be found in a deck of slides which
the Interoperability Laboratory at the University of New Hampshire has
published on that topic [0].

More Details
============

The German Internet Service Provider o2 uses the TR-069 protocol for the
provisioning of Customer Premises Equipment (CPE). Among other settings,
VoIP/SIP credentials are transferred and VoIP telephony is set up.

In our setup, an AVM FRITZ!Box 7490 was monitored during the initial
autoconfiguration process. During that process, several CWMP messages are
exchanged. These CWMP messages are transferred via HTTPS as SOAP requests and
replies. The HTTPS connection is always established by the CPE, which connects
to the Auto Configuration Server (ACS).

According to CWMP, the CPE may do so on the occasion of several events,
including, but not limited to:

* BOOTSTRAP - first contact between CPE and ACS
* BOOT - when the CPE has rebooted
* PERIODIC - after a period of time defined by the ACS
* CONNECTION REQUEST - the ACS signals a connection request to the CPE via a
  second HTTP channel

"CONNECTION REQUEST" is the only event that can be triggered by the ACS. To do
so, the ACS establishes an unencrypted HTTP connection to the CPE and
authenticates via HTTP basic access authentication with a
"ConnectionRequestUsername" and a "ConnectionRequestPassword". No further data
is exchanged on that channel. Once the CPE has verified the credentials, it
initiates the real CWMP conversation by sending a CWMP Inform message to the
pre-defined ACS. This CPE-initiated connection is TLS-secured, and the CPE
provides a username (ManagementServer.Username) and a password
(ManagementServer.Password) to authenticate itself to the ACS. A typical CWMP
conversation (including the "CONNECTION REQUEST" event) is depicted below:
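The advisory's diagram of that conversation is not reproduced on this page. As an added example (not code from the advisory, from o2 or from AVM), the Python below models both halves of the exchange in one process: the ACS authenticates to the CPE with Basic credentials on the plain-HTTP connection-request channel, the CPE answers with a "6 CONNECTION REQUEST" event and builds the SOAP Inform it would POST over its own TLS session together with its ManagementServer credentials, and the ACS authenticates that session and parses the Inform. All device identifiers, credentials and the ACS account table are constructed values; the final check that the DeviceId in the Inform matches the authenticated account is an added precaution, not a reconstruction of the o2 ACS bug, whose details this page does not include.

```python
import base64
import hmac
import xml.etree.ElementTree as ET  # use defusedxml in production: the ACS parses untrusted XML

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP_NS = "urn:dslforum-org:cwmp-1-0"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("cwmp", CWMP_NS)

# Hypothetical CPE state; the TR-069 parameter each credential maps to is noted.
CPE = {
    "manufacturer": "ExampleVendor", "oui": "001122",
    "product_class": "ExampleBox", "serial": "EX0000001",
    "conn_req_user": "cr-user",       # ManagementServer.ConnectionRequestUsername
    "conn_req_pass": "cr-pass-9f2a",  # ManagementServer.ConnectionRequestPassword
    "acs_user": "001122-EX0000001",   # ManagementServer.Username
    "acs_pass": "mgmt-pass-71c4",     # ManagementServer.Password
}
# Hypothetical ACS account table: ManagementServer.Username -> password and the
# DeviceId serial that account is bound to.
ACS_ACCOUNTS = {CPE["acs_user"]: {"password": CPE["acs_pass"], "serial": CPE["serial"]}}


def basic_auth(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header):
    """Return (user, password) from a Basic Authorization header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, sep, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 payload
        return None
    return (user, password) if sep else None


def _eq(a, b):
    """Constant-time compare so a prefix match does not leak via timing."""
    return hmac.compare_digest(a.encode(), b.encode())


def cpe_connection_request(headers, cpe=CPE):
    """CPE side of the unencrypted HTTP channel the ACS opens.
    Returns (status, event): on success the CPE queues '6 CONNECTION REQUEST'
    and will open its own TLS session to the ACS."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds and _eq(creds[0], cpe["conn_req_user"]) and _eq(creds[1], cpe["conn_req_pass"]):
        return 200, "6 CONNECTION REQUEST"
    return 401, None


def cpe_open_session(event_codes, cpe=CPE):
    """CPE side of the session it initiates: the HTTPS POST carrying the Inform.
    Returns (headers, body); ManagementServer credentials go in Authorization."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ET.SubElement(hdr, f"{{{CWMP_NS}}}ID", {f"{{{SOAP_NS}}}mustUnderstand": "1"}).text = "1"
    inform = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{CWMP_NS}}}Inform")
    dev = ET.SubElement(inform, "DeviceId")
    for tag, key in (("Manufacturer", "manufacturer"), ("OUI", "oui"),
                     ("ProductClass", "product_class"), ("SerialNumber", "serial")):
        ET.SubElement(dev, tag).text = cpe[key]
    events = ET.SubElement(inform, "Event")
    for code in event_codes:  # e.g. "0 BOOTSTRAP", "1 BOOT", "2 PERIODIC", "6 CONNECTION REQUEST"
        struct = ET.SubElement(events, "EventStruct")
        ET.SubElement(struct, "EventCode").text = code
        ET.SubElement(struct, "CommandKey").text = ""
    ET.SubElement(inform, "MaxEnvelopes").text = "1"
    ET.SubElement(inform, "CurrentTime").text = "2016-01-08T00:00:00Z"
    ET.SubElement(inform, "RetryCount").text = "0"
    ET.SubElement(inform, "ParameterList")
    headers = {"Authorization": basic_auth(cpe["acs_user"], cpe["acs_pass"]),
               "Content-Type": "text/xml"}
    return headers, ET.tostring(env, encoding="unicode")


def acs_handle_inform(headers, body, accounts=ACS_ACCOUNTS):
    """ACS side: authenticate the CPE, parse the Inform, choose the customer record.
    Returns (status, event_codes, serial_of_record_served)."""
    creds = parse_basic_auth(headers.get("Authorization"))
    acct = accounts.get(creds[0]) if creds else None
    if acct is None or not _eq(creds[1], acct["password"]):
        return 401, [], None
    try:
        inform = ET.fromstring(body).find(f"{{{SOAP_NS}}}Body/{{{CWMP_NS}}}Inform")
    except ET.ParseError:
        inform = None
    if inform is None:
        return 400, [], None
    serial = inform.findtext("DeviceId/SerialNumber", "")
    codes = [e.text for e in inform.findall("Event/EventStruct/EventCode")]
    # Added precaution, not the o2 fix (which this page does not describe): serve
    # only the record bound to the authenticated account and refuse an Inform
    # whose DeviceId names a different device.
    if not _eq(serial, acct["serial"]):
        return 403, codes, None
    return 200, codes, serial


def run_flow():
    """CONNECTION REQUEST case end to end; returns the ACS decision."""
    status, event = cpe_connection_request(
        {"Authorization": basic_auth(CPE["conn_req_user"], CPE["conn_req_pass"])})
    if status != 200:
        return status, [], None
    headers, body = cpe_open_session([event])
    return acs_handle_inform(headers, body)  # (200, ['6 CONNECTION REQUEST'], 'EX0000001')
```

Because the connection-request channel is plain HTTP, the Basic credentials that `cpe_connection_request` checks are readable by anyone on the path (the advisory notes that no further data is exchanged there), while the ManagementServer credentials only ever travel inside the CPE's TLS session to the ACS.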

