#############################################################
#
# SWISSCOM CSIRT ADVISORY - http://www.swisscom.com/security
#
#############################################################
#
# CVE ID:   CVE-2015-6498
# Product:  Home Device Manager
# Vendor:   Alcatel-Lucent
# Subject:  Code vulnerability, remotely exploitable
# Finder:   Dr. Ulrich Fiedler and his team at BFH-TI Biel/Bienne
# Coord:    Philippe Cuany (csirt _at_ swisscom.com)
# Date:     Nov 02nd 2015
#
#############################################################

Description
-----------

A vulnerability has been discovered in the TR-069 (CWMP) protocol that
can potentially affect all Auto Configuration Servers (ACS). The issue
has been fixed in the Home Device Manager (HDM) product from
Alcatel-Lucent with an anti-spoofing filter.

HDM allows service providers to remotely manage CPEs, such as
residential gateways, IP set-top boxes and VoIP terminal adapters,
that make up a home networking environment.

Product
-------

Alcatel-Lucent Home Device Manager, versions prior to 4.1.10 (see
Remediation for the fixed release on each branch), may be affected
unless a filter is in place. Such a filter was already available from
Alcatel-Lucent as a customer-specific extension, and deployments that
implement other additional authorization checks are likewise not
affected.

Vulnerability
-------------

The vulnerability allows an attacker to perform impersonation attacks
by spoofing a CPE over the TR-069 (CWMP) protocol: an ACS that trusts
the device identity a CPE claims in its session will serve that
device's provisioning data to whoever claims the identity. An attacker
could thereby gain unauthorized access to the SIP credentials
provisioned for the spoofed (third-party) device and use them for
illegal activities (phone fraud).

The vulnerability has been tested and confirmed.

Remediation
-----------

Update to Home Device Manager version 4.1.10 (or higher) or 4.2.2 (or
higher) and activate the anti-spoofing filters, unless a
customer-specific filter or authorization check is already in place.

Acknowledgments
---------------

Dr. Ulrich Fiedler and his team at BFH-TI Biel/Bienne for the
discovery and notification of the vulnerability.
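The following is an added illustration of the bug class, not code from Alcatel-Lucent, Swisscom or the finders, and it does not describe how HDM's anti-spoofing filter actually works. It parses a constructed CWMP Inform, extracts the DeviceId (OUI and SerialNumber) the CPE claims, and hands out the SIP account keyed on that identity. The vulnerable path trusts the claim as-is. The hardened path assumes (an assumption for this example) that every CPE authenticates to the ACS with its own per-device login and that each login is enrolled for exactly one DeviceId, so a device can only retrieve the account bound to the identity it proved, not one it merely asserted. All device identities, logins and SIP accounts are constructed sample data.

```python
"""Illustrative TR-069 (CWMP) Inform handling on an ACS (added example).

Vulnerable path: provisioning data is keyed on the DeviceId the CPE claims.
Hardened path:   the claimed DeviceId must match the identity enrolled for
                 the login the CPE authenticated with (assumed check, not
                 HDM's actual filter).
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "cwmp": "urn:dslforum-org:cwmp-1-0",
}

# Constructed Inform as an attacker's CPE might POST it, claiming the
# victim's OUI/SerialNumber in DeviceId.
SAMPLE_INFORM = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Body>
    <cwmp:Inform>
      <DeviceId>
        <Manufacturer>ExampleVendor</Manufacturer>
        <OUI>001122</OUI>
        <ProductClass>HomeGateway</ProductClass>
        <SerialNumber>SN-VICTIM-0001</SerialNumber>
      </DeviceId>
      <Event/>
      <MaxEnvelopes>1</MaxEnvelopes>
      <CurrentTime>2015-07-13T10:00:00Z</CurrentTime>
      <RetryCount>0</RetryCount>
      <ParameterList/>
    </cwmp:Inform>
  </soap:Body>
</soap:Envelope>
"""

# Constructed ACS inventory: (OUI, SerialNumber) -> SIP account for that line.
SIP_ACCOUNTS = {
    ("001122", "SN-VICTIM-0001"): {"user": "+41440000001", "secret": "victim-secret"},
    ("001122", "SN-ATTACKER-0002"): {"user": "+41440000002", "secret": "attacker-secret"},
}

# Constructed enrolment: per-device ACS login -> the one identity it may claim.
# (Hypothetical binding; the point is that it is set at enrolment, not by the CPE.)
ENROLLED_LOGINS = {
    "cpe-001122-SN-VICTIM-0001": ("001122", "SN-VICTIM-0001"),
    "cpe-001122-SN-ATTACKER-0002": ("001122", "SN-ATTACKER-0002"),
}


def parse_device_id(inform_xml):
    """Return the (OUI, SerialNumber) tuple claimed in a CWMP Inform."""
    root = ET.fromstring(inform_xml)
    inform = root.find(".//cwmp:Inform", NS)
    if inform is None:
        raise ValueError("not a CWMP Inform message")
    device_id = inform.find("DeviceId")
    if device_id is None:
        raise ValueError("Inform carries no DeviceId")
    oui = device_id.findtext("OUI", "").strip()
    serial = device_id.findtext("SerialNumber", "").strip()
    if not oui or not serial:
        raise ValueError("DeviceId lacks OUI or SerialNumber")
    return (oui, serial)


def provision_vulnerable(inform_xml):
    """Trusts the claimed DeviceId: whoever sends this Inform gets the account."""
    return SIP_ACCOUNTS.get(parse_device_id(inform_xml))


def provision_hardened(inform_xml, authenticated_login):
    """Serves the account only if the login the CPE authenticated with is
    enrolled for exactly the DeviceId it claims; otherwise the session is
    rejected (returns None) and should be logged as a spoofing attempt."""
    claimed = parse_device_id(inform_xml)
    bound = ENROLLED_LOGINS.get(authenticated_login)
    if bound is None or bound != claimed:
        return None
    return SIP_ACCOUNTS.get(claimed)


if __name__ == "__main__":
    print("vulnerable:", provision_vulnerable(SAMPLE_INFORM))
    print("hardened, attacker login:",
          provision_hardened(SAMPLE_INFORM, "cpe-001122-SN-ATTACKER-0002"))
    print("hardened, legitimate login:",
          provision_hardened(SAMPLE_INFORM, "cpe-001122-SN-VICTIM-0001"))
```

The check that matters is the comparison of the claimed identity against an identity the ACS established at enrolment; any filter that keys on something the sender controls (the Inform body, a User-Agent string, a serial number in the URL) does not close the gap. Deployments with a shared default ACS password across all CPEs have no per-device principal to compare against, which is the situation the advisory's anti-spoofing filter addresses.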
Milestones
----------

Jul 13th 2015  Details about the vulnerability are communicated to Swisscom
Jul 14th 2015  HDM anti-spoofing filter available
Aug 13th 2015  CVE ID requested at MITRE
Aug 18th 2015  CVE ID CVE-2015-6498 assigned by MITRE
Nov 02nd 2015  Public release of advisory