############################################################# # # SWISSCOM CSIRT ADVISORY - http://www.swisscom.com/security # ############################################################# # # CVE ID: CVE-2016-10042 # Product: Swisscom Internet-Box (plus, standard, light) # Vendor: Arcadyan # Subject: Authorization Bypass # Finder: Mateusz Khalil (mateusz.khalil _at_ compass-security.com) # Coord: Florian Badertscher (csirt _at_ swisscom.com) # Date: Jan 6th 2017 # ############################################################# Description ----------- A authorization vulnerability has been identified in the router management web interface provided by the Arcadyan Swisscom routers (Internet-Box). Product ------- All Star* platforms prior to R7.7 and R8 are affected. Vulnerability ------------- This vulnerability enables an adversary to reconfigure the routing table. As a result, it is possible to access/add/modify the list of static routes as an unauthenticated user. Arbitrary internal or external IPs can be specified as the next hop leading to Man-in-the-Middle attacks. Remediation ----------- Update the Swisscom router (Internet-Box) firmware to the most recent version. Validate the router configuration with respect to malicious static routes. Milestones ---------- Oct 21st 2016 Details communicated with Swisscom CSIRT Dec 15th 2016 Vulnerability confirmed by the manufacturer Dec 15th 2016 Patch rolled out Dec 16th 2016 CVE id requested (MITRE) Apr 26th 2017 Advisory published