The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Alcatel SpeedTouch

vulnerability note CVE-2014-1677

Technicolor TC7200: information disclosure via GatewaySettings.bin

Synthesis of the vulnerability

An attacker can use GatewaySettings.bin of Technicolor TC7200, in order to obtain the administrator password.
Impacted products: SpeedTouch.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: intranet client.
Creation date: 26/02/2014.
Identifiers: BID-65774, CVE-2014-1677, VIGILANCE-VUL-14314.

Description of the vulnerability

The Technicolor TC7200 product offers a web service.

The /goform/system/GatewaySettings.bin page can be used to download the configuration with no authentication. However, the password is stored in clear text in the downloaded file.

An attacker can therefore use GatewaySettings.bin of Technicolor TC7200, in order to obtain the administrator password.

vulnerability announce CVE-2014-0621

Technicolor TC7200: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of Technicolor TC7200, in order to force the victim to perform operations.
Impacted products: SpeedTouch.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 16/01/2014.
Identifiers: CVE-2014-0621, VIGILANCE-VUL-14102.

Description of the vulnerability

The Technicolor TC7200 product offers a web service.

However, the origin of queries is not checked. They can for example originate from an image included in an HTML document.

An attacker can therefore trigger a Cross Site Request Forgery of Technicolor TC7200, in order to force the victim to perform operations.

computer vulnerability alert CVE-2014-0620

Technicolor TC7200: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting of Technicolor TC7200, in order to execute JavaScript code in the context of the web site.
Impacted products: SpeedTouch.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 06/01/2014.
Identifiers: CVE-2014-0620, VIGILANCE-VUL-14016, WLB-2014010017.

Description of the vulnerability

The Technicolor TC7200 product offers a web service.

However, it does not filter received data before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting of Technicolor TC7200, in order to execute JavaScript code in the context of the web site.

computer vulnerability announce 11977

Thomson SpeedTouch ST780: script injection in the administration page

Synthesis of the vulnerability

An attacker can set up a DNS redirect, and then invite the victim to display the help page of Thomson SpeedTouch ST780, in order to execute JavaScript code in the context of the administration web service.
Impacted products: SpeedTouch.
Severity: 1/4.
Consequences: privileged access/rights.
Provenance: intranet server.
Creation date: 25/09/2012.
Identifiers: VIGILANCE-VUL-11977, waraxe-2012-SA#090.

Description of the vulnerability

The administration interface of Thomson SpeedTouch ST780 uses an SSL/TLS encrypted session, so Man-in-the-Middle attacks cannot be used.

The help page of the administration interface includes a remote script:
  http://downloads.thomson.net/telecom/documentation/common/STFEH/R744/RES/en/anchors.js
However, as the URL does not use https, if the attacker redirects "downloads.thomson.net" to a malicious web site, the "anchors.js" script will be loaded from the attacker's web site.

An attacker can therefore set up a DNS redirect, and then invite the victim to display the help page of Thomson SpeedTouch ST780, in order to execute JavaScript code in the context of the administration web service.

vulnerability note 11964

Technicolor Thomson TWG850-4: bypassing authentication

Synthesis of the vulnerability

An unauthenticated attacker can perform administration tasks on the Technicolor Thomson TWG850-4 modem.
Impacted products: SpeedTouch.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Creation date: 21/09/2012.
Identifiers: BID-55621, VIGILANCE-VUL-11964.

Description of the vulnerability

The Technicolor Thomson TWG850-4 modem can be administered via a web interface:
  http://s/goform/RgSecurity : reset password
  http://s/goform/RgSetup : change configuration
  http://s/goform/RgUrlBlock : block a URL

However, these pages can be accessed directly, skipping the authentication phase.

An unauthenticated attacker can therefore perform administration tasks on the Technicolor Thomson TWG850-4 modem.

vulnerability alert CVE-2011-4499 CVE-2011-4500 CVE-2011-4501

Technicolor SpeedTouch: internal port scanning via UPnP

Synthesis of the vulnerability

An internet attacker can use the UPnP feature of the Technicolor SpeedTouch modem, in order to alter its configuration.
Impacted products: SpeedTouch.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 8.
Creation date: 25/11/2011.
Identifiers: BID-50810, CVE-2011-4499, CVE-2011-4500, CVE-2011-4501, CVE-2011-4502, CVE-2011-4503, CVE-2011-4504, CVE-2011-4505, CVE-2011-4506, VIGILANCE-VUL-11181, VU#357851.

Description of the vulnerability

The UPnP (Universal Plug and Play) technology is used to automatically configure a device, with no authentication.

Technicolor SpeedTouch modems use UPnP IGD (Internet Gateway Device), so a computer on the LAN can for example configure:
 - AddPortMapping : add a port to translate
 - DeletePortMapping : delete a port
 - etc.

However, some modems accept UPnP IGD queries coming from their WAN interface (internet).

An internet attacker can therefore use the UPnP feature of the Technicolor SpeedTouch modem, in order to alter its configuration. He can thus for example scan the internal network.

vulnerability 7780

Speedtouch: predictable WPA keys

Synthesis of the vulnerability

An attacker can use the SSID to predict the default WPA key.
Impacted products: SpeedTouch.
Severity: 1/4.
Consequences: data reading.
Provenance: radio connection.
Creation date: 23/04/2008.
Identifiers: BID-28893, VIGILANCE-VUL-7780.

Description of the vulnerability

Thomson Speedtouch routers are provided with a WPA key depending on the serial number of their device.

The algorithm used to generate this key was published. If the serial number is "CP0615JT109 (53)":
 - the CP0615109 value is extracted
 - the last 3 characters are converted to hexadecimal: CP0615313039
 - a SHA-1 hash is applied on CP0615313039 to obtain 742da831d2b657fa53d347301ec610e1ebf8a3d0
 - the last 6 characters are used for the SSID: SpeedTouchF8A3D0
 - the first 8 characters are used for the WPA key: 742DA831D2

With the full range of serial numbers, the attacker correlates the SSID and the WPA key. For example, the SpeedTouchF8A3D0 SSID is associated with only two keys.

An attacker can thus guess the WPA key to access the victim's data.

computer vulnerability alert 7336

Thomson SpeedTouch: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Thomson SpeedTouch permit an attacker to create Cross Site Scripting attacks or to elevate his privileges.
Impacted products: SpeedTouch.
Severity: 2/4.
Consequences: privileged access/rights, client access/rights.
Provenance: user account.
Number of vulnerabilities in this bulletin: 5.
Creation date: 12/11/2007.
Identifiers: BID-25972, BID-26808, VIGILANCE-VUL-7336.

Description of the vulnerability

Several vulnerabilities were announced in Thomson SpeedTouch.

The modem does not handle CSRF attacks. [severity:2/4]

An attacker can create several Cross Site Scripting attacks. [severity:2/4]

An attacker can use a double slash to bypass authentication. [severity:2/4]

An attacker can access advanced features without entering a password. [severity:2/4]

An attacker can access saved features. [severity:2/4]

computer vulnerability CVE-2006-0947

SpeedTouch: Cross Site Scripting

Synthesis of the vulnerability

The "name" parameter of LocalNetwork page can be used to conduct a Cross Site Scripting attack.
Impacted products: SpeedTouch.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 28/02/2006.
Identifiers: BID-16839, CVE-2006-0947, VIGILANCE-VUL-5655.

Description of the vulnerability

The SpeedTouch modem has a web administration interface.

The local network interface (LocalNetwork) web page uses a "name" parameter. This parameter is displayed without being sanitized.

An attacker can therefore create a malicious URL and invite the user to connect to the administrative interface. The JavaScript code contained in the clicked link will be run in the modem's context.

This vulnerability thus permits an attacker to execute administrative tasks when the user clicks on the link.

computer vulnerability bulletin 4518

DNS cache corruption of the modem

Synthesis of the vulnerability

An attacker on the local network can send a DHCP request in order to add an entry in the DNS cache.
Impacted products: SpeedTouch.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: LAN.
Creation date: 15/11/2004.
Identifiers: BID-11664, V6-SPEEDTOUCHDHCPDNS, VIGILANCE-VUL-4518.

Description of the vulnerability

The Speed Touch Pro modem has a DNS server and a DHCP server.

When the DNS server receives a dynamic update request whose host name is already in the cache, it rejects it.

However, if the DHCP server receives a request whose host name is already in use, it accepts it. The DHCP server then has two entries: the valid entry and the entry whose IP address is spoofed.

As the DNS server then updates itself from the DHCP server's data, the DNS server is automatically corrupted.

To carry out this attack, the attacker has to conduct it before static DNS entries are set up, or induce the administrator to purge the cache. Indeed, the DNS server always returns only the first entry.

This vulnerability therefore allows an internal attacker to impersonate one of the machines on the network.