The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Thomson SpeedTouch

computer vulnerability announcement 11977

Thomson SpeedTouch ST780: script injection in the administration page

Synthesis of the vulnerability

An attacker can set up a DNS redirect, and then invite the victim to display the help page of the Thomson SpeedTouch ST780, in order to execute JavaScript code in the context of the administration web service.
Impacted products: SpeedTouch.
Severity: 1/4.
Consequences: privileged access/rights.
Provenance: intranet server.
Creation date: 25/09/2012.
Identifiers: VIGILANCE-VUL-11977, waraxe-2012-SA#090.

Description of the vulnerability

The administration interface of the Thomson SpeedTouch ST780 uses an SSL/TLS encrypted session, so Man-in-the-Middle attacks against it cannot be used.

The help page of the administration interface includes a remote script:
  http://downloads.thomson.net/telecom/documentation/common/STFEH/R744/RES/en/anchors.js
However, as the URL does not use HTTPS, if the attacker redirects "downloads.thomson.net" to a malicious web site, the "anchors.js" script is loaded from the attacker's web site.

An attacker can therefore set up a DNS redirect, and then invite the victim to display the help page of the Thomson SpeedTouch ST780, in order to execute JavaScript code in the context of the administration web service.

vulnerability note 11964

Technicolor Thomson TWG850-4: bypassing authentication

Synthesis of the vulnerability

An unauthenticated attacker can perform administration tasks on the Technicolor Thomson TWG850-4 modem.
Impacted products: SpeedTouch.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Creation date: 21/09/2012.
Identifiers: BID-55621, VIGILANCE-VUL-11964.

Description of the vulnerability

The Technicolor Thomson TWG850-4 modem can be administered via a web interface:
  http://s/goform/RgSecurity : reset password
  http://s/goform/RgSetup : change configuration
  http://s/goform/RgUrlBlock : block a URL

However, these pages can be accessed directly, skipping the authentication phase.

An unauthenticated attacker can therefore perform administration tasks on the Technicolor Thomson TWG850-4 modem.

vulnerability alert CVE-2011-4499 CVE-2011-4500 CVE-2011-4501

Technicolor SpeedTouch: internal port scanning via UPnP

Synthesis of the vulnerability

An internet attacker can use the UPnP feature of the Technicolor SpeedTouch modem, in order to alter its configuration.
Impacted products: SpeedTouch.
Severity: 2/4.
Consequences: data flow.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 8.
Creation date: 25/11/2011.
Identifiers: BID-50810, CVE-2011-4499, CVE-2011-4500, CVE-2011-4501, CVE-2011-4502, CVE-2011-4503, CVE-2011-4504, CVE-2011-4505, CVE-2011-4506, VIGILANCE-VUL-11181, VU#357851.

Description of the vulnerability

The UPnP (Universal Plug and Play) technology is used to configure a device automatically, with no authentication.

Technicolor SpeedTouch modems use UPnP IGD (Internet Gateway Device), so a computer on the LAN can, for example, configure:
 - AddPortMapping : add a port to translate
 - DeletePortMapping : delete a port
 - etc.

However, some modems accept UPnP IGD queries coming from their WAN interface (internet).

An internet attacker can therefore use the UPnP feature of the Technicolor SpeedTouch modem, in order to alter its configuration. He can thus, for example, scan the internal network.

vulnerability 7780

Speedtouch: predictable WPA keys

Synthesis of the vulnerability

An attacker can use the SSID to predict the default WPA key.
Impacted products: SpeedTouch.
Severity: 1/4.
Consequences: data reading.
Provenance: radio connection.
Creation date: 23/04/2008.
Identifiers: BID-28893, VIGILANCE-VUL-7780.

Description of the vulnerability

Thomson Speedtouch routers are shipped with a default WPA key derived from the device's serial number.

The algorithm used to generate this key was published. If the serial number is "CP0615JT109 (53)":
 - the value CP0615109 is extracted (the letters JT and the suffix (53) are dropped)
 - the last 3 characters (109) are converted to their hexadecimal ASCII codes: CP0615313039
 - a SHA-1 hash is computed over CP0615313039 to obtain 742da831d2b657fa53d347301ec610e1ebf8a3d0
 - the last 6 characters of the hash are used for the SSID: SpeedTouchF8A3D0
 - the first 10 characters of the hash are used for the WPA key: 742DA831D2

Over the full range of serial numbers, the attacker can correlate SSIDs with WPA keys. For example, the SSID SpeedTouchF8A3D0 is associated with only two keys.

An attacker can thus guess the WPA key and access the victim's data.

computer vulnerability alert 7336

Thomson SpeedTouch: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Thomson SpeedTouch permit an attacker to conduct Cross Site Scripting attacks or to elevate his privileges.
Impacted products: SpeedTouch.
Severity: 2/4.
Consequences: privileged access/rights, client access/rights.
Provenance: user account.
Number of vulnerabilities in this bulletin: 5.
Creation date: 12/11/2007.
Identifiers: BID-25972, BID-26808, VIGILANCE-VUL-7336.

Description of the vulnerability

Several vulnerabilities were announced in Thomson SpeedTouch.

The modem does not protect against CSRF attacks. [severity:2/4]

An attacker can conduct several Cross Site Scripting attacks. [severity:2/4]

An attacker can use a double slash to bypass authentication. [severity:2/4]

An attacker can access advanced features without entering a password. [severity:2/4]

An attacker can access saved features. [severity:2/4]

computer vulnerability CVE-2006-0947

SpeedTouch: Cross Site Scripting

Synthesis of the vulnerability

The "name" parameter of the LocalNetwork page can be used to conduct a Cross Site Scripting attack.
Impacted products: SpeedTouch.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 28/02/2006.
Identifiers: BID-16839, CVE-2006-0947, VIGILANCE-VUL-5655.

Description of the vulnerability

The SpeedTouch modem has a web administration interface.

The local network interface (LocalNetwork) web page uses a "name" parameter. This parameter is displayed without being sanitized.

An attacker can therefore craft a malicious URL and invite the user to connect to the administrative interface. The JavaScript code contained in the clicked link is run in the modem's context.

This vulnerability thus permits the attacker to execute administrative tasks when the user clicks on the link.

computer vulnerability bulletin 4518

Corruption of the modem's DNS cache

Synthesis of the vulnerability

An attacker on the local network can send a DHCP request in order to add an entry to the DNS cache.
Impacted products: SpeedTouch.
Severity: 1/4.
Consequences: data creation/edition.
Provenance: LAN.
Creation date: 15/11/2004.
Identifiers: BID-11664, V6-SPEEDTOUCHDHCPDNS, VIGILANCE-VUL-4518.

Description of the vulnerability

The Speed Touch Pro modem has a DNS server and a DHCP server.

When the DNS server receives a dynamic update request whose host name is already in the cache, it rejects it.

However, if the DHCP server receives a request whose host name is already in use, it accepts it. The DHCP server then holds two entries: the valid entry and the entry whose IP address is spoofed.

Since the DNS server then updates itself from the DHCP server's data, the DNS server is automatically corrupted.

To carry out this attack, the attacker must act before static DNS entries are set up, or induce the administrator to flush the cache. Indeed, the DNS server always returns only the first entry.

This vulnerability therefore allows an internal attacker to spoof one of the machines on the network.

vulnerability bulletin CVE-2004-0834

Format string attack in the GPL driver

Synthesis of the vulnerability

The GPL driver of the SpeedTouch modem is vulnerable to a format string attack.
Impacted products: Mandriva Linux, SpeedTouch.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: intranet client.
Creation date: 01/10/2004.
Revision date: 12/11/2004.
Identifiers: BID-11496, CVE-2004-0834, MDKSA-2004:130, V6-SPEEDTOUCHDRIVERFMT, VIGILANCE-VUL-4423.

Description of the vulnerability

The SpeedTouch modem ships with Alcatel/Thomson drivers. A GPL (free software) implementation of this driver is also available independently.

The syslog() function logs system events. Its prototype is the following:
  void syslog(int priority, const char *format, ...);

However, modem_run, pppoa2 and pppoa3 call this function without a separate format parameter: the data to log is passed directly as the format string.

An attacker can then supply crafted data in order to trigger a format string attack in the GPL driver. It allows a denial of service or code execution on the machine.

vulnerability alert CVE-2004-0641

Predictability of TCP ISNs

Synthesis of the vulnerability

An attacker can predict TCP initial sequence numbers in order to hijack sessions.
Impacted products: SpeedTouch.
Severity: 1/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 06/08/2004.
Identifiers: BID-10881, CVE-2004-0641, V6-SPEEDTOUCHTCPISN, VIGILANCE-VUL-4321.

Description of the vulnerability

The TCP protocol starts with a handshake characterized by two initial sequence numbers:
 - the client sends a SYN with a chosen seqnum
 - the server acknowledges the client's seqnum and chooses its own seqnum
 - the client acknowledges the server's seqnum

If the server's sequence number were predictable, an attacker could hijack a TCP session blindly, that is, without receiving the replies to his packets.

The sequence number on SpeedTouch modems increases by 64000 every tenth of a second. An attacker can therefore predict it.

This vulnerability allows a remote attacker to hijack a TCP session, and thus bypass the security policy in place.

computer vulnerability alert 4286

DHCP vulnerability on Speed Touch

Synthesis of the vulnerability

The DHCP server of the Alcatel Speed Touch modem contains a vulnerability.
Impacted products: SpeedTouch.
Severity: 1/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: intranet client.
Creation date: 19/07/2004.
Identifiers: V6-SPEEDTOUCHDHCP, VIGILANCE-VUL-4286.

Description of the vulnerability

The DHCP server of the Alcatel Speed Touch modem automatically assigns an IP address to users of the internal network.

A vulnerability was announced in this DHCP implementation. Its technical details and its consequences are not currently known.