
iDEFENSE Security Advisory 2003-06-11.t

Posted Jun 14, 2003
Authored by iDefense Labs, Michael Sutton | Site idefense.com

iDEFENSE Security Advisory 06.11.03 - SMC Networks Barricade Wireless Cable/DSL Broadband Router version SMC7004VWBR crashes when a specially formatted series of packets is sent to TCP port 1723 (PPTP) on its internal interface. Following the attack, the router remains unresponsive to requests on the wireless portions of the connected LAN, thus preventing users from accessing network resources.

tags | advisory, tcp
SHA-256 | 06f5f4530631ec6de5e22a571bf7126c7ed146ccc935738f187e5617f9acca31


iDEFENSE Security Advisory 06.11.03:
http://www.idefense.com/advisory/06.11.03.txt
Denial of Service Vulnerability in SMC Networks' Barricade Wireless
Router
June 11, 2003

I. BACKGROUND

SMC Networks' Barricade Wireless Cable/DSL Broadband Router, version
SMC7004VWBR, "combines a 4-port 10/100 Mbps dual-speed switch with
Automatic MDI-MDIX feature, a high speed 11Mbps wireless access point,
Stateful Packet Inspection (SPI) firewall security, network management,
and Virtual Private Network (VPN) passthrough support into one
convenient device." More information is available at
http://www.smc.com/index.cfm?sec=Products&pg=Product-Details&prod=258&site=c .

II. DESCRIPTION

The SMC7004VWBR crashes when a specially formatted series of packets
is sent to TCP port 1723 (PPTP) on its internal interface. Following
the attack, the router remains unresponsive to requests on the wireless
portions of the connected LAN, thus preventing users from accessing
network resources.

III. ANALYSIS

By default, the router is listening on TCP port 1723. A default
configuration includes enabled wireless access and a DHCP server.
Therefore, if appropriate steps have not been taken to secure the
device, it is trivial for a remote attacker to conduct the DoS attack
by connecting to a targeted network using an 802.11b wireless network
interface card.

IV. DETECTION

Barricade Wireless Router, version SMC7004VWBR, is affected. The
vulnerability is confirmed to exist on the following configuration,
with previous versions of the firmware suspected as well:

Runtime Code Version: v1.20 (Nov 15 2002 22:08:48)
Boot Code Version: V1.06
Hardware Version: 01

V. RECOVERY

A hard reset is required to restore normal functionality. This requires
physical access to the router and can be accomplished by either
unplugging the router or by using the reset button located on the back
of the router. Remotely restoring normal functionality by using the
web-based administrative console is not possible due to the DoS, even
from hosts physically connected to the router itself.

VI. WORKAROUND

The router provides various security controls, one of which allows an
administrator to restrict network access via the router only to hosts
with authorized MAC addresses. By hard-coding authorized MAC addresses,
an attacker would have to spoof a legitimate MAC address to conduct the
attack. While this measure does not prevent the attack, it does
increase the complexity of conducting an attack, thus reducing the
likelihood of somebody undertaking such a venture.

VII. VENDOR FIX

SMC Networks has released firmware version 1.23 which fixes this
vulnerability. It is available for download at
http://www.smc.com/index.cfm?sec=Products&pg=Product-Details&prod=258&site=c#downloads .
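
The following is an added example, not part of the iDEFENSE advisory or any SMC tooling: it triages status-page text in the format shown in section IV against the confirmed (v1.20) and fixed (1.23) firmware versions. The device labels, the category names and every sample block except the first are constructed; treating the minor version as an integer is an assumption.

```python
import re

# Versions from the advisory; minor number compared as an integer (assumption).
CONFIRMED = (1, 20)   # "Runtime Code Version: v1.20" is confirmed vulnerable
FIXED = (1, 23)       # firmware 1.23 fixes the issue

FIELD = re.compile(r"^\s*(Runtime Code|Boot Code|Hardware) Version:\s*(.+?)\s*$",
                   re.IGNORECASE | re.MULTILINE)
VERSION = re.compile(r"[vV]?(\d+)\.(\d+)")

def parse_status(text):
    """Return the version fields of a status block, keyed by lower-case name."""
    return {name.lower(): value for name, value in FIELD.findall(text)}

def classify(text):
    """Map a status block to an exposure category (category names are hypothetical)."""
    runtime = parse_status(text).get("runtime code")
    match = VERSION.match(runtime) if runtime else None
    if match is None:
        return "unknown"                 # no parsable runtime version: check by hand
    version = (int(match.group(1)), int(match.group(2)))
    if version >= FIXED:
        return "fixed"
    if version == CONFIRMED:
        return "confirmed-vulnerable"
    if version < CONFIRMED:
        return "suspected-vulnerable"    # advisory: earlier firmware suspected
    return "unverified-upgrade"          # between 1.20 and 1.23: advisory is silent

def triage(inventory):
    """{device label: status text} -> {label: category}, most urgent first."""
    order = ["confirmed-vulnerable", "suspected-vulnerable",
             "unverified-upgrade", "unknown", "fixed"]
    results = {label: classify(text) for label, text in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: (order.index(kv[1]), kv[0])))

# Constructed sample inventory; only the first block's values come from the advisory.
SAMPLE = {
    "office-ap": "Runtime Code Version: v1.20 (Nov 15 2002 22:08:48)\n"
                 "Boot Code Version: V1.06\nHardware Version: 01\n",
    "lab-ap": "Runtime Code Version: v1.23\nBoot Code Version: V1.06\n",
    "spare": "Runtime Code Version: v1.10 (constructed)\n",
    "closet": "status page unavailable",
}

if __name__ == "__main__":
    for label, category in triage(SAMPLE).items():
        print(f"{label:10} {category}")
```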

VIII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2003-0419 to this issue.

IX. DISCLOSURE TIMELINE

15 APR 2003    Issue disclosed to SMC Networks (security@smc.com)
15 APR 2003    iDEFENSE clients notified
15 APR 2003    Response from olivier@smc-mail.com
21 APR 2003    Response from Brian Larsen, Barricade Product Manager
30 APR 2003    Response from Brian Larsen
10 JUN 2003    Firmware 1.23 provided by SMC to iDEFENSE for testing
11 JUN 2003    Coordinated Public Disclosure

X. CREDIT

Michael Sutton (msutton@idefense.com) is credited with discovering this
vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .
