############################################################# # # SWISSCOM CSIRT ADVISORY - http://www.swisscom.com/security # ############################################################# # # CVE ID: CVE-2015-1188 # Product: Swisscom DSL Router Centro Grande (ADB) # Vendor: ADB # Subject: Incorrect authentication, remotely exploitable # Finder: Ivan Almuina (ivan.almuina _at_ hackingcorp.ch) # Coord: Philippe Cuany (csirt _at_ swisscom.com) # Date: April 29th 2015 # ############################################################# Description ----------- A vulnerability has been discovered that affects the certificate verification functions provided by the HNDS service found on the Centro Grande (ADB version) DSL routers of Swisscom. Product ------- Firmwares up to version 6.12.02 are affected. Vulnerability ------------- The flaw allows an attacker to have access to management functions that are normally reserved for the Swisscom support. Furthermore, this vulnerability combined with other vulnerabilities allow to completely compromise the Centro Grande (ADB) routers. Available Proof-of-Concept code enables a remote root shell on a victim's router. Remediation ----------- Update the firmware to version 6.14.00. By default the Centro Grande routers should update themselves automatically. The current version can be verified through the web management interface, under Settings => Router => Firmware section. The version 6.14.00 should be installed. If it is not the case, the update can be forced cliking on the button labeled "Check for upgrade". Alternatively, the firmware can be downloaded from the following page: https://www.swisscom.ch/en/residential/help/device/internet-router/centro-grande.html Swisscom customers may call the Swisscom-Hotline 0800 800 800 Acknowledgments --------------- Ivan Almuina from Hacking Corporation Sàrl (http://hackingcorp.ch/) for the discovery, the notification and for helping us to fix the vulnerability. Milestones ---------- Sep 23th 2014 Vulnerability reported to Swisscom CSIRT Jan 7th 2015 CVE ID requested at MITRE Jan 18th 2015 CVE ID 2015-1188 assigned by MITRE Apr 29th 2015 Public Release of Advisory