<<< Date Index >>>     <<< Thread Index >>>

Lingo VoIP ATA / UTStarcom iAN-02EX remote access vulnerability



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

after unsuccessfully attempting to find contact information of anyone who can address or correct this, here's a public disclosure.

Vulnerability Name
  Lingo VoIP ATA / UTStarcom iAN-02EX remote access vulnerability

Overview
the UTStarcom iAN-02EX is a VoIP ATA currently being used by Lingo (and other VoIP providers?). this advisory is specific to the configuration of the iAN-02EX device as currently shipped by Lingo, and may or may not apply to other configurations of the device. the default configuration leaves the ATA vulnerable to unauthorized remote access.

Description
using the default password, a remote attacker may access the device via the WAN port. this problem is compounded by Lingo's recommendation that the device should be placed between a broadband modem and router ("recommended method"). this configuration makes the ATA's WAN port accessible from the public internet.

Impact
an attacker may cause a denial of service for voice and/or data traffic. an attacker may gain access to a customers speed-dial list and modify that list (this may be particularly dangerous if the attacker is a scorned ex-lover or overzealous admirer). an attacker may gain gain access to other areas of the LAN behind the ATA (by specifying it as a DMZ or port forwarding). an attacker may change the default password (the ATA doesn't appear to have a customer accessible hardware reset, which could compound a password problem). an attacker may cause other havoc for the VoIP customer.

Solution
this vulnerability can be mitigated by not allowing login access via WAN. at the very least this feature should be disabled by default. ideally access via the WAN port should require that the default password is changed.

References
  http://www.utstar.com/Solutions/CPE/VoIP_CPE/
  http://www.utstar.com/Solutions/Document_Library/CPE/docs/SS_UTiAN02EX.pdf
  http://www.lingosupport.com/
  http://www.lingosupport.com/install_multi_01.html


- -- ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

        "Your password must be at least 18770 characters and
         cannot repeat any of your previous 30689 passwords.
         Please type a different password. Type a password
         that meets these requirements in both text boxes."
                -- Microsoft takes security seriously in
                Knowledge Base Article Q276304.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

iQEcBAEBCAAGBQJCK/Y8AAoJEAx/d+cTpVcieigH/2tclaF4CvkvQfgdOt3emrcT
XZK2a3K3gx9p1Cdy5pbXYSN+oh9EvV+LadYljASxl0IV1Kn32OZQMLJbfRTjJHf5
XaU4HIFS2n8Q/+HSVfOQCCOb1RAulD7Hpgj+/omh9kS4dHQdHJ3jBwQe9NCqF8M4
DG/H5uzB3SFuzDQemYuZOh5qnqNxUsI5TiTXAzww31tuR240sABiwGDB8eurEub3
+FWXcj9ytWMGdbk+Jq+J4MR1dDzv+pcK7cSQHUiEKtUJp0XrfyMJpgxMGxPFHWX9
T+8qM1lJw+7DNsSih6TY0OGRygVZezPpgPKZY0dDJpRvw651McQi+klWCeQU30c=
=VsqM
-----END PGP SIGNATURE-----