Public Vulnerability Reports

Denial of Service Vulnerability in SMC Networks' Barricade Wireless Router

06.11.03

BACKGROUND

SMC Networks' Barricade Wireless Cable/DSL Broadband Router, version SMC7004VWBR, "combines a 4-port 10/100 Mbps dual-speed switch with Automatic MDI-MDIX feature, a high speed 11Mbps wireless access point, Stateful Packet Inspection (SPI) firewall security, network management, and Virtual Private Network (VPN) passthrough support into one convenient device." More information is available at http://www.smc.com/index.cfm?sec=Products&pg=Product-Details&prod=258&si
te=c .

DESCRIPTION

The SMC7004VWBR crashes when a specially formatted series of packets are sent to TCP port 1723 (PPTP) on its internal interface. Following the attack, the router remains unresponsive to requests on the wireless portions of the connected LAN, thus preventing users from accessing network resources.

ANALYSIS

By default, the router is listening on TCP port 1723. A default configuration includes enabled wireless access and a DHCP server. Therefore, if appropriate steps have not been taken to secure the device, it is trivial for a remote attacker to conduct the DoS attack by connecting to a targeted network using an 802.11b wireless network
interface card.

DETECTION

Barricade Wireless Router, version SMC7004VWBR, is affected. The vulnerability is confirmed to exist on the following configuration, with previous versions of the firmware suspected as well:

Runtime Code Version: v1.20 (Nov 15 2002 22:08:48)
Boot Code Version: V1.06
Hardware Version: 01

WORKAROUND

A hard reset is required to restore normal functionality. This requires physical access to the router and can be accomplished by either unplugging the router or by using the reset button located on the back of the router. Remotely restoring normal functionality by using the web-based administrative console is not possible due to the DoS, even from hosts physically connected to the router itself.

VENDOR RESPONSE

SMC Networks has released firmware version 1.23 which fixes this vulnerability. It is available for download at http://www.smc.com/index.cfm?sec=Products&pg=Product-Details&prod=258&site=c#downloads .

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0419 to this issue.

DISCLOSURE TIMELINE

04/15/2003       Issue disclosed to SMC Networks (security@smc.com)
04/15/2003       iDEFENSE clients notified
04/15/2003       Response from olivier@smc-mail.com
04/21/2003       Response from Brian Larsen, Barricade Product Manager
04/30/2003       Response from Brian Larsen
06/10/2003       Firmware 1.23 provided by SMC to iDEFENSE for testing
06/11/2003       Coordinated Public Disclosure

CREDIT

Michael Sutton (msutton@idefense.com) is credited with discovering this vulnerability.