SLIDE 1

Chair of Network Architectures and Services Department of Informatics Technical University of Munich

Security of CPE Management Protocols

Patrick Sattler, B. Sc. Advisor: Oliver Gasser, M. Sc.

April 20, 2017

SLIDE 2

Contents

  • Motivation
  • Network Management Protocols
  • TR-069 Architecture and Specification
  • Threat Model
  • Known Attacks and Incidents
  • Bibliography

P. Sattler – Security of CPE Management Protocols 2

SLIDE 3

Motivation

  • Easy remote configuration
  • ISPs use these protocols for CPEs
  • Little research on its security
  • Recently discovered vulnerabilities
  • DTAG incident

SLIDE 4

Network Management Protocols

Main Functionalities

  • Configuration Management
  • Performance Management
  • Fault Management
  • Security Management
  • Accounting Management

SLIDE 5

Network Management Protocols

  • Simple Network Management Protocol (SNMP)
    • v1 published in 1988 (RFC 1067)
    • De-facto standard for LAN network management
    • Only v3 provides optional secure communication and authentication
    • Transport protocol: UDP
  • Common Management Information Protocol (CMIP)
    • Alternative to SNMP
    • Standardized in 1991; predecessor of TR-069
  • TR-069 — CPE WAN Management Protocol (CWMP)
    • Specified in TR-069 [1] by the Broadband Forum
    • De-facto standard for ISPs’ network management
    • Transport protocol: TCP
    • SSL/TLS is optional, authentication is required
    • RPC with SOAP over HTTP

SLIDE 6

Network Management Protocols

  • NETCONF
    • Standard proposed by the IETF in 2006 (RFC 4741)
    • RPC with XML (YANG) over TLS/SSH
    • Secure communication is required
    • Any connection-oriented protocol allowed
  • RESTCONF
    • Successor of NETCONF
    • Uses RESTful paradigms
    • RPC with JSON (YANG) over HTTP over TLS

SLIDE 7

Why focus on TR-069?

  • Second most frequently open port: TCP/7547 (TR-069 default port) [2]
    • 46M IP addresses at the last scan (April 5th, 2017)
  • Little research available [3]

SLIDE 8

TR-069 Protocol Stack

Layers, from top to bottom: RPC, SOAP, HTTP, SSL/TLS (optional), TCP/IP

Figure 1: TR-069 Protocol Stack

SLIDE 9

TR-069 Architecture

  • Auto-Configuration Server (ACS) → the controller
    • Normally one per provider
    • Gets configuration and commands from other infrastructure
  • CPEs → the managed devices
    • Either preconfigured ACS URLs or ACS discovery
    • CPE initiates all sessions to the ACS
    • ACS can trigger session initiation (Connection Request)

SLIDE 10

TR-069 Architecture

Figure 2: TR-069 Architecture. The ACS is connected to the provider’s infrastructure (call center; different databases, e.g. policy, billing, ...) and manages the CPE over the CPE management link; the CPE in turn manages the LAN devices behind it.

SLIDE 11

TR-069 Functionalities

  • Discover all available device functions (RPC calls)
  • Get and set configuration data (e.g., provisioning)
  • Get device status data
  • Perform measurements and diagnostics
  • Download and update software and firmware

SLIDE 12

TR-069 Session

Session example (CPE on the left, ACS on the right):

  • CPE establishes a TCP connection to the ACS
  • SSL handshake (optional)
  • CPE → ACS: HTTP POST carrying the Inform request; ACS → CPE: HTTP response carrying the Inform response
  • CPE → ACS: HTTP POST with an empty body; ACS → CPE: HTTP response carrying a Get/Set Values request
  • CPE → ACS: HTTP POST carrying the Get/Set Values response; ACS → CPE: empty HTTP response
  • Connection teardown

Figure 3: A session example for TR-069
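The message flow of Figure 3, written out as an added illustration in Python. This is not code from the presentation or from any real ACS or CPE implementation: it models only the SOAP bodies (CPE messages stand for HTTP POST bodies, ACS messages for HTTP response bodies, an empty string for the empty request/response), and leaves out TCP, TLS, HTTP framing and authentication. The CWMP namespace is the one TR-069 uses; the device identifiers and parameter values are constructed.

```python
"""Toy model of one TR-069 (CWMP) session following the flow of Figure 3."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP = "urn:dslforum-org:cwmp-1-0"          # namespace of the TR-069 RPCs
ET.register_namespace("soap-env", SOAP)
ET.register_namespace("cwmp", CWMP)


def envelope(rpc):
    """Wrap one RPC element into a SOAP envelope and serialise it."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(rpc)
    return ET.tostring(env, encoding="unicode")


def rpc_name(message):
    """Local name of the RPC carried in a message, or None for an empty message."""
    if not message:
        return None
    body = ET.fromstring(message).find(f"{{{SOAP}}}Body")
    return body[0].tag.rsplit("}", 1)[1]


def get_parameter_values(*names):
    rpc = ET.Element(f"{{{CWMP}}}GetParameterValues")
    lst = ET.SubElement(rpc, "ParameterNames")
    for name in names:
        ET.SubElement(lst, "string").text = name
    return rpc


def set_parameter_values(values):
    rpc = ET.Element(f"{{{CWMP}}}SetParameterValues")
    lst = ET.SubElement(rpc, "ParameterList")
    for name, value in values.items():
        pvs = ET.SubElement(lst, "ParameterValueStruct")
        ET.SubElement(pvs, "Name").text = name
        ET.SubElement(pvs, "Value").text = value
    return rpc


class CPE:
    """Managed device: opens the session with Inform and answers ACS RPCs."""

    def __init__(self, params):
        self.params = dict(params)

    def inform(self):
        rpc = ET.Element(f"{{{CWMP}}}Inform")
        dev = ET.SubElement(rpc, "DeviceId")
        ET.SubElement(dev, "OUI").text = "000000"               # constructed
        ET.SubElement(dev, "SerialNumber").text = "CONSTRUCTED-0001"
        return envelope(rpc)

    def handle(self, acs_message):
        """Next HTTP POST body; empty when the CPE has nothing to send."""
        name = rpc_name(acs_message)
        if name is None or name.endswith("Response"):
            return ""                                   # "Empty Request" in Figure 3
        rpc = ET.fromstring(acs_message)
        if name == "GetParameterValues":
            resp = ET.Element(f"{{{CWMP}}}GetParameterValuesResponse")
            lst = ET.SubElement(resp, "ParameterList")
            for n in rpc.iter("string"):
                pvs = ET.SubElement(lst, "ParameterValueStruct")
                ET.SubElement(pvs, "Name").text = n.text
                ET.SubElement(pvs, "Value").text = self.params.get(n.text, "")
            return envelope(resp)
        if name == "SetParameterValues":
            for pvs in rpc.iter("ParameterValueStruct"):
                self.params[pvs.findtext("Name")] = pvs.findtext("Value")
            resp = ET.Element(f"{{{CWMP}}}SetParameterValuesResponse")
            ET.SubElement(resp, "Status").text = "0"
            return envelope(resp)
        raise ValueError(f"unsupported RPC {name}")


class ACS:
    """Auto-Configuration Server: answers Inform, then drains its RPC queue."""

    def __init__(self, queued_rpcs):
        self.queue = list(queued_rpcs)
        self.collected = {}             # values reported via GetParameterValues

    def handle(self, cpe_message):
        """HTTP response body; empty when nothing is left to send."""
        name = rpc_name(cpe_message)
        if name == "Inform":
            resp = ET.Element(f"{{{CWMP}}}InformResponse")
            ET.SubElement(resp, "MaxEnvelopes").text = "1"
            return envelope(resp)
        if name == "GetParameterValuesResponse":
            for pvs in ET.fromstring(cpe_message).iter("ParameterValueStruct"):
                self.collected[pvs.findtext("Name")] = pvs.findtext("Value")
        if self.queue:
            return envelope(self.queue.pop(0))
        return ""                       # "Empty Response": the session is over


def run_session(cpe, acs):
    """Drive one session; returns the (CPE RPC, ACS RPC) pairs exchanged."""
    transcript = []
    cpe_message = cpe.inform()          # a session always starts with Inform
    while True:
        acs_message = acs.handle(cpe_message)
        transcript.append((rpc_name(cpe_message), rpc_name(acs_message)))
        if acs_message == "":
            return transcript           # empty response -> connection teardown
        cpe_message = cpe.handle(acs_message)


if __name__ == "__main__":
    device = CPE({"Device.DeviceInfo.SoftwareVersion": "1.0-constructed"})
    server = ACS([set_parameter_values({"Device.ManagementServer.PeriodicInformInterval": "3600"}),
                  get_parameter_values("Device.DeviceInfo.SoftwareVersion")])
    for step in run_session(device, server):
        print(step)
```

Running the module shows the four HTTP round trips of the figure: Inform/InformResponse, empty POST answered with the first queued RPC, the CPE's response answered with the next RPC, and finally an empty response that ends the session. The ACS is purely reactive here, which is exactly the property the architecture slides describe: the CPE opens every session, and the ACS can only ask for one via a Connection Request.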

SLIDE 13

Threat Model

  • SSL/TLS
    • Usage of SSL/TLS is only suggested
    • TLS 1.2 is suggested for TR-069 1.4
    • SSL 3.0 and TLS 1.0 support is required
    • SSL/TLS downgrade attacks possible (the fallback SCSV was standardized only in 2015)
  • Without TLS:
    • No confidentiality, authenticity, and data integrity
    • Every message can be eavesdropped, forged, modified, and replayed

SLIDE 14

Threat Model

  • Mandatory to support old protocol versions (all the way back to 1.0 from 2006)
  • No checksum control for downloads (also firmware updates!)
    • Download server could be compromised
    • DNS hijacking to point to the attacker’s server
  • ACS is a single point of failure
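The two download threats on this slide (compromised download server, DNS hijacking) are what an integrity check on the CPE side is for. The following added example is not code from the presentation or from any vendor firmware; it assumes that the expected SHA-256 digest reaches the CPE through some channel other than the Download RPC (a vendor extension or a signed manifest, since the RPC itself carries no checksum, as the slide notes) and that the device knows its ISP's download hosts. The host name and image bytes are constructed.

```python
"""Download policy a CPE could apply before installing an image from the Download RPC."""
import hashlib
import hmac
from urllib.parse import urlparse

TRUSTED_DOWNLOAD_HOSTS = {"firmware.isp.example"}     # constructed allow-list


def check_download_url(url):
    """Accept only HTTPS URLs on a known download host. Returns (ok, reason)."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "download not over TLS: transfer can be tampered with"
    if parts.hostname not in TRUSTED_DOWNLOAD_HOSTS:
        return False, f"unexpected download host {parts.hostname!r}"
    return True, "url accepted"


def verify_image(image, expected_sha256):
    """Constant-time comparison of the image digest against the expected value."""
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def apply_firmware(url, image, expected_sha256):
    """Decide whether a downloaded image may be installed. Returns (decision, reason)."""
    ok, reason = check_download_url(url)
    if not ok:
        return "rejected", reason
    if not expected_sha256:
        return "rejected", "no digest supplied: cannot detect a substituted image"
    if not verify_image(image, expected_sha256):
        return "rejected", "digest mismatch: image differs from what the ISP published"
    return "installed", "image verified"


# Constructed sample images and the digest the ISP would publish for the good one.
GOOD_IMAGE = b"constructed firmware image v1.0"
TAMPERED_IMAGE = b"constructed firmware image v1.0 (altered in transit)"
PUBLISHED_DIGEST = hashlib.sha256(GOOD_IMAGE).hexdigest()

if __name__ == "__main__":
    cases = [
        ("https://firmware.isp.example/v1.0.bin", GOOD_IMAGE, PUBLISHED_DIGEST),
        ("http://firmware.isp.example/v1.0.bin", GOOD_IMAGE, PUBLISHED_DIGEST),
        ("https://firmware.isp.example/v1.0.bin", TAMPERED_IMAGE, PUBLISHED_DIGEST),
        ("https://firmware.isp.example/v1.0.bin", GOOD_IMAGE, None),
    ]
    for url, image, digest in cases:
        print(apply_firmware(url, image, digest))
```

The host allow-list alone does not help against the DNS hijacking case on the slide: the name still resolves, just to the wrong address. What catches a substituted image regardless of where it came from is the digest check, which is why the policy rejects an image outright when no digest is available rather than falling back to installing it. The HTTPS requirement is only meaningful if the HTTP client validates the server certificate, which this snippet presumes but does not show.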

SLIDE 15

Known Attacks

ACS vulnerabilities

  • Exploiting the ACS = takeover of the ISP’s whole fleet
  • Tal et al. [3] graded ACS vendors’ security as stuck in the 1990s
    • Analyzed OpenACS (Java) and GenieACS (node.js)
    • RCE on both after a three-day analysis
  • Authentication bypass, SQL injection, RCE, and DoS vulnerability
    • in an ACS from an undisclosed vendor
    • Proof of concept on a real provider’s ACS with 500k connected devices

SLIDE 16

Known Attacks

CPE vulnerabilities

  • Attack a SOHO router from the LAN to change its ACS
  • Tal et al. [5] presented three vulnerabilities at 31c3 (2014)
    • TR-069 runs an HTTP server on port 7547 for Connection Requests
    • 52% use RomPager as HTTP server
    • 97% of those have version 4.07 (from 2002)
    • ZynOS from ZyXEL includes RomPager 4.07

SLIDE 17

RomPager 4.07 Vulnerabilities

  • Overflowing the HTTP digest authentication username
    • Overwrites a function pointer (RCE)
    • Memory mapping is too diverse for large-scale attacks
  • Three concurrent requests overwrite the HTTP handler structure
    • RCE vulnerability
    • Works only on port 80 (not relevant for TR-069)
  • Misfortune Cookie [6]

SLIDE 18

Misfortune Cookie

  • ZynOS has no dynamic memory allocation
  • RomPager allocates an array of length 10 for cookies
    • Cookies are named C0, C1, . . . , C9
    • Searches for an initial capital “C”
    • Rest of the name is used as the array index
    • Enables writes relative to a fixed address (RCE)
  • Worked on any model from any brand
  • Fixed version was provided in 2005 (9 years before the research!)
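The root cause on this slide is an array index taken from attacker-controlled input without a range check. As an added, defender-side illustration (not RomPager code and not code from the presentation), the snippet below does the two things such a handler should do: parse the cookie name so that only C0 to C9 can ever select a slot, and flag requests whose cookie names look like slot names but fall outside the table, so that such traffic to a connection-request listener can be logged. The sample requests are constructed; the only facts taken from the slides are the ten slots named C0 to C9 and the use of the rest of the name as an index.

```python
"""Strict parsing of 'C<index>' cookie names plus a detector for out-of-range names."""
import re

COOKIE_SLOTS = 10                        # C0 .. C9, as described on the slide
SLOT_NAME = re.compile(r"^C([0-9])$")    # exactly one decimal digit after 'C'


def cookie_slot(name):
    """Return the slot index for a well-formed cookie name, else None.

    Accepting only a single digit (and re-checking the range) means names such
    as 'C12345' or 'C-3' can never address memory outside the 10-entry table.
    """
    m = SLOT_NAME.match(name)
    if not m:
        return None
    idx = int(m.group(1))
    return idx if 0 <= idx < COOKIE_SLOTS else None


def parse_cookie_header(value):
    """Split a Cookie header value into (name, value) pairs."""
    pairs = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, val = item.partition("=")
        pairs.append((name.strip(), val.strip()))
    return pairs


def scan_request(raw):
    """Flag cookie names that start with 'C' but are not a valid slot C0..C9."""
    findings = []
    for line in raw.split("\r\n"):
        if not line.lower().startswith("cookie:"):
            continue
        for name, _ in parse_cookie_header(line.split(":", 1)[1]):
            if name.startswith("C") and cookie_slot(name) is None:
                findings.append(f"cookie name {name!r} is outside the C0..C9 table")
    return findings


# Constructed sample requests to a TR-069 connection-request listener.
BENIGN_REQUEST = ("GET /cwmp HTTP/1.1\r\nHost: cpe.example\r\n"
                  "Cookie: C3=abc; session=xyz\r\n\r\n")
SUSPICIOUS_REQUEST = ("GET /cwmp HTTP/1.1\r\nHost: cpe.example\r\n"
                      "Cookie: C10737418=x; C-5=x\r\n\r\n")

if __name__ == "__main__":
    print("benign:", scan_request(BENIGN_REQUEST))
    print("suspicious:", scan_request(SUSPICIOUS_REQUEST))
```

The detector is deliberately narrow: a legitimate client of such a server only ever sends the ten documented names, so anything else starting with a capital C is worth a log line, while ordinary cookies like `session` are ignored.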

SLIDE 19

DTAG incident

  • November 28 - 29: outage of 900k Speedport routers [7]
  • Mirai botnet targeted a vulnerability in TR-064 [8]
    • Uses the same TCP port as TR-069
    • Command injection vulnerability in the NTP field
    • Routers of an Irish provider were vulnerable
  • Some assumed a bug in the attacker’s code [9]

SLIDE 20

DTAG incident

  • Weinmann found a DoS vulnerability to be responsible [7]
  • DTAG’s short-term solution was blocking port 7547
  • Speedport routers were not vulnerable to the NTP vulnerability
  • Weinmann also found other vulnerabilities in TR-069 (not disclosed)
  • DTAG claims that TR-069 is secure, among other reasons because of a device-dependent password [10]
  • Still, the routers parsed requests from sources other than the configured ACS

SLIDE 21

Conclusion

  • ISPs and router manufacturers do not take security seriously [11]
  • Routers vulnerable to Misfortune Cookie were still found in 2016 [12]
  • TR-069 should be better protected (with firewalls, ACLs, or VLANs)
  • ISPs need to take responsibility
  • More research into TR-069’s security is needed

SLIDE 22

Bibliography

[1] J. Bernstein, T. Spets, et al., “TR-069: CPE WAN Management Protocol,” Technical Report 069, 2004.
[2] “Internet-Wide Scan Data Repository.” https://scans.io, 2017. [Online; accessed 12-April-2017].
[3] S. Tal and L. Oppenheim, “I Hunt TR-069 Admins: Pwning ISPs Like a Boss,” DEF CON 22, 2014.
[4] J. Bernstein, T. Spets, et al., “TR-069: CPE WAN Management Protocol Amendment 5,” Technical Report 069, 2013.
[5] S. Tal and L. Oppenheim, “Too Many Cooks - Exploiting the Internet-of-TR-069-Things,” 31c3: a new dawn, 2014.
[6] “Misfortune Cookie.” http://mis.fortunecook.ie/, 2014. [Online; accessed 8-April-2017].

SLIDE 23

[7] “Were 900K Deutsche Telekom Routers Compromised by Mirai?” https://comsecuris.com/blog/posts/were_900k_deutsche_telekom_routers_compromised_by_mirai/, 2016. [Online; accessed 6-April-2017].
[8] “Eir’s D1000 Modem Is Wide Open To Being Hacked.” https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/, 2016. [Online; accessed 6-April-2017].
[9] “TR-069, die Telekom, und das was wirklich geschah” [TR-069, Telekom, and what really happened]. http://www.linus-neumann.de/2016/11/30/warum-die-telekom-router-ausgefallen-sind/, 2016. [Online; accessed 6-April-2017].
[10] “Mythos offene Schnittstelle: Was wirklich geschah” [Myth of the open interface: what really happened]. https://www.telekom.com/de/medien/details/mythos-offene-schnittstelle-was-wirklich-geschah-445232, 2016. [Online; accessed 6-April-2017].

SLIDE 24

[11] S. Tal and L. Oppenheim, “The Internet of TR-069 Things: One Exploit to Rule Them All,” RSA Conference 2015, 2015.
[12] “Eir P-660HW-T1 Vulnerability.” https://devicereversing.wordpress.com/2016/11/19/eir-p-660hw-t1-remote-vulnerability-2/, 2016. [Online; accessed 9-April-2017].
