[TriLUG] open ports on Uverse 2wire gateway -- revisited

James Jones jc.jones at tuftux.com
Tue Feb 4 09:46:29 EST 2014


alan,

I have to put stock in Security Metrics' assessment: when the company
fails their scan, they are not considered compliant for credit card
processing. Even though they don't process any credit cards over the
internet, they do store credit cards on their computer. They believe
that poses a liability issue if they were penetrated.

I believe Sec. Met.'s assessment is valid since they provide the
following information:

CVE-2009-3555 as the vulnerability.

From: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555

"The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in
the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
3.12.4 and earlier, multiple Cisco products, and other products, does
not properly associate renegotiation handshakes with an existing
connection, which allows man-in-the-middle attackers to insert data
into HTTPS sessions, and possibly other types of sessions protected by
TLS or SSL, by sending an unauthenticated request that is processed
retroactively by a server in a post-renegotiation context, related to
a "plaintext injection" attack, aka the "Project Mogul" issue."

I have encouraged the company to remove stored credit cards from their
computer; the employees wish to keep the information on the computer
since it is within a program that reminds them when to charge
accounts, etc.

The owner is leaning toward removal, but not happening yet.

But no matter what, I believe Uverse should be attacking this
vulnerability to protect their equipment from being hacked.

As far as patching a port, I should have indicated patching their
server using the port within their gateway.

jcj


On Mon, Feb 3, 2014 at 11:44 PM, Alan Porter <porter at trilug.org> wrote:
>
> Hi JC,
>
>> 49152 and 61001 are the problem ports. I realize that this may be
>> ports used by Uverse, but Security Metrics say that a vulnerability
>> exists on 61001.
>
> OK, your internet modem has two open ports, and you suspect that
> these are ports used by your provider to get into their modem for
> support.  But you don't like that because Security Metrics reports
> that as a potential security vulnerability?
>
> I would not put much stock in Security Metrics's assessment.
>
> For example, let's say I am writing a new server program for a company
> that makes, say, internet-enabled ovens.  I need a port to listen to.  It
> does not really matter which port I choose, but it would be wise to avoid
> well-known ports like 80 or 443.  So instead, I choose 12345.  I can
> remember that.  It's the same as the combination on my luggage.
> Honestly, it does not matter which port I choose.  My server will answer
> requests made to that port, and it will (if I am any good) do some sort
> of handshaking and authentication before just talking to anybody.
>
> So Security Metrics keeps a list of known bad programs.  One time in 1994
> some kid wrote a virus/bot that listened for instructions on port 12345.
> So Security Metrics will point that out as a potential vulnerability.  I
> know it's not... I wrote that oven program that listens on port 12345.
>
> That does not mean that port 12345 is bad.  It means that *IF* you have
> an unknown process listening on that port, and you want a list of all known
> programs in the past that have used that port, SM will tell you about that
> one bad program in 1994 to try to help you identify what it might be.  They
> don't know anything about internet ovens.
>
> In your case, you pretty much know that 49152 and 61001 are AT&T ports.
> So you can ignore anything that Security Metrics has to say about them.
>
> Does that make sense?
>
> If you were to insist on these ports being changed, then you're really
> asking AT&T to change their entire support infrastructure because of that
> hacker kid from the '90s.  You're asking the internet to permanently
> retire that port number in honor of that hacker kid.
>
> Now I am not so sure that AT&T *needs* to listen on two ports.  But if
> they do, and they guarantee that it's their maintenance system and it
> is secure, then I would not question it any further.  It is likely that
> their maintenance program only accepts connections from known subnets
> or from holders of a known certificate.
>
>
>> I suspect that security metrics would pass the account if the two open
>> ports were patched to cover the vulnerabilities that Security Metrics
>> see.
>
> There is no such thing as "patching the ports".  There is a program
> listening on those ports.  Either it is a real AT&T program that speaks
> AT&T language, or it is a virus/bot from that kid in 1994 (or whatever).
> The fact that these two programs listen on the same port number is just
> a coincidence.  If AT&T chose port 12345, that would not make your
> router an oven, would it?
>
> You don't patch a port.
>
>
> I hope this helps you set your expectations better.
>
>
> Personally, I would do what others on this thread have suggested and
> treat the cable coming from the Uverse box as a "hostile network", insert
> a firewall in between it and my home network, and concentrate on the
> in-home network that I control.  If you needed a suggestion for a firewall,
> I would recommend a cheapie WRT54G running Tomato, ddwrt or openwrt.
>
>
> Alan
>
>
>



-- 
Jc Jones
Blogs -
http://www.wendellgeek.com/weblog/
http://www.wendellgeek.com/kixtech/
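As an added illustration (not part of this thread or of anyone's quoted text): the standard fix for CVE-2009-3555 is the RFC 5746 renegotiation_info extension, which a patched server advertises in its ServerHello. The parser below checks one captured TLS record for that extension; the sample ServerHello is constructed inline for the demonstration, not a real capture, and the function names are mine.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746

def parse_server_hello_extensions(record: bytes) -> dict:
    """Return {ext_type: ext_data} from one TLS record carrying a ServerHello; raises ValueError on bad framing."""
    # Record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    # Handshake header: msg_type(1) length(3); ServerHello is msg_type 2
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                      # skip server_version and random
    pos += 1 + hs[pos]                # session_id is length-prefixed
    pos += 2 + 1                      # cipher_suite, compression_method
    exts = {}
    if pos == len(hs):                # old servers send no extensions block
        return exts
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if pos + ext_total != len(hs):
        raise ValueError("extensions length mismatch")
    while pos < len(hs):
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        exts[etype] = hs[pos:pos + elen]
        pos += elen
    return exts

def supports_secure_renegotiation(record: bytes) -> bool:
    """True if the server advertised renegotiation_info (the CVE-2009-3555 fix)."""
    return RENEGOTIATION_INFO in parse_server_hello_extensions(record)

def build_server_hello(secure_reneg: bool) -> bytes:
    """Constructed sample ServerHello for testing; not a real capture."""
    ext = b"\xff\x01\x00\x01\x00" if secure_reneg else b""  # type ff01, len 1, empty renegotiated_connection
    hs_body = (b"\x03\x03" + bytes(32)          # TLS 1.2, all-zero random
               + b"\x00"                        # empty session_id
               + b"\x00\x2f" + b"\x00"          # AES128-SHA, null compression
               + struct.pack("!H", len(ext)) + ext)
    hs = b"\x02" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

A server whose ServerHello lacks extension 0xff01 is either unpatched for CVE-2009-3555 or has renegotiation disabled outright; only the former is what a scanner flags, so confirm with the vendor before treating a missing extension as exploitable.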

