Hello list! I want to warn you about security vulnerabilities in ADSL modem Callisto 821+ (SI2000 Callisto821+ Router). These are Predictable Resource Location and Brute Force vulnerabilities. SecurityVulns ID: 11700. ------------------------- Affected products: ------------------------- Vulnerable is the next model: SI2000 Callisto821+ Router: X7821 Annex A v1.0.0.0 / Argon 4x1 CSP v1.0 (ISOS 9.0) [4.3.4-5.1]. This model with other firmware and also other models of Callisto also must be vulnerable. ---------- Details: ---------- Predictable Resource Location (WASC-34): http://192.168.1.1 (web server on 80 and 8008 ports). The control panel of modem is placed at default path with default login and password (information about which is available in Internet). Which allows for local users (which have access to PC or via LAN) and also for remote users via Internet (via CSRF vulnerabilities) to get access to control panel and change modem's settings. This also will be in handy for conducting of remote login attack. Default above-mentioned settings - it's standard practice of developers of ADSL routers, but ISPs should make changes. But particularly Ukrtelecom doesn't do it (and there can be other such ISPs) and so millions of users of Internet services of this ISP, which are using modems Callisto or others, are vulnerable to these attacks. And during my conversation with Ukrtelecom's representative in April, he stated that company doesn't see any risks concerning multiple vulnerabilities in router's control panel (so they don't change settings and don't warn clients). Brute Force (WASC-11): In login form http://192.168.1.1 there is no protection against Brute Force attacks. Which allows to pick up password (if it was changed from default), particularly at local attack. E.g. via LAN malicious users or virus at some computer can conduct attack for picking up the password, if it was changed. Lack of protection against Brute Force (such as captcha) also leads to possibility of conducting of CSRF attacks, which I wrote about in the article Attacks on unprotected login forms (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html). It allows to conduct remote login. Which will be in handy at conducting of attacks on different CSRF and XSS vulnerabilities in control panel. ------------ Timeline: ------------ 2011.04.14 - informed Ukrtelecom about multiple vulnerabilities in modems, which they give (sell) to their clients. 2011.05.24 - disclosed at my site. 2011.05.26 - informed developers (Iskratel). I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/5161/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua