#############################################################
#
# SWISSCOM CSIRT ADVISORY - http://www.swisscom.com/security
#
#############################################################
#
# CVE ID: CVE-2015-1188
# Product: Swisscom DSL Router Centro Grande (ADB)
# Vendor: ADB
# Subject: Incorrect authentication, remotely exploitable
# Finder: Ivan Almuina (ivan.almuina _at_ hackingcorp.ch)
# Coord: Philippe Cuany (csirt _at_ swisscom.com)
# Date: April 29th 2015
#
#############################################################
Description
-----------
A vulnerability has been discovered that affects the certificate verification
functions provided by the HNDS service found on the Centro Grande (ADB version)
DSL routers of Swisscom.
Product
-------
Firmwares up to version 6.12.02 are affected.
Vulnerability
-------------
The flaw allows an attacker to have access to management functions that are
normally reserved for the Swisscom support. Furthermore, this vulnerability
combined with other vulnerabilities allow to completely compromise the
Centro Grande (ADB) routers. Available Proof-of-Concept code enables a remote
root shell on a victim's router.
Remediation
-----------
Update the firmware to version 6.14.00. By default the Centro Grande routers
should update themselves automatically. The current version can be verified
through the web management interface, under Settings => Router => Firmware
section. The version 6.14.00 should be installed. If it is not the case, the
update can be forced cliking on the button labeled "Check for upgrade".
Alternatively, the firmware can be downloaded from the following page:
https://www.swisscom.ch/en/residential/help/device/internet-router/centro-grande.html
Swisscom customers may call the Swisscom-Hotline 0800 800 800
Acknowledgments
---------------
Ivan Almuina from Hacking Corporation Sàrl (http://hackingcorp.ch/) for the
discovery, the notification and for helping us to fix the vulnerability.
Milestones
----------
Sep 23th 2014 Vulnerability reported to Swisscom CSIRT
Jan 7th 2015 CVE ID requested at MITRE
Jan 18th 2015 CVE ID 2015-1188 assigned by MITRE
Apr 29th 2015 Public Release of Advisory