Software Engineering Institute

Alcatel ADSL modems allow unauthenticated Trivial File Transfer Protocol (TFTP) access from the local area network (LAN) as a method to update firmware and to make configuration changes to the device. In conjunction with one of several common vulnerabilities, a remote attacker may be able to gain unauthenticated access as well.

For example, if a system on the LAN side of the ADSL modem has the UDP echo service enabled, a remote attacker may be able to spoof packets such that the ADSL modem will believe that this traffic originated from the local network. By sending a packet to the UDP echo service with a spoofed source port of 69 (TFTP) and a source address of 255.255.255.255, the system providing the echo service can be tricked into sending a TFTP packet to the ADSL modem. If a system offering this service is accessible from the Internet it may be possible to use the system to attack the ADSL modem.

Any mechanism for "bouncing" UDP packets off systems on the LAN side of the network may potentially allow a remote attacker to gain TFTP access to the device. Gaining TFTP access to the device allows the remote attacker to essentially gain complete control of the device.

A remote attacker may be able to gain access to the perform TFTP operations. These operations include:

- inspection of configuration data
- recovery and setting of passwords
- inspection and updates to the firmware
- destructive updates to the firmware
- malicious custom updates to the firmware

Block malicious traffic at your network perimeter

If you have a home firewall product you may be able to prevent the TFTP UDP bounce attack by filtering one or more of the following types of traffic:

- Packets with spoofed source addresses
- Packets with a source address of 255.255.255.255
- Packets with a destination port of echo (or other "simple" services)