Overview
Cayman gateways ship without a default password on the admin and user accounts. As long as the gateway is not addressable via the WAN, this can only be accessed and set by anyone on the LAN side. With admin access, the gateway settings can be configured by an intruder.
Description
Cayman gateways ship without a default password on the admin and user accounts permitting unauthenticated access via TELNET, HTTP and FTP. There is an Alert message that appears on every webpage served by the router, and on the initial configuration screen until the admin password is set. As long as the gateway is not addressable via the WAN, these passwords can only be set by anyone on the LAN side. Administrative access allows the intruder to configure and save various settings on the gateway. |
Impact
These vulnerabilities are the result of weak authentication and access control policies and result in one or more of the following impacts: unauthorized access, unauthorized monitoring, information leakage, denial of service, and permanent disability of affected devices. |
Solution
Set a password for your ADSL modem on both the admin and user accounts. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Our thanks to Kolya Miller, who brought this to the attention of the vendor, and the CERT/CC.
This document was written by Jason Rafail.
Other Information
| CVE IDs: | None |
| Severity Metric: | 45.00 |
| Date Public: | 2001-07-11 |
| Date First Published: | 2001-08-27 |
| Date Last Updated: | 2001-08-27 15:12 UTC |
| Document Revision: | 10 |