Telus Actiontec T2200H with firmware T2200H-31.128L.08 suffers from a serial number information disclosure vulnerability. The wireless extenders use DHCP Option 125 to include device details such as model number, manufacturer, and serial number. By forging a special DHCP packet using Option 125, an attacker can obtain the device serial number. Once he or she has this, the device's admin web UI password can be reset using the web UI "forgot password" page to reset to a known value.
e00278c615b4c6ca6904174cd960226f3071c1c8dac2689625b8674db654d3c2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
### Device Details
Vendor: Actiontec (Telus Branded, but may work on others)
Model: T2200H
Affected Firmware: T2200H-31.128L.08
Device Manual:
http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manu
al.pdf
Reported: Sept 2018
CVE: Not needed since update is pushed by the provider.
The Telus Actiontec T2200H is bonded VDSL2 modem. It
incorporates 2 VDSL2 bonded links with a built-in firewall, bridge mode,
802.11agn wireless, etc.
### Summary of Findings
The wireless extenders use DHCP Option 125 to include device details
such as model number, manufacturer, and serial number. By forging a
special DHCP packet using Option 125, an attacker can obtain the device
serial number.
Once he or she has this, the device’s admin web UI password can be reset
using the web UI “forgot password” page to reset to a known value.
### Mitigation
Do not use the serial number to initiate password resets.
The serial number has other internal uses in the Web UI, which means
there’s a higher chance of it being leaked inadvertently over the
network. By using a different value, this risk can be mitigated since
the reset value is only used for that purpose.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9UFYACgkQoyRid8jQ
fpkcfg/+PGb6cqsFln3ON6Z2DDWDr1e6SuYunj6cUvsM6gwjPFavNNSw4nCOa8HI
hmL15anYEIF3Bkrvw3NDgf3n+8hRtMC7E4EewZyW1gpYeqRFZp+HPUhRMptaoy25
fMZOnzjIt4DKV8EueXdbvGK/ouGZa9TkK5ZMqskQR/FkhC9lytSFblz9l6ZMKEHB
kGn0She5eTFx5U+pOQf/2tmJGUDZRka9OGA+RxXYGPRCwlElqS0QHcRnLTXo3zE4
iNACPDiVLAO/0Q61GEI6hgbcMFzWZZddPmvaY6ii3nXCmTxjJ7bWOKMBsBZwKCGe
agXt7n3UvVY5LGFGG1q/FB1/+JvcnOmUh04FM7uhNgA+2vaQGjCQeaWaSMbkAggh
Eoe6mKD2yA52tn7+RDPY1LOpYWBFXsNWCAlErsCOMyD/4CI3XyoNQyxvW0Icw2GZ
PASDnOx9vBeqAprCVYHUsBy68OZvbRZZpzFTqiEe4ksiTCUxQZC2Xx5AI0+2wm0x
Akw7s3mfmPywvEjuUCCxLzZlK1pHcVPnI0ngGNNN2/Tuo7fJaCEF2cELmKM6sDIP
1DVInZhEZBV8bpEJucIl7IN/zFbi+Pkq37MPfoKKeOkKfF+TvYGT3/okFplj4Z0s
kIhsBD+M/YHAz9vYDFgC13ro3ph79HExwd63ctmirGBQgjeEE4Q=
=fNG3
-----END PGP SIGNATURE-----