-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ### Device Details Vendor: Actiontec (Telus Branded, but may work on others) Model: T2200H Affected Firmware: T2200H-31.128L.08 Device Manual: http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manu al.pdf Reported: Sept 2018 CVE: Not needed since update is pushed by the provider. The Telus Actiontec T2200H is bonded VDSL2 modem. It incorporates 2 VDSL2 bonded links with a built-in firewall, bridge mode, 802.11agn wireless, etc. ### Summary of Findings The wireless extenders use DHCP Option 125 to include device details such as model number, manufacturer, and serial number. By forging a special DHCP packet using Option 125, an attacker can obtain the device serial number. Once he or she has this, the device’s admin web UI password can be reset using the web UI “forgot password” page to reset to a known value. ### Mitigation Do not use the serial number to initiate password resets. The serial number has other internal uses in the Web UI, which means there’s a higher chance of it being leaked inadvertently over the network. By using a different value, this risk can be mitigated since the reset value is only used for that purpose. -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE/rRUDraOzqmrp8tZoyRid8jQfpkFAlz9UFYACgkQoyRid8jQ fpkcfg/+PGb6cqsFln3ON6Z2DDWDr1e6SuYunj6cUvsM6gwjPFavNNSw4nCOa8HI hmL15anYEIF3Bkrvw3NDgf3n+8hRtMC7E4EewZyW1gpYeqRFZp+HPUhRMptaoy25 fMZOnzjIt4DKV8EueXdbvGK/ouGZa9TkK5ZMqskQR/FkhC9lytSFblz9l6ZMKEHB kGn0She5eTFx5U+pOQf/2tmJGUDZRka9OGA+RxXYGPRCwlElqS0QHcRnLTXo3zE4 iNACPDiVLAO/0Q61GEI6hgbcMFzWZZddPmvaY6ii3nXCmTxjJ7bWOKMBsBZwKCGe agXt7n3UvVY5LGFGG1q/FB1/+JvcnOmUh04FM7uhNgA+2vaQGjCQeaWaSMbkAggh Eoe6mKD2yA52tn7+RDPY1LOpYWBFXsNWCAlErsCOMyD/4CI3XyoNQyxvW0Icw2GZ PASDnOx9vBeqAprCVYHUsBy68OZvbRZZpzFTqiEe4ksiTCUxQZC2Xx5AI0+2wm0x Akw7s3mfmPywvEjuUCCxLzZlK1pHcVPnI0ngGNNN2/Tuo7fJaCEF2cELmKM6sDIP 1DVInZhEZBV8bpEJucIl7IN/zFbi+Pkq37MPfoKKeOkKfF+TvYGT3/okFplj4Z0s kIhsBD+M/YHAz9vYDFgC13ro3ph79HExwd63ctmirGBQgjeEE4Q= =fNG3 -----END PGP SIGNATURE-----