
Avast detects ROM-0 vulnerability on 3BB 1P DSL Router



Posted

I've run the Avast Home Security Scan, which detects the 'ROM-0 vulnerability' on my 3BB 1P DSL Router. Digging deeper into the issue, the general solution is to install a firmware upgrade, but having checked the 3BB site for this router in both Thai and English, there simply are no recent firmware upgrades available, and no mention of the vulnerability.

I could contact their technical service, but I've already had a problem with one of their routers that did not get adequately resolved. Perhaps this is a 'false-positive' with the Avast software - but perhaps not. Anyone else coming across this issue???

Posted

The ROM-0 vulnerability is detailed on the Root@Nasro blog, affecting TP-Link and Zyxel consumer routers.

Most consumer home modem/routers contain a web interface for easy configuration. On many units this web interface can also be accessed remotely from the Internet. Normally someone would need to know the modem/router password to gain entry.
The ROM-0 vulnerability described on the blog page details how many modem/routers allow the 'configuration' to be downloaded ... and the mechanism that allows this download IS NOT PROTECTED and can be easily read to retrieve the master password !!!
"I've found out that the rom-0 file is located on "IP/rom-0" and the directory isn't password protected or anything. So we are able to download the configuration file which contains the "admin" password."

The writer was then able to submit the special/compressed "Backup" file to a website that automatically returns the contents as clear text.
The blog writer suggests a working fix would be to create a PORT 80 FORWARD to a non-working IP address on your network. If this is in place, then anyone attempting to access your web interface remotely from the outside would be redirected to an unused IP address and ultimately fail to connect.
A second blogger writes that Port 80 forwarding may not work, but has another suggestion:

EgyptianVulture writes:

"Luckily, the firmware does provide another access method to change the router's settings, but it's not mentioned in the user manual. The second access method is the CLI, which can be accomplished by using PuTTY or Telnet. Here I used telnet from Windows. Now you go with the following steps to prevent the flaw:

  1. [ First, RECORD any/all settings required by your router to connect to your service provider. ]
  2. You need to reset the router to factory default settings by pressing the reset button. You need to do this to ensure a safe configuration for your router.
  3. Go to the web interface of your router, which can be accessed from 192.168.1.1, and update your router settings with your ISP information.
  4. Under Maintenance, change the default password from admin to anything you want, and don't forget it, as you will need it later on.
  5. Open cmd and type the following commands line by line:

>telnet 192.168.1.1
Password: <type your router password>
Copyright © 2001 - 2011 TP-LINK TECHNOLOGIES CO., LTD.
TP-LINK> sys server load
TP-LINK> sys server access ftp 1
TP-LINK> sys server access web 1
TP-LINK> sys server access icmp 1
TP-LINK> sys server access tftp 1
TP-LINK> sys server access snmp 1
TP-LINK> sys server access telnet 2
TP-LINK> sys server save
sys server: save ok

That's all you need, and now your router is safe from the rom-0 attack."

Well, according to THEM that's all you need.
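A way to check the exposure the two quoted posts describe, added here as an example and not code from the forum post, the Root@Nasro blog or EgyptianVulture: a small Python script that requests /rom-0 from the router without credentials and reports only whether a file was served, so you can run it against your own router to see whether the web interface hands out the backup. The path /rom-0 and the LAN address 192.168.1.1 come from the posts; the sample responses in the block are constructed, the classification rules are my assumptions, and no real rom-0 signature is used. The CLI fix quoted above restricts access on the WAN side, so a check from inside the LAN may still report the file as served; confirming that the WAN side is closed requires the same request made from outside your own network.

```python
"""Self-check for the ROM-0 exposure discussed in the thread (added example).

Assumes the router serves its configuration backup at http://<router-ip>/rom-0,
as the quoted posts state. The reply is classified by status code and shape
only; the file itself is never saved or decoded.
"""
import sys
import urllib.error
import urllib.request

EXPOSED, PROTECTED, ABSENT, UNKNOWN = "exposed", "protected", "absent", "unknown"


def classify_rom0_response(status, content_type, body):
    """Decide what an HTTP reply to an unauthenticated GET /rom-0 tells us.

    status       -- HTTP status code (int)
    content_type -- Content-Type header value, or "" if absent
    body         -- leading bytes of the response body
    The rules below are assumptions for this example, not vendor documentation.
    """
    ct = (content_type or "").lower()
    if status in (401, 403):
        return PROTECTED          # interface demanded credentials or refused
    if status == 404:
        return ABSENT             # firmware does not expose the path at all
    if status == 200:
        # A served backup is a binary blob. A 200 carrying HTML is typically
        # a login form or error page rather than the file.
        looks_html = "text/html" in ct or body.lstrip()[:1] == b"<"
        if looks_html or len(body) == 0:
            return PROTECTED
        return EXPOSED
    return UNKNOWN                # 3xx/5xx etc.: inconclusive, inspect by hand


def fetch_rom0(router_ip, timeout=5.0, max_bytes=4096):
    """GET http://<router_ip>/rom-0 with no credentials and classify the reply.

    Only the first max_bytes are read, enough to tell HTML from a binary blob.
    Returns one of EXPOSED, PROTECTED, ABSENT, UNKNOWN.
    """
    req = urllib.request.Request(
        f"http://{router_ip}/rom-0", headers={"User-Agent": "rom0-selfcheck"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(max_bytes)
            return classify_rom0_response(
                resp.status, resp.headers.get("Content-Type", ""), body
            )
    except urllib.error.HTTPError as err:
        return classify_rom0_response(
            err.code, err.headers.get("Content-Type", ""), b""
        )
    except (urllib.error.URLError, OSError):
        return UNKNOWN            # nothing answered on port 80 at that address


# Constructed sample replies (not captured from any real router) so the
# classifier can be exercised offline.
SAMPLE_RESPONSES = {
    "served binary": (200, "application/octet-stream", b"\x00\x10\x7a\x01" + b"\x00" * 60),
    "login page":    (200, "text/html", b"<html><body>Login required</body></html>"),
    "auth required": (401, "text/html", b""),
    "forbidden":     (403, "text/plain", b""),
    "not present":   (404, "text/html", b""),
    "server error":  (500, "text/html", b""),
}


def classify_samples():
    """Run every constructed sample through the classifier; returns name -> verdict."""
    return {name: classify_rom0_response(*reply) for name, reply in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    # Usage: python rom0_selfcheck.py [router-ip]; default is the LAN address
    # given in the post. Run this only against a router you own.
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(f"{ip}/rom-0: {fetch_rom0(ip)}")
```

A verdict of "exposed" from the LAN means the interface serves the backup to anyone who can reach port 80; whether that includes the Internet depends on the remote-management setting the quoted CLI commands change, which is why the outside-in check is the one that settles it.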


1 month later...
Posted

I received the same result when I did the Avast scan 3 days ago. Is it a false positive from the scan? Who knows !!!

I rang 3bb and they eventually rang back after 2 days. I was on the phone for 45 minutes with the "technician", who didn't really understand what I was saying to her. In the end she gave up and said she would send someone out. Two guys arrived and I explained and showed them the screen with the results of the scan. As they both had limited English, I am not sure they really understood what I was trying to explain to them.

Blank looks followed, and then one of them went over to the router and felt it!!!

He said it was too hot and I should get it replaced.

He looked at the screen again and then rang someone who asked to speak to me. This lady spoke good English and said she understood when I told her the scan results were showing the router had been hacked.

I then passed the phone back and the guy proceeded to write a note out in Thai for the 3bb shop.

They then left.

When my wife came home the translation was......................... wait for it.

The shop had to check if the guarantee had expired and if so charge me for a new one!!!!!

I had already told him the router was 13 months old so the guarantee had expired.

Anyway, that was not the problem, apart from the router being "too hot" according to the "technician".

They were about as much use as a chocolate teapot !!!

The problem as I see it is that 3bb just use a default login for the router and you cannot change it to your own username and password, which obviously makes it vulnerable.

Also there is no manual option to change the settings, most of the boxes are blanked out.

I did notice with the scan, however, that the router does use the latest encryption, WPA2, which the scan said it wasn't using. They also offered an add-on to the system for 66 pounds sterling that bypasses the DNS settings that have allegedly been infected.

Is this all to do with a marketing ploy? I wouldn't like to say.

The worry is, if this scan is accurate, I would suggest that everyone who has a 3bb router is just as vulnerable to this same scenario.
