Recently I upgraded my home router to this one. It is a cheap one, but it has features I needed: IPv6 support and Gigabit Ethernet.

So I decided to give IPv6 a try. I configured a Hurricane Electric tunnel, so every PC on my home LAN got a public IPv6 address. I configured the IPv4 firewall and NAT quite easily through the web interface, but the router has a very simple IPv6 firewall - it blocks anything incoming. So I disabled it and configured Windows Firewall on each individual PC.

Recently I tried to check the security of my network, so I did an Nmap scan of each host. Everything was OK until I got this output for my router:

```
Not shown: 992 closed ports
PORT     STATE    SERVICE
23/tcp   open     telnet
53/tcp   open     domain
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
7000/tcp filtered afs3-fileserver
9999/tcp filtered abyss

Nmap done: 1 IP address (1 host up) scanned in 16.55 seconds
```

And this was the public address (Client IPv6 Endpoint). Scanning the IP from the routed prefix gave the same results. telnet gives me a login prompt which accepts my router username and password (it's weird that the web interface doesn't listen on the IPv6 address). The router also does a DNS Proxy for my network, that's why port 53 is open.

How big of a security problem can this be? Is there anything I can do?

Update: I have contacted consumer support and they told me that they are considering implementing an IPv6 firewall in the next firmware version. It is going to have configurable rules.

I can disable DNS proxy service and set DNS servers on individual PCs. If I ignore the open telnet port, will I be safe enough?

Update 2: Actually, disabling the service didn't work as expected: it just stopped giving the router's IP as a DNS server through DHCP, so I configured the router to give my ISP DNS servers. It is still listening on the public IPv6 address. However, I managed to disable telnet entirely on both the IPv4 LAN and the IPv6 address.

Nazar554
  • Did you scan from inside your network or from an actual, outside host? Unless these services are also accessible from outside, there is no risk. – André Borie Sep 20 '15 at 19:13
  • @AndréBorie I scanned from HE site using IPv6 Portscan. Also tried other third party port scanner and had same results. – Nazar554 Sep 20 '15 at 19:52
  • Just for information, since you seem to try to get some functionalities out of a router like IPv6 and that security is a concern, are you aware of the [OpenWRT project](https://en.wikipedia.org/wiki/OpenWrt)? Its aim is to replace the router firmware by a free-software based alternative, the only limitation being to be sure to get a compatible router. – WhiteWinterWolf Sep 20 '15 at 20:00
  • So you are vulnerable (not so much because of telnet, but because of DNS). Do you mind throwing that router into the trash can and picking up an old PC with two NICs? – André Borie Sep 20 '15 at 20:00

2 Answers

Using the telnet interface over an insecure link (the Internet) is insecure, but simply having it there won't do much harm. The insecurity of telnet comes from its lack of encryption, but it's not an issue if you don't send anything sensitive through it in the first place.

However, what is more concerning is the DNS port that is open - it could be abused to attack other hosts through DNS amplification attacks (UDP being spoofable, an attacker sends a DNS request with the source IP being set to the attack's target IP, and your router in turn sends its reply to the target).

Finally, if all of these services are indeed available over the Internet, you should also consider whether the firmware of the router is reliable enough. I personally don't trust routers anymore; even if they seem secure, their firmwares often have hidden vulnerabilities like hardcoded passwords or CSRF vulnerabilities in their web interfaces.

André Borie
  • "*but simply having it there won't do much harm*": this may be true for a telnet server set up by ourselves, but does it remain true for a telnet server for which we may know all the accounts? It would not be something new for a router to have some kind of "[administrative access](http://securityaffairs.co/wordpress/20941/hacking/netgear-linkys-routers-backdoor.html)" the end-user may not be aware of... – WhiteWinterWolf Sep 20 '15 at 19:19
  • @WhiteWinterWolf that's what the last paragraph is for, though it isn't specific to telnet. A hidden backdoor is just as dangerous over SSH or the web interface. – André Borie Sep 20 '15 at 19:34
  • "*I personally don't trust routers anymore*" indeed, I agree. Routers being untrustable, the best solution would be then to either decide on a case-per-case basis if this router is part of the LAN, so it must be properly isolated from the Internet using a firewall, or part of the Internet access (ISP router being the typical example), then it must be properly isolated from the LAN, and in all cases it should not be used as a bridge between Internet and the LAN... which is sadly their main market and why most people buy them :(. – WhiteWinterWolf Sep 20 '15 at 19:53
  • @WhiteWinterWolf I don't trust routers because I don't trust anything that is marketed as an appliance (even the high end Cisco gear), and firewalls are part of that as well. I prefer using standard Linux PCs, at least I can keep them up to date and I don't get useless insecure crap like vulnerable web interfaces. – André Borie Sep 20 '15 at 19:56
  • Well, my bad, when I talked about "firewall", I was thinking about my little nice OpenBSD box sitting between me and my ISP thing ;). – WhiteWinterWolf Sep 20 '15 at 19:57
  • I have updated my question, seems I am lucky that web interface listens only on IPv4 address (which is LAN private). Is there a difference between DNS Relay and Proxy? – Nazar554 Sep 20 '15 at 20:18
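
A way to check the DNS exposure described in this answer, as an added example that is not part of the original post: it builds one ordinary A query and classifies the reply your own router sends to an outside host, including how much larger the reply is than the request. The function names and the constructed sample replies are assumptions made for illustration; the scan in the question showed 53/tcp, whereas this checks UDP, the transport the answer refers to.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """One A-record query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def assess(query, reply):
    """Classify what came back from the router's public address."""
    bad = {"verdict": "not a reply to our query", "amplification": 0.0}
    if reply is None:
        return {"verdict": "no reply", "amplification": 0.0}
    if len(reply) < 12 or reply[:2] != query[:2]:
        return bad
    flags, _qd, answers = struct.unpack("!HHH", reply[2:8])
    if not flags & 0x8000:                    # QR bit clear: not a response
        return bad
    rcode = flags & 0x000F                    # 0 = NOERROR, 5 = REFUSED
    recursion = bool(flags & 0x0080)          # RA (recursion available) bit
    resolved = recursion and rcode == 0 and answers > 0
    return {"verdict": "open resolver" if resolved else "answers, no recursion for us",
            "rcode": rcode,
            "amplification": round(len(reply) / len(query), 2)}

def probe(router_addr, name="example.com", timeout=3.0):
    """Send one UDP query to router_addr (an IPv6 literal) and assess the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (router_addr, 53))
            reply, _ = s.recvfrom(4096)
        except OSError:                       # timeout or ICMP unreachable
            reply = None
    return assess(query, reply)

def sample_open_reply(query):
    """Constructed sample: NOERROR + RA with one A record (192.0.2.1, a documentation address)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer

def sample_refused_reply(query):
    """Constructed sample: REFUSED, no RA bit, question echoed back."""
    return query[:2] + struct.pack("!HHHHH", 0x8105, 1, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_query("example.com")
    for reply in (sample_open_reply(q), sample_refused_reply(q), None):
        print(assess(q, reply))
```

Call `probe()` with the router's public IPv6 address from a host outside the LAN; a verdict of "open resolver" means the router resolves names for any sender, which is the condition the amplification concern depends on.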

This could be a risk if the telnet service exposed has any vulnerabilities. An example of one here, although the specific vulnerability will depend on the version of telnet used by your router.

Another possibility is if the telnet service has any backdoors or default passwords enabled.

Similar goes for the DNS service - you shouldn't expose services to the internet if you don't need them. Any vulnerabilities past, present or future could pose a risk to your infrastructure and you are needlessly increasing your attack surface.

If there's no way to disable telnet and DNS services on the internet interface, I would look at changing your router to something more suitable.

SilverlightFox