Router WAN port passing out private IP?

jegesq

Recently came across this article in ComputerWorld by their security blogger Michael Horowitz who writes the "Defensive Computing" column.

http://www.computerworld.com/article/2887243/using-a-router-to-block-a-modem.html

The gist of the article is that many routers, including most Asus routers, will pass out an address that is supposed to be reserved for LAN-side only to the WAN port. The example he cites is that an address of "192.168.100.1" which is the IP address of many cable modems (including some of the most popular such as the SB6141 and SB6183 from Arris) can be passed freely out the WAN port (since this is how the cable modem connects, and it's WAN-side, not LAN-side). So that's an issue with the routers.

The issue with some modems that makes this router "flaw" of particular concern is that there's no way to password protect them. All of the Arris Surfboard routers come without any password protection, and in fact there's no way to implement a password at all in the firmware. Thus, all you need to do to access the cable modem's firmware GUI through a browser connected to the LAN is type 192.168.100.1, and boom, you're in.

Now there's not much you can do with these modems in terms of configuring them. In fact, all you really can do is reset them, or restore them to factory defaults (which would be bad, since it would then have to be re-enabled by your ISP just to work again).

Horowitz posits that this is a flaw in both the modem (since it doesn't come password protected and there's no way to enable one, something I can confirm since I own an SB6183) and the routers, since they shouldn't be passing a private reserved IP (one that can't be registered with IANA and that is within a range that is supposed to be reserved for internal LAN-side communication only), such as 192.168.x.x, to devices connected only on the WAN side.

His proposed solution is to enable Network Services Filtering and to block access to "192.168.100.1" in the destination-side IPs for TCP. Of course, that not only blocks potential malicious threats, it blocks your own access (unless you turn off the Network Services Filter first).

Personally, I don't know what to make of this and am unsure about blocking access to my own modem's GUI (even if only temporarily). How much of a real threat does this pose? I suppose someone could embed an image with some sort of malicious code that when viewed would enable a complete reset of those routers whose GUIs can be accessed without a password.

Any thoughts on this?
 
Horowitz isn't the only one who has written about this issue. At The Wirecutter, they also noted this as an update posted on January 23, 2015 to an older review of the Motorola-Arris SB6141:

Many cable modems, including the SB6141, are vulnerable to cross-site scripting attacks; an attacker can trick people on your network into running code that factory resets your modem. To prevent this, use your router's built-in firewall to block the modem's local IP address. For Motorola modems, it's 192.168.100.1. And change your router's administrator password from the default if you haven't already; this prevents a similar attack from taking control of your router.
 
For me that doesn't add up. Anything not intended for the default LAN should be sent to the default gateway, which is at your ISP's end. That's why people who want to be able to access their modem's webui actually need to configure a static route.
 
It doesn't make sense to me either.

They would need to come into your network first, before they can access the modem 'from the inside'.
 
Really confused. the whole article talks about blocking 192.168.100.1 access from the LAN side (like from 192.168.55.x subnet), but at the beginning it says "we need to configure the router to block WAN side access to 192.168.100.1."...so what exactly is he trying to say?

also, if there's a way to exploit the modem via (for example) a javascript that talks to 192.168.100.1 silently, then that is a HUGE vulnerability which the modem maker will need to patch ASAP because remember some people do connect their PC to the modem directly w/o a router.
 
No, the article suggests blocking the 192.168.100.1 as a destination in Network Services, thus blocking it from being sent out of the WAN port (which is how the GUI in the modem communicates with the router), the theory being that if the router cannot call up the GUI, any malicious code that may get through your firewall (e.g., by accessing a website and storing a copy of a jpeg or gif with a hidden malicious cross-site script embedded) will preclude code that sneaks into the LAN side from being triggered to communicate with a WAN-side device. That much is pretty clear and I don't think requires all that much explanation. The article even shows you how to accomplish blocking the modem's GUI from being accessed from the LAN side, with a nice picture of where to put the IP address you want blocked from sending out the WAN port on Asus and TP-Link routers.

The issue is that none of the more recent Arris-Motorola modems has a facility to password protect them. They are essentially wide open and anyone could reset the modem simply by having access to the LAN and typing in the modem's GUI IP address of 192.168.100.1.

Arris isn't going to "fix" this because I'm sure they don't view it as a problem.

The real issue is whether it's worth all the trouble to block access to the modem's GUI in the first place, i.e., how likely is it that someone would be able to embed some sort of malicious script into a webpage or image that would cause an Asus router to not only activate the modem's GUI, but also to issue a command to reset it, which as far as I know can only be done by actually causing the "factory reset button" to be pushed, as in using a mouse to do that. You can't get into the actual firmware of the SB6183 or SB6141 through the GUI at all, and as far as I know, there's no way for an end-user to even get at the firmware.
 
Actually I don't think a static IP from one's ISP is required at all. I can readily access my SB6183 cable modem's GUI from a LAN-side computer simply by typing "192.168.100.1." into a browser. I can't modify that IP at all in the cable modem, and it's hard-coded into the cable modem. The cable modem has no password.

My ISP is TWC and I do not have a static IP. Clearly, the IP address "192.168.100.1" is supposed to be a private, LAN-side only IP; it's a range designated as "private" by IANA (just like "10.10.x.x".) And yet, when I access the cable modem's GUI, isn't the only way that happens at all because my router is sending the private-range IP address of the GUI out the WAN port of the router to the cable modem, telling the modem to serve up the GUI to the router and thus to my browser?
 
Static route, not static IP. Completely different things.

Without a route for the 192.168.100.0/24 segment, the traffic is sent to the default gateway, which is your ISP.

The only situation this could be an issue is in a double NAT situation. And even then, if the modem allows anyone to access its interface without authentication, the security issue is with the modem, not the router.
 
Not quite sure I understand what you're saying. As I understand it, "static route" refers to a form of routing that occurs when a router uses a manually-configured routing entry, rather than information from a dynamic routing protocol to forward traffic. At least that's the definition of the term I've read in lots of places, including Wikipedia's entry for "static routing".

As Wikipedia says,
static routes are usually manually configured by a network administrator by adding in entries into a routing table though this may not always be the case. Unlike dynamic routing, static routes are fixed and do not change if the network is changed or reconfigured.

I can say without hesitation or qualification I've not configured any static routing. In fact, my AC66U is set so that static routes are NOT enabled (on the LAN>Route page the setting for "Enable Static Routes" is set at "No."). My WAN connection to my ISP is set to "Automatic IP" and I don't have to configure anything on the router.

Additionally, my modem doesn't handle NAT at all; that's handled by the AC66U, so there is no double NAT situation present.

So if I understand your last post correctly, the only way that my router should be able to pass a private IP out of the WAN port to the modem is if a static route is established in the router's routing tables. I've never looked or touched any tables, and am simply using whatever is configured in your own firmware (I'm currently using RMerlin FW 374.43).

Is there a static route entry in the tables in your firmware so that when accessing 192.168.100.1 from a LAN-side device to the modem it's routed to the modem? How would I be able to ascertain that info?

Or are you saying that my ISP gets the 192.168.100.1 request and sends it back to my modem? I find that hard to believe. My default gateway is in fact the router (an ipconfig /all shows that my default gateway is 192.168.1.1, or the address of my AC66U). So I'm not sure how a command to access the GUI at 192.168.100.1 would wind up going to my ISP's gateway and then back to the modem? Can you further explain for the benefit of the shut-ins?

Thanks. Oh, and I apologize in advance if I'm getting concepts confused, but really, I'd like to understand what you're saying.
 
Can you point me to where the bolded things are said in the article please.

My interpretation was different. The flaw is only in the modem, and a patch can be put into the router to prevent access to the flaw.
 
Fair enough. Your reading may very well be more correct than mine. My post reflects only my interpretation of the article, and in particular my impression that Horowitz was questioning not only the fact that the SB6183 and similar routers are not password protected, but also reflects his concern that a private IP range address is going out the WAN port, and how to block that from occurring. At least that's my take. If you're questioning why I used the term "flaw", I suppose I take responsibility for the use of that term, since that's how I interpreted what he was saying.
 
correct. at the most, someone on a pc would click on a (for example) "bad" javascript that would "factory reset" the modem (which really causes no harm other than takes longer to initialize stuff during the next bootup), and that's really the most the user can do. there's nothing in the modem's GUI that allows user to change any of the parameters, not even a firmware upgrade.

and like i said, not everyone is on a router and if a modem can be exploited that way that's really a modem vulnerability issue.
 
Agreed, it's a modem vulnerability issue. Certainly at least a potential modem inconvenience (because even a malicious resetting of the modem doesn't really cause any harm).

But that still doesn't help with an understanding as to why the private IP range address is being sent out the WAN-side of the router. I appreciate it's happening, but R. Merlin's post really didn't shed any light on it other than that this could occur under the conditions he specifically mentioned, and I don't believe those are applicable, at least not with my router or modem, i.e., no static route has been set up. Again, I'm just trying to understand why the private IP range is going out of the WAN port if it's supposed to be LAN-side only.
 
I'd occasionally wondered the same thing myself. I can also access my cable modem (192.168.100.1) from my LAN (192.168.1.x) without having to specify a static route.

On one hand this makes sense as all non-local traffic will go out through the default gateway. On the other hand 192.168.100.1 is a "non-routable" private address.

I had assumed that as 192.168.100.1 was "non-routable", traffic destined for it would not be forwarded to the WAN interface of the router. Having read RFC 1597 (http://www.faqs.org/rfcs/rfc1597.html) it appears to be the job of the destination router to reject the incoming traffic; "Routers in networks not using private address space, especially those of Internet service providers, are expected to be configured to reject (filter out) routing information about private networks". -- So that makes sense now.
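
Added example, not part of any post in this thread: a small Python model of the forwarding decision discussed above, covering both the default-route behaviour and the article's destination filter for 192.168.100.1 over TCP. The interface names (br0, eth0), the 203.0.113.0/24 WAN subnet and the table contents are constructed for illustration and are not taken from any router's firmware.

```python
import ipaddress

# Constructed routing table for a home router (assumed names and addresses):
# br0 = LAN bridge, eth0 = WAN port facing the cable modem.
ROUTES = [
    ("192.168.1.0/24", "br0"),   # connected LAN
    ("203.0.113.0/24", "eth0"),  # connected WAN subnet (documentation range)
    ("0.0.0.0/0", "eth0"),       # default route via the ISP gateway
]

# Deny list modelled on the article's filter: destination IP plus protocol.
DENY = [("192.168.100.1", "tcp")]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(dst):
    """True if dst lies in one of the private ranges."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in RFC1918)


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match. Note that it never asks whether dst is private."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(dst, proto, deny=(), routes=ROUTES):
    """Return (verdict, interface) for a packet arriving from a LAN host."""
    addr = ipaddress.ip_address(dst)
    for blocked_ip, blocked_proto in deny:
        if addr == ipaddress.ip_address(blocked_ip) and proto == blocked_proto:
            return ("drop", None)
    iface = egress_interface(dst, routes)
    if iface is None:
        return ("unreachable", None)
    return ("forward", iface)


if __name__ == "__main__":
    # Private destination, no LAN route covers it: the default route sends it out the WAN port.
    print(is_rfc1918("192.168.100.1"), forward("192.168.100.1", "tcp"))
    # Same packet with the filter in place is dropped; other traffic is unaffected.
    print(forward("192.168.100.1", "tcp", DENY))
    print(forward("198.51.100.7", "tcp", DENY))
    # The filter is TCP-only, so other protocols to the modem still pass.
    print(forward("192.168.100.1", "udp", DENY))
```

In this model an explicit 192.168.100.0/24 route pointing at eth0 selects the same interface as the default route does.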
 