Lingo VoIP ATA / UTStarcom iAN-02EX remote access vulnerability

[Atom Smasher <atom () smasher org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

after unsuccessfully attempting to find contact information of anyone who 
can address or correct this, here's a public disclosure.

Vulnerability Name
  Lingo VoIP ATA / UTStarcom iAN-02EX remote access vulnerability

Overview
  the UTStarcom iAN-02EX is a VoIP ATA currently being used by Lingo (and 
other VoIP providers?). this advisory is specific to the configuration of 
the iAN-02EX device as currently shipped by Lingo, and may or may not 
apply to other configurations of the device. the default configuration 
leaves the ATA vulnerable to unauthorized remote access.

Description
  using the default password, a remote attacker may access the device via 
the WAN port. this problem is compounded by Lingo's recommendation that 
the device should be placed between a broadband modem and router 
("recommended method"). this configuration makes the ATA's WAN port 
accessible from the public internet.

Impact
  an attacker may cause a denial of service for voice and/or data traffic. 
an attacker may gain access to a customers speed-dial list and modify that 
list (this may be particularly dangerous if the attacker is a scorned 
ex-lover or overzealous admirer). an attacker may gain gain access to 
other areas of the LAN behind the ATA (by specifying it as a DMZ or port 
forwarding). an attacker may change the default password (the ATA doesn't 
appear to have a customer accessible hardware reset, which could compound 
a password problem). an attacker may cause other havoc for the VoIP 
customer.

Solution
  this vulnerability can be mitigated by not allowing login access via 
WAN. at the very least this feature should be disabled by default. ideally 
access via the WAN port should require that the default password is 
changed.

References
  http://www.utstar.com/Solutions/CPE/VoIP_CPE/
  http://www.utstar.com/Solutions/Document_Library/CPE/docs/SS_UTiAN02EX.pdf
  http://www.lingosupport.com/
  http://www.lingosupport.com/install_multi_01.html


- -- 
        ...atom

 _________________________________________
 PGP key - http://atom.smasher.org/pgp.txt
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
 -------------------------------------------------

        "Your password must be at least 18770 characters and
         cannot repeat any of your previous 30689 passwords.
         Please type a different password. Type a password
         that meets these requirements in both text boxes."
                -- Microsoft takes security seriously in
                Knowledge Base Article Q276304.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)
Comment: What is this gibberish?
Comment: http://atom.smasher.org/links/#digital_signatures

iQEcBAEBCAAGBQJCK/Y8AAoJEAx/d+cTpVcieigH/2tclaF4CvkvQfgdOt3emrcT
XZK2a3K3gx9p1Cdy5pbXYSN+oh9EvV+LadYljASxl0IV1Kn32OZQMLJbfRTjJHf5
XaU4HIFS2n8Q/+HSVfOQCCOb1RAulD7Hpgj+/omh9kS4dHQdHJ3jBwQe9NCqF8M4
DG/H5uzB3SFuzDQemYuZOh5qnqNxUsI5TiTXAzww31tuR240sABiwGDB8eurEub3
+FWXcj9ytWMGdbk+Jq+J4MR1dDzv+pcK7cSQHUiEKtUJp0XrfyMJpgxMGxPFHWX9
T+8qM1lJw+7DNsSih6TY0OGRygVZezPpgPKZY0dDJpRvw651McQi+klWCeQU30c=
=VsqM
-----END PGP SIGNATURE-----