-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0158
         BigPond Wireless Broadband Gateway 3G21WB default account
                             14 November 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              BigPond Network Gateway 3G21WB
Operating System:     Network Appliance
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Unauthorised Access             -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
Member content until: Friday, December 14 2012

OVERVIEW

        Telstra have released a firmware update for at least one vulnerability
        in the BigPond Network Gateway (3G21WB). [1]


IMPACT

        The BigPond 3G21WB has been reported to have multiple vulnerabilities.
        [2]
        
        Detailed information is as follows:
        
        "a) Hard-coded credentials
         A user can authenticate to the web server running on the device using
         the credentials "Monitor:bigpond1". These credentials are hard-coded,
         and cannot be changed by a normal user.
        
         b) Command-injection vulnerability
         The "ping.cgi" web page is subject to a command-injection
         vulnerability, as the server-side script does not properly validate
         user-supplied input." [3]
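        The class of flaw described for "ping.cgi" above, shown as an added
        illustration that is not code from the 3G21WB firmware, Telstra or the
        exploit-db author: a handler that interpolates the user-supplied ping
        target into a shell line, beside a hardened handler that validates the
        target as an IP address or hostname and runs the binary with an argv
        list and no shell. The parameter name `target` and the use of /bin/sh
        are assumptions about how such a CGI typically builds its command;
        `echo` stands in for the real `ping` so the demonstration is harmless,
        and the inputs are constructed, not captured from a device.

```python
"""Command injection of the kind reported for ping.cgi: vulnerable vs hardened.

Added illustration, not firmware code.  Assumptions: the CGI takes a `target`
parameter and builds its ping command through /bin/sh; `echo` replaces `ping`.
"""
import ipaddress
import re
import subprocess

# Constructed inputs for the demonstration, not captured from a real device.
BENIGN_TARGET = "192.0.2.1"
INJECTED_TARGET = "192.0.2.1; echo INJECTED"

# RFC 1123 hostname labels: alphanumerics and hyphens, no leading or trailing
# hyphen.  Shell metacharacters and option-looking values ("-f") never match.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def vulnerable_shell_line(target: str) -> str:
    """The flawed pattern: user input interpolated into a single shell line."""
    return f"echo PING {target}"


def vulnerable_run(target: str) -> str:
    """Run the interpolated line through the shell, as the flawed CGI effectively
    does.  The ';' in INJECTED_TARGET ends the ping command and starts another."""
    return subprocess.run(
        vulnerable_shell_line(target), shell=True,
        capture_output=True, text=True, check=False,
    ).stdout


def valid_target(target: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or an RFC 1123 hostname."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(target) is not None


def hardened_argv(target: str) -> list:
    """Hardened form: validate, then build an argv list that never touches a
    shell.  '--' stops the binary from reading the value as an option."""
    if not valid_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["echo", "PING", "--", target]   # "echo" stands in for "ping"


def hardened_run(target: str) -> str:
    """Execute the validated argv directly (no shell, so no injection)."""
    return subprocess.run(
        hardened_argv(target), capture_output=True, text=True, check=False,
    ).stdout


if __name__ == "__main__":
    print("vulnerable, benign   :", vulnerable_run(BENIGN_TARGET).strip())
    print("vulnerable, injected :", vulnerable_run(INJECTED_TARGET).strip())
    try:
        hardened_run(INJECTED_TARGET)
    except ValueError as exc:
        print("hardened, injected   :", exc)
    print("hardened, benign     :", hardened_run(BENIGN_TARGET).strip())
```

        The allow-list check is deliberately stricter than "strip semicolons":
        rejecting anything that is not an address or hostname also blocks
        `$(...)`, backticks, pipes and leading hyphens, and the argv form means
        the shell is never consulted even if a bad value slipped through.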


MITIGATION

        Telstra have released a firmware update; however, detailed information
        about what it changes is not available. According to Telstra the
        firmware update provides "an important security enhancement". [1] It
        is not clear whether all publicly reported vulnerabilities have been
        resolved, so customers should verify after updating that the
        hard-coded account is no longer accepted.
        
        The update provided by Telstra only includes instructions for Windows
        users. Those without access to a Windows PC should contact Telstra for
        assistance. [1]
        
        In addition, customers can "disable web access on the WAN side". [3]
        This removes the remote exposure but does not remove the hard-coded
        account, which remains usable from the LAN side until the firmware
        fixes it.
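        A post-update check for the account described in [3], added here as an
        illustration and not code from Telstra or AusCERT. Assumptions: the
        gateway's web interface accepts HTTP Basic authentication (the advisory
        does not say which scheme the device uses) at the URL you pass in; a
        2xx response with the "Monitor:bigpond1" credentials means the account
        is still live, 401/403 means it is rejected, and no answer at all when
        probing from the WAN side is what the "disable web access on the WAN
        side" mitigation should produce. A device that uses a form login can
        return 200 for the login page regardless of the header, so confirm a
        2xx verdict by inspecting the body before treating it as accepted.

```python
"""Probe a gateway for the hard-coded Monitor:bigpond1 account.

Added illustration, not vendor code.  Assumes HTTP Basic authentication at
the given URL; adjust if the device uses a form-based login.
"""
import base64
import sys
import urllib.error
import urllib.request
from typing import Optional

USERNAME, PASSWORD = "Monitor", "bigpond1"   # credentials quoted in [3]


def basic_auth_header(username: str, password: str) -> str:
    """RFC 7617 Basic credential: 'Basic ' + base64('user:pass')."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def classify(status: Optional[int], error: Optional[str]) -> str:
    """Map an HTTP status (or a transport error) to a human-readable verdict."""
    if status is None:
        return f"unreachable ({error})"
    if status in (401, 403):
        return "rejected: hard-coded account no longer accepted"
    if 200 <= status < 300:
        return "ACCEPTED: hard-coded account still works (verify the body)"
    return f"inconclusive: HTTP {status}"


def probe(url: str, timeout: float = 5.0) -> str:
    """Send one authenticated GET and classify the outcome."""
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(USERNAME, PASSWORD)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, None)
    except urllib.error.HTTPError as exc:
        return classify(exc.code, None)
    except (urllib.error.URLError, OSError) as exc:
        return classify(None, str(exc))


if __name__ == "__main__":
    # Placeholder address; pass the gateway's real management URL as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.0.2.1/"
    print(target, "->", probe(target))
```

        Run it once from the LAN (to confirm the update rejects the account)
        and once from the WAN side (where "unreachable" is the expected and
        desired result once web access on that interface is disabled).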


REFERENCES

        [1] BigPond Elite Network Gateway firmware upgrade
            https://bigpond.custhelp.com/app/answers/detail/a_id/19015

        [2] BigPond Wireless Broadband Gateway 3G21WB default account
            http://xforce.iss.net/xforce/xfdb/79238

        [3] Hard-coded credentials and command-injection vulnerabilities on
            BigPond 3G21WB
            http://www.exploit-db.com/exploits/21992/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUKMfa+4yVqjM2NGpAQK+vxAAtLcMOoSL2n2LeqbIYp5UgjnhziRNjv+J
DwBJ9wpJyQeqQqgQVNc2Tr0mAkKFoW4eywq5iETp4/WKfbPK1WywB2KcyeXjAa3P
h/RAPn2b9ut58j+yDaBDfx7BoCC4aiEOzojhwgMedDV2ciGhfrG1bp8j8ZfwfTVK
e1xOzCvXgCUq065XNwKKevUx6zVVfe/4VKVXDLPs1LOl0o8xs1Cc+zLEK4eUfGbi
jnV1plmovQM+/mdYwQCdUhz0xfrlM4Jc02/IE54ScRDwkdEuCq+G4PltyNshy9j1
Vnn1NLqgt+p/gBhNBBONyz73aS2T+0uqsR8elU++/IlghV3yPsMzVWrwEmfsylgH
BkE5LYythVvVhTmjgCvD8WN8B8GmCuGuUmCaxdzOoDiwa0b/s3P7SIsnt5hytIvI
4PkrzKcY5SgNufYh5ZPe2y3J087zpMpKLhPsOoMYJQarmYSW3vGVMfHQJkNwDU+a
6xdKqmFFK/3J+Mlg5rZQiUsT5PYiItaitzfxn6T8wKwLvyhw5NQZTq+e2sFNf8zW
iLZTZfVn+my6JhqN//1YHZ1wQcxhFk/TbRH3W7dpPACqQTtADtk6wmkKHM9K/XM5
84UVjKtKf/540FWeBFWlPjLs3Ql+2FTordOIHDul6X11n2ZWjq8lCWp28dKZJRZa
59vN4aGYsOA=
=CQeq
-----END PGP SIGNATURE-----