Netopia DSL Router Vulnerability

BID:1177

Info

Bugtraq ID: 1177
Class: Access Validation Error
CVE:
Remote: Yes
Local: Yes
Published: May 16 2000 12:00AM
Updated: May 16 2000 12:00AM
Credit: This vulnerability was posted by Stephen Friedl to the Bugtraq mailing list on Mon, 8 May 2000.
Vulnerable: Netopia R-series routers 4.6.2
Not Vulnerable:

Discussion

All R-series platforms with firmware between 4.3.8 and 4.6.2 (inclusive) allow users who already have access to the router to modify SNMP tables that they should not be able to access. The router has a command-line mode that is reached by typing Control-N after the user has passed the initial login test. At the "#" prompt, most management of the device is then possible, including setting SNMP community strings in spite of the limitation imposed by the administrator.

The following devices are confirmed as vulnerable:

R2020 Dual Analog Router
R3100 ISDN Router
R3100-I IDSL Router
R3100-T IDSL router for Covad
R3232-I IDSL 4-IMUX router
R5100 Serial router
R5200 DDS router
R5220 DDS router w/ V.90 backup
R5300 T1 router
R5320 T1 router w/ V.90 backup
R5331 T1 router w/ ISDN backup
R7100-C SDSL router
R7120 SDSL Router w/int V.90
R7131 SDSL router w/int ISDN
R7171 SDSL 2x IMUX router
R7200-T SDSL router for Covad
R7220 SDSL router w/int.V.90
R7231 SDSL router w/int ISDN
R9100 Ethernet-to-ethernet Router

Exploit / POC

As detailed in the original message on this subject (cited in the Credit section):

# set snmp community RO wookie
or
# set snmp community RW wookie

The exploit can only be attempted by those who already have login access to the device.

Solution / Fix

Solution:
Download version 4.6.3 of the firmware.


Netopia R-series routers 4.6.2
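
To find which routers still need the 4.6.3 upgrade, the following added example (not part of the original advisory or any Netopia tooling) classifies a device inventory against the affected firmware range stated above. The three-column inventory format and the hostnames are assumptions constructed for illustration.

```python
import re

# Affected range and fixed release as stated in the advisory.
FIRST_AFFECTED = (4, 3, 8)
LAST_AFFECTED = (4, 6, 2)
FIXED = (4, 6, 3)

# Constructed sample inventory; "hostname model firmware" per line is an assumed format.
SAMPLE_INVENTORY = """\
# hostname   model     firmware
branch-01    R7100-C   4.6.2
branch-02    R9100     4.6.3
branch-03    R5300     v4.3.8
lab-01       R3100     4.3.7
lab-02       R7220     4.4
lab-03       R2020     unknown
"""

def parse_version(text):
    """Return a 3-tuple of ints for '4.6.2' or 'v4.4'; None if unparseable."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(version_text):
    """Map a firmware string to a triage status for this advisory."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # needs manual review; never assume it is safe
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "vulnerable"
    # Releases older than 4.3.8 are outside the range the advisory covers.
    return "fixed" if version >= FIXED else "outside-range"

def triage(inventory_text):
    """Return (hostname, model, firmware, status) for each inventory line."""
    results = []
    for line in inventory_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) != 3:
            continue  # skip blank, comment-only, or malformed lines
        host, model, firmware = fields
        results.append((host, model, firmware, classify(firmware)))
    return results

if __name__ == "__main__":
    for host, model, firmware, status in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {model:8} {firmware:8} {status}")
```

Devices reported as "vulnerable" or "unknown" are the ones to schedule for the firmware update or check by hand.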
