ADB Pirelli Home routers in Spain and Argentina affected by critical flaws

The Spanish security researcher Eduardo Novella has disclosed details of two critical vulnerabilities affecting a specific ADB Pirelli home wireless router.

The security researcher at Dutch security audit firm Fox-IT, Eduardo Novella, has discovered two critical vulnerabilities affecting a model of ADB Pirelli home wireless router.

Novella decided to publicly disclose the vulnerabilities because the device manufacturer and the companies that are distributing the router on the market have ignored his reports.

This specific router, ADB Pirelli ADSL2 data gateway PDG A4001N, is provided by Spanish broadband provider Movistar and Argentinian ISP Arnet to their customers.

Novella discovered the first vulnerability in the Pirelli router early 2013, and he ethically reported it to both Pirelli and Movistar.

The researcher explained that it is very easy to exploit the flaw as reported in the official advisory:

“These routers are vulnerable to fetch HTML code from any IP public over the world. Neither authentication nor any protection to avoid unauthorized extraction of sensitive information,” he said.

The vulnerability coded as CVE-2015-0554 is an information disclosure flaw that could be exploited by an attacker to completely control the router settings and allow remote monitoring on home networks.

The vulnerability is serious because the attackers can exploit it to compose a botnet to run illegal activities (i.e. run a DDoS attack against a specific target.

The researcher also published the PoC code that can be used to extract session keys, the Wi-Fi’s network password, reboot the device, etc.

Novella suggests to disable the remote connection for secure the Pirelli router, another option for the owner of the Pirelli routers is to update the device’s firmware or install a third-party one (i.e. OpenWRT or DDWRT).

The second vulnerability discovered by Novella, coded CVE-2015-0558, could be exploited by an attacker to reverse-engineer the Pirelli router’s firmware and extract the default key generation algorithm and, consequently, to determine the device’s default Wi-Fi encryption keys.

Pierluigi Paganini

(Security Affairs –  ADB Pirelli, Hacking)