btm02sf

Security Scan Failed on Port 69 - UDP - TFTP Daemon

I have a business customer who is using a DLink DIR-825 router. Due to the nature of their transaction, the customer needs to be PCI compliant, and is using Security Metrics (securitymetrics.com) to scan their internet port for vulnerabilities.

The security scan has failed for port 69 - UDP for TFTP. Below are the details from the scan result:

Description: TFTP Traversal Arbitrary File Access

Synopsis: The remote TFTP server can be used to read arbitrary files on the remote host

Impact: The TFTP (Trivial File Transfer Protocol) server running on the remote host is vulnerable to a directory traversal attack that allows an attacker to read arbitrary files on the remote host by prepending their names with directory traversal sequences.

Data Received: SecurityMetrics was able to access a system file via the TFTP server using each of the following requests : /etc/passwd ../../../../../../../../../../etc/passwd

Resolution: Disable the remote TFTP daemon, run it in a chrooted environment, or filter incoming traffic to this port.

Risk Factor: High/ CVSS2 Base Score: 10.0

The router has the latest version of firmware/hardware. Last night I went into the advanced settings for the DLink Router, clicked on virtual server, selected port 69 and UDP and selected schedule = Never and Inbound Filter = Deny All

Yet, the security scan has failed.

I am not sure what else I should change/configure on this router in order to disable the TFTP process. It is certainly not needed, so it can be terminated any time.

Any ideas and assistance would be very much appreciated. Thank you.
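
An added illustration (not part of the original thread, and not D-Link's firmware code) of why both request strings in the scan result reach a system file and what the "chrooted environment" resolution changes: it parses a TFTP read request and resolves the filename naively versus confined to a root directory. The function names and the root directory `/srv/tftp` are assumptions made for the example.

```python
import os
import struct

OP_RRQ = 1  # TFTP read-request opcode (RFC 1350)
# The two filenames quoted in the scan result above.
SCAN_REQUESTS = ["/etc/passwd", "../../../../../../../../../../etc/passwd"]

def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RRQ layout: 2-byte opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def parse_rrq(packet: bytes) -> str:
    """Return the requested filename from an RRQ, or raise ValueError."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        raise ValueError("not a read request")
    fields = packet[2:].split(b"\0")
    if len(fields) < 3 or not fields[0]:
        raise ValueError("malformed read request")
    return fields[0].decode("ascii")

def naive_path(root: str, requested: str) -> str:
    """Weak handling: an absolute name replaces root, and '..' climbs out of it."""
    return os.path.normpath(os.path.join(root, requested))

def confined_path(root: str, requested: str) -> str:
    """Hardened handling: resolve relative to root, refuse anything outside it."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("path escapes TFTP root")
    return candidate

def compare(root: str, names):
    """For each requested name, return (name, naive result, confined result)."""
    rows = []
    for name in names:
        requested = parse_rrq(build_rrq(name))
        try:
            safe = confined_path(root, requested)
        except PermissionError:
            safe = "REFUSED"
        rows.append((name, naive_path(root, requested), safe))
    return rows

if __name__ == "__main__":
    # "/srv/tftp" is a hypothetical TFTP root used only for this demo.
    for name, naive, safe in compare("/srv/tftp", SCAN_REQUESTS + ["firmware.bin"]):
        print(f"{name!r}: naive={naive} confined={safe}")
```
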
strivoli

IMO: the schedule should be ALWAYS not NEVER.
You want the 69 UDP port to be ALWAYS DENIED.
btm02sf

ASKER

Hi strivoli. I just changed it to ALWAYS, saved settings. I am attaching two screenshots for your review, in case you might see something else that is wrong.
Thank you. After you've set it as ALWAYS, did you run a new Security Scan?
btm02sf

ASKER

Not yet. I was hoping that you will respond to let me know if anything else needs to be changed. I will call Security Metrics now, and ask them to initiate a new security scan. It takes about 4-5 hours to complete, and when done, you get an email with the results, pass or fail. So, I will not know the outcome until tomorrow morning. I will report back here sometime later tomorrow, with the new scan results. Thank you for your fast response.
Have you checked all of your port forwarding rules? If port 69 was open, I would be wondering on what machine. You should not need to set blocking rules.
btm02sf

ASKER

Strivoli, even with the change made last night, the security scan failed.
Masnrock, there are no port forwarding rules set on the DLink 825 router.
I have no ideas left other than possibly changing the router with another brand to see if that will address the issue. I'll wait a little in case there will be other suggestions over the next couple of days.
Is it (the DIR-825) "US Revision A", B or C?
ASKER CERTIFIED SOLUTION
strivoli

This solution is only available to members.
btm02sf

ASKER

Strivoli, I am not sure what revision it is as I am not in the client's office at this time. You have a good point about getting a stronger router. This is the first time when I am running into this type of problem. I will definitely look at better suited routers for business. I will go to the client's office later today and check the revision as well. Thank you.
A picture taken with your smartphone of the bottom side of the DIR-825 would be great. That should show all the information regarding the DIR-825 itself.
Thank you.
I don't know the client's budget, but you could recommend something like a SonicWall, which is designed for small businesses. Try port scanning the network yourself from another location and see what port 69 does without your extra rule. Also, is remote administration turned on or off on the router?
Turn on the DMZ and set an IP address that is not in use. No port forwarding rules needed, and no money spent!
btm02sf

ASKER

My apologies to all who responded here. I was out of town for almost three weeks on vacation, and tried to stay away from computers, and electronics as much as possible. After discussing this situation with someone who works in network security, and after reviewing all options of DIR-825 router, there was not much to be fixed with the vendor firmware.

I was advised with two options:

1. To flash the router with open source firmware from http://www.dd-wrt.com/site/index or from https://openwrt.org/ and to reconfigure the router from scratch. The individual with whom I discussed this is a highly regarded network security expert and trainer, who deals with large corporations, as well as government and law enforcement agencies. He highly recommended one of the two sites, as they offer way more capabilities than standard firmware routers from various vendors.

2. To simply replace the DLink router with another router with better security features. I took my own Linksys EA3500 router to test it. Reconfigured it at the customer site, and called Security Metrics to initiate a new scan. They did, and I just got the results back: the Linksys EA3500 passed their stringent scanning, so this is a model which I will use over the weekend to resolve the situation at my client.

As far as the old router is concerned, if time will allow it over the next few weeks, I will simply go to the two sites mentioned above, to learn how to use the open source firmware, and possibly, to test again the DIR-825 with Security Metrics.

Hope this helps. Thank you for your patience in getting back with more information.