Security Scan Failed on Port 69 - UDP - TFTP Daemon

I have a business customer who is using a D-Link DIR-825 router. Due to the nature of their transactions, the customer needs to be PCI compliant, and is using Security Metrics (securitymetrics.com) to scan their internet-facing ports for vulnerabilities.

The security scan has failed for port 69 - UDP for TFTP. Below are the details from the scan result:

Description: TFTP Traversal Arbitrary File Access

Synopsis: The remote TFTP server can be used to read arbitrary files on the remote host

Impact: The TFTP (Trivial File Transfer Protocol) server running on the remote host is vulnerable to a directory traversal attack that allows an attacker to read arbitrary files on the remote host by prepending their names with directory traversal sequences.

Data Received: SecurityMetrics was able to access a system file via the TFTP server using each of the following requests: /etc/passwd and ../../../../../../../../../../etc/passwd

Resolution: Disable the remote TFTP daemon, run it in a chrooted environment, or filter incoming traffic to this port.

Risk Factor: High/ CVSS2 Base Score: 10.0

The router has the latest version of the firmware/hardware. Last night I went into the advanced settings for the D-Link router, clicked on Virtual Server, selected port 69 and UDP, and set Schedule = Never and Inbound Filter = Deny All.

Yet, the security scan has failed.

I am not sure what else I should change/configure on this router in order to disable the TFTP process. It is certainly not needed, so it can be terminated at any time.

Any ideas and assistance would be very much appreciated. Thank you.
btm02sfAsked:

strivoliCommented:
IMO: the schedule should be ALWAYS not NEVER.
You want the 69 UDP port to be ALWAYS DENIED.
btm02sfAuthor Commented:
Hi strivoli. I just changed it to ALWAYS and saved the settings. I am attaching two screenshots for your review, in case you might see something else that is wrong.
[Screenshots: Virtual Server Restriction; Port restriction for UDP 69]
strivoliCommented:
Thank you. After you've set it as ALWAYS, did you run a new Security Scan?
btm02sfAuthor Commented:
Not yet. I was hoping that you would respond to let me know if anything else needs to be changed. I will call Security Metrics now and ask them to initiate a new security scan. It takes about 4-5 hours to complete, and when done, you get an email with the results, pass or fail. So, I will not know the outcome until tomorrow morning. I will report back here sometime later tomorrow with the new scan results. Thank you for your fast response.
masnrockCommented:
Have you checked all of your port forwarding rules? If port 69 was open, I would be wondering on what machine. You should not need to set a blocking rule.
btm02sfAuthor Commented:
Strivoli, even with the change made last night, the security scan failed.
Masnrock, there are no port forwarding rules set on the D-Link 825 router.
I have no ideas left other than possibly replacing the router with another brand to see if that will address the issue. I'll wait a little in case there are other suggestions over the next couple of days.
strivoliCommented:
Is it (the DIR-825) "US Revision A", B or C?
strivoliCommented:
I must ask when I don't understand... your client stores valuable data, must be compliant with security rules and runs security scans. All that is good and anyone should do that, but... why does he use a "Home product" such as the DIR-825?

I think D-Link is a nice producer but, like many, it has Home and Business lines of products. Each one is targeted at a specific kind of market: Home requires "cheap" products and might accept weak security; Business cannot accept weak security and might accept higher prices.

Besides the issue regarding the TFTP port, I would in any case consider a stronger (even from D-Link) solution.
btm02sfAuthor Commented:
Strivoli, I am not sure what revision it is, as I am not in the client's office at this time. You have a good point about getting a stronger router. This is the first time I have run into this type of problem. I will definitely look at routers better suited for business. I will go to the client's office later today and check the revision as well. Thank you.
strivoliCommented:
A picture taken with your smartphone of the bottom side of the DIR-825 would be great. That should show all the info regarding the DIR-825 itself.
Thank you.
masnrockCommented:
I don't know the client's budget, but you could recommend something like a SonicWall, which is designed for small businesses. Try port scanning the network yourself from another location and see what port 69 does without your extra rule. Also, is remote administration turned on or off on the router?
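The scan finding quoted in the question shows exactly what the scanner did: two TFTP read requests for /etc/passwd, one plain and one with a directory-traversal prefix, both answered with file data. Reproducing that check yourself from outside the network, as suggested above, gives an answer in seconds instead of waiting 4-5 hours for a rescan. The script below is an added example written for this page; it is not code from the thread, from D-Link, or from SecurityMetrics. It builds the RFC 1350 read request, sends it to UDP/69 on a target you name on the command line (a placeholder, not the customer's address), and classifies the first reply: DATA means the daemon served the file (the scan would fail), ERROR means it answered but refused, and no reply means the port is filtered or nothing is listening. The sample replies embedded in SAMPLE_REPLIES are constructed for the offline demonstration, not captured from any real device.

```python
"""Reproduce the scanner's TFTP traversal check against UDP/69.

Added example, not from the original thread, D-Link or SecurityMetrics.
TARGET comes from the command line; SAMPLE_REPLIES are constructed bytes.
"""
import socket
import struct
import sys

# TFTP opcodes, RFC 1350 section 5.
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
TFTP_PORT = 69

# The two requests quoted verbatim in the scan finding.
PROBE_FILES = ("/etc/passwd", "../../../../../../../../../../etc/passwd")


def build_rrq(filename, mode="octet"):
    """Read request: opcode 1 | filename | NUL | mode | NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_error(code, message):
    """Error packet: opcode 5 | error code | message | NUL. Sent to abort a transfer."""
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def parse_reply(packet):
    """Classify the first datagram a TFTP server returns for an RRQ."""
    if len(packet) < 4:
        raise ValueError("truncated TFTP packet")
    opcode, field = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:
        # field is the block number; a payload under 512 bytes is the final block.
        return {"type": "DATA", "block": field, "data": packet[4:]}
    if opcode == OP_ERROR:
        message = packet[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return {"type": "ERROR", "code": field, "message": message}
    return {"type": "OTHER", "opcode": opcode}


def probe(host, filename, timeout=3.0):
    """Send one RRQ to host:69 and return the classified reply (network I/O)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_rrq(filename), (host, TFTP_PORT))
        # The server answers from a fresh source port (its transfer ID).
        packet, peer = sock.recvfrom(1024)
        reply = parse_reply(packet)
        if reply["type"] == "DATA":
            # Abort rather than ACK: one block is enough proof, do not pull the file.
            sock.sendto(build_error(0, "probe complete"), peer)
        return reply
    except socket.timeout:
        return {"type": "NO_REPLY"}  # filtered (the desired state) or no daemon
    finally:
        sock.close()


def verdict(results):
    """Map per-file replies to the scanner's pass/fail outcome."""
    types = {r["type"] for r in results.values()}
    if "DATA" in types:
        return "FAIL: TFTP served file contents"
    if types == {"NO_REPLY"}:
        return "PASS: no TFTP response on UDP/69"
    return "PASS: TFTP answers but refuses the requests"


# Constructed sample replies (not captured from any real device) so the
# classification can be exercised offline: one served block, one refusal.
SAMPLE_REPLIES = {
    "/etc/passwd": b"\x00\x03\x00\x01root:x:0:0:root:/root:/bin/sh\n",
    "../../../../../../../../../../etc/passwd": b"\x00\x05\x00\x02Access violation\x00",
}


def classify_samples():
    """Run the verdict over the constructed samples; returns a FAIL string."""
    return verdict({name: parse_reply(pkt) for name, pkt in SAMPLE_REPLIES.items()})


if __name__ == "__main__":
    if len(sys.argv) == 2:
        target = sys.argv[1]  # placeholder: the public address, probed from outside
        results = {f: probe(target, f) for f in PROBE_FILES}
        for name, r in results.items():
            print(f"{name}: {r}")
        print(verdict(results))
    else:
        print("offline sample:", classify_samples())
```

Run it from a host outside the customer's network (for example over a mobile connection), because the rule under test sits on the WAN side. The result you want after fixing the router is NO_REPLY for both requests; an ERROR reply still means a TFTP daemon is reachable from the internet, which is worth fixing even though the traversal check would pass. One caveat worth keeping in mind when reading the thread: a "virtual server" entry on a consumer router governs traffic forwarded to a LAN host, so if the daemon is a service of the router's own firmware listening on the WAN interface, changing that entry would not be expected to affect it, which is consistent with the rescan still failing after the rule was changed.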
masnrockCommented:
Turn on the DMZ and set an ip address that is not in use. No port forwarding rules needed, and no money spent!
btm02sfAuthor Commented:
My apologies to all who responded here. I was out of town for almost three weeks on vacation, and tried to stay away from computers and electronics as much as possible. After discussing this situation with someone who works in network security, and after reviewing all options of the DIR-825 router, there was not much to fix with the vendor firmware.

I was advised with two options:

1. To flash the router with open source firmware from http://www.dd-wrt.com/site/index or from https://openwrt.org/ and to reconfigure the router from scratch. The individual with whom I discussed this is a highly regarded network security expert and trainer, who deals with large corporations as well as government and law enforcement agencies. He highly recommended one of the two sites, as they offer far more capabilities than the standard firmware on routers from various vendors.

2. To simply replace the D-Link router with another router with better security features. I took my own Linksys EA3500 router to test it. I reconfigured it at the customer site and called Security Metrics to initiate a new scan. They did, and I just got the results back: the Linksys EA3500 passed their stringent scanning, so this is the model I will use over the weekend to resolve the situation at my client.

As far as the old router is concerned, if time allows over the next few weeks, I will simply go to the two sites mentioned above to learn how to use the open source firmware, and possibly test the DIR-825 again with Security Metrics.

Hope this helps. Thank you for your patience in getting back with more information.