btm02sf asked on

Security Scan Failed on Port 69 - UDP - TFTP Daemon

I have a business customer who is using a DLink DIR-825 router. Due to the nature of their transaction, the customer needs to be PCI compliant, and is using Security Metrics (securitymetrics.com) to scan their internet port for vulnerabilities.

The security scan has failed for port 69 - UDP for TFTP. Below are the details from the scan result:

Description: TFTP Traversal Arbitrary File Access

Synopsis: The remote TFTP server can be used to read arbitrary files on the remote host

Impact: The TFTP (Trivial File Transfer Protocol) server running on the remote host is vulnerable to a directory traversal attack that allows an attacker to read arbitrary files on the remote host by prepending their names with directory traversal sequences.

Data Received: SecurityMetrics was able to access a system file via the TFTP server using each of the following requests : /etc/passwd ../../../../../../../../../../etc/passwd

Resolution: Disable the remote TFTP daemon, run it in a chrooted environment, or filter incoming traffic to this port.

Risk Factor: High/ CVSS2 Base Score: 10.0

The router has the latest version of firmware/hardware. Last night I went into the advanced settings for the DLink router, clicked on Virtual Server, selected port 69 and UDP, and set Schedule = Never and Inbound Filter = Deny All.

Yet, the security scan has failed.

I am not sure what else should I change/configure on this router in order to disable the TFTP process. It is certainly not needed, so it can be terminated any time.

Any ideas and assistance would be very much appreciated. Thank you.
Topics: Networking Hardware-Other, Routers, Hardware Firewalls
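To make the scan finding concrete, here is an added Python illustration (not code from this thread, from D-Link, or from SecurityMetrics). It encodes and decodes TFTP Read Requests, shows the path-resolution defect a "TFTP Traversal Arbitrary File Access" finding describes beside a chroot-style hardened resolver, and includes a small reachability check that sends one harmless RRQ and interprets the reply, which is how you can confirm a firewall rule took effect without waiting several hours for a vendor re-scan. The served directory `/tftpboot`, the sample packets and the probe target address are constructed assumptions; nothing here was captured from the DIR-825.

```python
"""Added example, not code from the thread or from D-Link: the TFTP mechanics behind the
scan finding, plus a way to check whether UDP/69 still answers after a rule change.

Sample packets and paths below are constructed for illustration; nothing here was
captured from the DIR-825.
"""
import posixpath
import socket
from typing import Optional, Tuple

OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5          # TFTP opcodes (RFC 1350)
TFTP_PORT = 69


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Encode a TFTP Read Request: 2-byte opcode, filename, NUL, mode, NUL."""
    return OP_RRQ.to_bytes(2, "big") + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_rrq(packet: bytes) -> Tuple[str, str]:
    """Decode a Read Request as a server would; raise ValueError if malformed."""
    if len(packet) < 4 or int.from_bytes(packet[:2], "big") != OP_RRQ:
        raise ValueError("not a TFTP RRQ")
    fields = packet[2:].split(b"\0")
    # filename, mode, and the empty remainder after the terminating NUL
    if len(fields) != 3 or fields[2] != b"":
        raise ValueError("malformed RRQ")
    return fields[0].decode(), fields[1].decode().lower()


def resolve_unsafe(root: str, requested: str) -> str:
    """The defect the scan reported: the name is joined to the served directory with no
    check that the result stays inside it. An absolute name replaces the root outright
    and '../' sequences walk out of it, so both scanner requests reach /etc/passwd."""
    return posixpath.normpath(posixpath.join(root, requested))


def resolve_safe(root: str, requested: str) -> Optional[str]:
    """Hardened resolution: treat the served directory as the whole filesystem (what a
    chroot achieves), normalise, and refuse anything that does not land strictly under it.
    Returns None for a request that must be answered with a TFTP ERROR instead of data."""
    root = posixpath.normpath(root)
    prefix = root if root.endswith("/") else root + "/"
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if not candidate.startswith(prefix):
        return None
    return candidate


def classify_reply(reply: Optional[bytes]) -> str:
    """Turn a UDP reply (or a timeout) into what a re-scan would conclude."""
    if reply is None:
        return "no reply: port filtered or no daemon listening"
    opcode = int.from_bytes(reply[:2], "big") if len(reply) >= 2 else 0
    if opcode == OP_DATA:
        return "DATA: a daemon is listening and served the requested file"
    if opcode == OP_ERROR:
        code = int.from_bytes(reply[2:4], "big")
        msg = reply[4:].split(b"\0", 1)[0].decode(errors="replace")
        return f"ERROR {code} ({msg}): a daemon is listening, so the port is not filtered"
    return "unexpected reply: something is listening on the port"


def probe(host: str, timeout: float = 2.0) -> str:
    """Send one RRQ for a harmless, non-existent name and classify the answer. Run it from
    outside the customer's network against the router's public address (hypothetical;
    the address is not given in the thread). A timeout is the result you want to see."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_rrq("probe-file-that-does-not-exist"), (host, TFTP_PORT))
        try:
            reply, _ = sock.recvfrom(1024)
        except socket.timeout:
            reply = None
    return classify_reply(reply)


# Constructed TFTP ERROR packet: opcode 5, error code 1 ("File not found"), message, NUL.
SAMPLE_ERROR_REPLY = OP_ERROR.to_bytes(2, "big") + (1).to_bytes(2, "big") + b"File not found\0"

if __name__ == "__main__":
    root = "/tftpboot"                               # constructed served directory
    for name in ["/etc/passwd", "../../../../../../../../../../etc/passwd", "firmware.bin"]:
        print(f"{name!r}: unsafe -> {resolve_unsafe(root, name)}, safe -> {resolve_safe(root, name)}")
    print(classify_reply(None))
    print(classify_reply(SAMPLE_ERROR_REPLY))
```

The point of `classify_reply` is that UDP gives no positive signal for "blocked": a filter rule that works produces silence, while a daemon that is still reachable answers a bogus request with an ERROR packet. A scanner treats that ERROR as proof the service is alive, which is why a rule that merely schedules the port or forwards it elsewhere can still leave the finding open.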

Last comment: btm02sf, 8/22/2022 - Mon
strivoli

IMO: the schedule should be ALWAYS not NEVER.
You want the 69 UDP port to be ALWAYS DENIED.
ASKER
btm02sf

Hi strivoli. I just changed it to ALWAYS and saved the settings. I am attaching two screenshots for your review, in case you might see something else that is wrong. (Screenshots: "Virtual Server Restriction" and "Port restriction for UDP 69".)
strivoli

Thank you. After you've set it as ALWAYS, did you run a new Security Scan?
ASKER
btm02sf

Not yet. I was hoping that you would respond to let me know if anything else needs to be changed. I will call Security Metrics now and ask them to initiate a new security scan. It takes about 4-5 hours to complete, and when done, you get an email with the results, pass or fail. So I will not know the outcome until tomorrow morning. I will report back here sometime later tomorrow with the new scan results. Thank you for your fast response.
masnrock

Have you checked all of your port forwarding rules? If port 69 was open, I would be wondering on what machine. You should not need to set a blocking rule.
ASKER
btm02sf

Strivoli, even with the change made last night, the security scan failed.
Masnrock, there are no port forwarding rules set on the DLink 825 router.
I have no ideas left other than possibly changing the router with another brand to see if that will address the issue. I'll wait a little in case there will be other suggestions over the next couple of days.
strivoli

Is it (the DIR-825) "US Revision A", B or C?
ASKER CERTIFIED SOLUTION
strivoli

ASKER
btm02sf

Strivoli, I am not sure what revision it is, as I am not in the client's office at this time. You have a good point about getting a stronger router. This is the first time I have run into this type of problem. I will definitely look at routers better suited for business. I will go to the client's office later today and check the revision as well. Thank you.
strivoli

A picture taken with your smartphone of the bottom side of the DIR-825 would be great. That should show all the info regarding the DIR-825 itself.
Thank you.
masnrock

I don't know the client's budget, but you could recommend something like a SonicWall, which is designed for small businesses. Try port scanning the network yourself from another location and see what port 69 does without your extra rule. Also, is remote administration turned on or off on the router?
masnrock

Turn on the DMZ and set an IP address that is not in use. No port forwarding rules needed, and no money spent!
ASKER
btm02sf

My apologies to all who responded here. I was out of town for almost three weeks on vacation, and tried to stay away from computers and electronics as much as possible. After discussing this situation with someone who works in network security, and after reviewing all options of the DIR-825 router, there was not much to fix with the vendor firmware.

I was advised with two options:

1. To flash the router with open source firmware from http://www.dd-wrt.com/site/index or from https://openwrt.org/ and to reconfigure the router from scratch. The individual with whom I discussed this is a highly regarded network security expert and trainer, who deals with large corporations, as well as government and law enforcement agencies. He highly recommended one of the two sites, as they offer way more capabilities than standard firmware routers from various vendors.

2. To simply replace the DLink router with another router with better security features. I took my own Linksys EA3500 router to test it. Reconfigured it at the customer site, and called Security Metrics to initiate a new scan. They did, and I just got the results back: the Linksys EA3500 passed their stringent scanning, so this is a model which I will use over the weekend to resolve the situation at my client.

As far as the old router is concerned, if time allows it over the next few weeks, I will simply go to the two sites mentioned above, learn how to use the open source firmware, and possibly test the DIR-825 again with Security Metrics.

Hope this helps. Thank you for your patience in getting back with more information.