Phoenix Sistemi Security reports several security problems in ELSA Lancom 1100 Office. An attacker can steal the RAS password, change routing tables, and place a modified firmware to sniff data.
ELSA Lancom 1100 Office has to be configured through a browser over a plain HTTP connection on port 80 of the router IP. An intruder can connect with a browser to the router IP (from the intranet or the Internet) and change the routing tables or steal the RAS password, which is displayed in a field masked with asterisks. The password is stored in clear text in that field and can be read simply by viewing the HTML source of the page.
That is not all: the firmware can also be upgraded remotely from the appropriate page in the configuration menu, so an attacker can upload a customized firmware that sniffs all data passing through the router.
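The clear-text password problem described above can be checked for on any web-managed device you administer: a password field that is "masked" only visually still ships the secret in the page's `value` attribute. The following audit script is an added example and is not code from the advisory or from ELSA; it parses a configuration page with the standard-library HTML parser and reports the names of password fields that arrive pre-filled, without printing the secret itself. The two sample pages embedded below are constructed for the example and do not reproduce the router's real form layout or field names.

```python
"""Audit an HTML page for password inputs whose value is pre-filled by the server."""
import sys
from html.parser import HTMLParser


class PrefilledPasswordFieldAuditor(HTMLParser):
    """Collect the names of <input type="password"> elements that carry a non-empty value."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0   # total password inputs seen
        self.prefilled = []        # names of password inputs with a non-empty value attribute

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        # Attributes without a value (e.g. <input disabled>) come back as None.
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "text").lower() != "password":
            return
        self.password_fields += 1
        if a.get("value", "").strip():
            # Record only the field name, never the leaked value.
            self.prefilled.append(a.get("name", "<unnamed>"))


def find_prefilled_password_fields(html: str) -> list:
    """Return the names of password fields that the server pre-filled with a secret."""
    auditor = PrefilledPasswordFieldAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.prefilled


# Constructed sample: the RAS password is echoed back into the masked field.
SAMPLE_PAGE_LEAKY = """
<html><body>
<form method="post" action="/config">
  Remote user: <input type="text" name="ras_user" value="dialin">
  RAS password: <input type="PASSWORD" name="ras_password" value="s3cret">
  Admin password: <input type="password" name="admin_password" value="">
  <input type="submit" value="Save">
</form>
</body></html>
"""

# Constructed sample: the form asks for the password but never sends it back.
SAMPLE_PAGE_SAFE = """
<html><body>
<form method="post" action="/config">
  RAS password: <input type="password" name="ras_password">
  Confirm: <input type="password" name="ras_password2" value="">
</form>
</body></html>
"""


if __name__ == "__main__":
    # Usage: python audit_password_fields.py saved_config_page.html
    # Save the page source from your own device first; the script works offline.
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            leaked = find_prefilled_password_fields(fh.read())
    else:
        leaked = find_prefilled_password_fields(SAMPLE_PAGE_LEAKY)
    if leaked:
        print("pre-filled password fields (secret present in HTML source):", ", ".join(leaked))
    else:
        print("no pre-filled password fields found")
```

Run it against a saved copy of your own device's configuration page; any name it reports is a field whose secret is readable by anyone who can load the page, which is exactly the exposure the advisory describes. The script deliberately reports field names only, so the output can be attached to a ticket without copying the credential into it.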
Solutions & Recommendations:
Changing the configuration port is a good idea to prevent random attacks. Another good idea would be to restrict access to first-time configuration to internal IP addresses only. The RAS password should be stored separately from the HTML page, or that part of the configuration could be handled with JavaScript.
An easy user-side solution is to install a firewall with appropriate rules, so that no one from the Internet can reach the router's configuration interface.