Oman’s stock exchange has fixed a serious router security misconfiguration after months of apparently ignoring the pleas of the researcher who tried to report it.
The technical aspect of this story dates back to a leaked list of 33,138 telnet credentials that appeared on Pastebin last June (telnet being an aging, vulnerable protocol once widely used by admins to manage network systems).
Although it later emerged that only 1,775 of these still worked, one that did was for a Huawei router that belonged to Oman’s Muscat Securities Market (MSM), as Dutch GDI Foundation researcher Victor Gevers discovered.
An enterprise model, this was running a telnet interface accessible with a default password and username of ‘admin’. Anyone finding this would have had admin-level privileges on a key piece of network infrastructure.
“Owning the network’ is a breeze,” Gevers told tech news site, ZDNet.
There’s no evidence that anyone did, but finding it using a port scanner wouldn’t have been a difficult exercise. Once located, default credentials are the first thing an attacker would try.
Gevers reportedly set about trying to contact the owners of each vulnerable telnet device but, in the case of the Omani Huawei router, failed to get anywhere.
He eventually contacted ZDNet with his story but even their help failed to make any headway.
As ZDNet says:
Several attempts by both Gevers and ZDNet over the past few months to contact Omani authorities and officials at the Omani consulate in New York by phone and email were unsuccessful.
Eventually, in the last few weeks, someone inside MSM noticed the router problem and (most likely) disabled external telnet access completely.
One could extract from this story a moral about treading carefully around things like telnet or changing default credentials, or simply using something more secure such as SSH.
But the even bigger problem in this incident was that the organisation using vulnerable equipment appears to have had no channel to receive bad news.
Security throws up lots of difficult problems but this, surely, should never be one of them.