### Device Details  
Vendor: Actiontec (Telus Branded, but may work on others)  
Model: T2200H  
Affected Firmware: T2200H-31.128L.08  
Device Manual:  
http://static.telus.com/common/cms/files/internet/telus_t2200h_user_manual.pdf  
  
Reported: Sept 2018  
CVE: Not needed since update is pushed by the provider.  
  
The Telus Actiontec T2200H is a bonded VDSL2 modem. It  
incorporates 2 VDSL2 bonded links with a built-in firewall, bridge mode,  
802.11agn wireless, etc.  
  
### Summary of Findings  
The wireless extenders use DHCP Option 125 to include device details  
such as model number, manufacturer, and serial number. By forging a  
special DHCP packet using Option 125, an attacker can obtain the device  
serial number.  
  
With the serial number, the attacker can use the web UI “forgot password”  
page to reset the device’s admin web UI password to a known value.  
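
A defender can check what a device discloses by decoding Option 125 from a packet capture of their own network. The parser below is an added example, not code from the advisory; it follows the RFC 3925 layout and assumes TR-069 sub-option numbering under enterprise number 3561, which the advisory does not confirm for this device. The sample bytes are constructed.

```python
import struct

# TR-069 sub-option names (enterprise 3561): an assumption, not from the advisory.
BBF_ENTERPRISE = 3561
BBF_SUBOPTS = {1: "DeviceManufacturerOUI", 2: "DeviceSerialNumber",
               3: "DeviceProductClass", 4: "GatewayManufacturerOUI",
               5: "GatewaySerialNumber", 6: "GatewayProductClass"}
SERIAL_SUBOPTS = {2, 5}


def parse_option_125(payload: bytes) -> list[tuple[int, int, bytes]]:
    """Parse an RFC 3925 option 125 value into (enterprise, code, data)."""
    out, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 5:
            raise ValueError("truncated enterprise header")
        enterprise, data_len = struct.unpack_from("!IB", payload, pos)
        pos += 5
        block = payload[pos:pos + data_len]
        if len(block) != data_len:
            raise ValueError("enterprise block exceeds option length")
        pos += data_len
        sub = 0
        while sub < len(block):
            if len(block) - sub < 2:
                raise ValueError("truncated sub-option header")
            code, sub_len = block[sub], block[sub + 1]
            data = block[sub + 2:sub + 2 + sub_len]
            if len(data) != sub_len:
                raise ValueError("sub-option exceeds enterprise block")
            out.append((enterprise, code, data))
            sub += 2 + sub_len
    return out


def serial_disclosures(payload: bytes) -> list[str]:
    """Names of serial-number sub-options present in the payload."""
    return [BBF_SUBOPTS[code] for ent, code, _ in parse_option_125(payload)
            if ent == BBF_ENTERPRISE and code in SERIAL_SUBOPTS]


def _subopt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


# Constructed sample: placeholder OUI, serial and product class values.
_body = (_subopt(4, b"AABBCC") + _subopt(5, b"SERIAL-PLACEHOLDER")
         + _subopt(6, b"EXAMPLE-CLASS"))
SAMPLE = struct.pack("!IB", BBF_ENTERPRISE, len(_body)) + _body
```

Any non-empty result from `serial_disclosures` on captured Option 125 bytes means the serial number is readable on the LAN and should not double as a reset secret.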
  
### Mitigation  
Do not use the serial number to initiate password resets.  
  
The serial number has other internal uses in the Web UI, which means  
there’s a higher chance of it being leaked inadvertently over the  
network. Using a different value that serves only as the reset value  
mitigates this risk.  
  
  
  