Re: Bastille and Comcast CVE IDs

On 2017-10-02 12:53, Kurt Seifried wrote:

> 1) Is this web server documented? (if not, stronger case for CVE)
Apparently not.

> 2) Is this web server needed to admin the device? E.g. my
> dsl/cablemodems both have a web server running on port 80/443, which
> show me a status page and allow login/admin if I access the page. Or
> is this web server running on a non-standard port for whatever
> purposes? (If yes, stronger case for a CVE)
Unknown, from what I've read I assume it has some intentional purpose, UPnP InternetGatewayDevice.

So do devices that have intentional web servers/services running for functional purposes need to document them?  Or just say "device supports UPnP?"

> 3) can this web server be disabled, in the sense of CAN it be
> disabled (is there a config switch for this), and/or does disabling
> it break the product? Is it needed? (If it can't be disabled then a
> stronger case for the CVE, conversely if not needed a stronger case
> as well)
Disable UPnP.

> 4) can the web server be contacted? (e.g. is it on localhost only,
> the LAN (e.g. semi trusted) interface only, or the WAN interface
> (e.g. the Internet)
Not remote/internet, some sort of internal LAN/WLAN.

So, I see "device runs web server as part of UPnP, on "internal" network(s) only."  Normal function, no specific vulnerability.  Yes, can be used by attacker (who has gained access via other means) to exfil the config.

 - Art