We have a 2wire as follows; how can we close/disable it?
thanks in advance
Model: BT2700HGV
Hardware Version: 2701-100589-005
Firmware Version: 6.3.9.63-plus.tm
It is failing a security audit due to port 50001 being open for TCP (it was used by 2wire for remote diagnostics but is now a known security issue):
Title: TLS Protocol Session Renegotiation Security Vulnerability Impact: The vulnerability allows man-in-the-middle attack.
Resolution: For OpenSSL, [http://www.openssl.org/source/] upgrade to 0.9.8l or higher. For Microsoft IIS web servers, install the appropriate patch available through [http://technet.microsoft.com/en-us/security/bulletin/MS10-049] Microsoft Security Bulletin 10-049. For other types of products, consult the product documentation.
Risk Factor: Medium/ CVSS2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P) CVE: CVE-2009-3555 BID: 36935
I contacted Security Metrics and they've told me the problem isn't that the port is open, the problem is that it doesn't allow secure renegotiation on the port.
You can test it with nmap and openssl
nmap -sV -PN -p50001 <your-ip-address>
which will tell you it's running OpenSSL, then use openssl s_client command:
openssl s_client -connect <your-ip-address>:50001
and that'll tell you: Secure Renegotiation IS NOT supported
OpenSSL advises against using connections that don't support renegotiation because it's been used in attacks http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATION
So when BT say it's an error with Security Metrics they are wrong.
We solved the issue by replacing the router, and regained our PCI compliance.
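The check described in the post above, as an added example that is not part of the original thread: a Python script that does at the wire level what `openssl s_client` reports as "Secure Renegotiation IS (NOT) supported". It sends a TLS 1.2 ClientHello carrying the RFC 5746 renegotiation_info extension and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite, then reads the ServerHello and looks for the extension echoed back. It also wraps the `openssl s_client` command from the post and parses its output. The host and port are supplied by you; the sample ServerHello bytes used for offline testing are constructed here, not captured from a BT2700HGV or any other device.

```python
"""Probe a TLS listener for RFC 5746 secure renegotiation support.

Added example (not from the original thread). Run as:
    python3 reneg_check.py <host> <port>
"""
import socket
import struct
import subprocess
import sys

RENEGOTIATION_INFO = 0xFF01   # renegotiation_info extension type (RFC 5746)
EMPTY_RENEG_SCSV = 0x00FF     # TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling suite


def build_client_hello() -> bytes:
    """TLS record holding a TLS 1.2 ClientHello that signals secure-renegotiation support."""
    client_random = b"\x00" * 32  # constructed; a real client uses os.urandom(32)
    suites = [0xC02F, 0xC030, 0x009C, 0x009D, 0x002F, 0x0035, EMPTY_RENEG_SCSV]
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    # renegotiation_info: extension length 1, renegotiated_connection length 0 (initial handshake)
    ext = struct.pack("!HHB", RENEGOTIATION_INFO, 1, 0)
    body = (
        b"\x03\x03" + client_random + b"\x00"          # version, random, empty session id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                  # one compression method: null
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(hs: bytes) -> dict:
    """Parse a ServerHello handshake message; return cipher suite and {ext_type: ext_data}."""
    if not hs or hs[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                       # skip server_version and random
    pos += 1 + body[pos]                               # skip session_id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                           # cipher suite + compression method
    exts = {}
    if pos < len(body):                                # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            exts[etype] = body[pos:pos + elen]
            pos += elen
    return {"cipher_suite": cipher, "extensions": exts}


def supports_secure_renegotiation(parsed: dict) -> bool:
    """RFC 5746 s3.4: on an initial handshake the server echoes an empty renegotiated_connection."""
    return parsed["extensions"].get(RENEGOTIATION_INFO) == b"\x00"


def make_server_hello(include_reneg: bool) -> bytes:
    """Constructed sample ServerHello for offline testing (not captured from a real device)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", 0xC02F) + b"\x00"
    if include_reneg:
        ext = struct.pack("!HHB", RENEGOTIATION_INFO, 1, 0)
        body += struct.pack("!H", len(ext)) + ext
    return b"\x02" + len(body).to_bytes(3, "big") + body


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before ServerHello completed")
        buf += chunk
    return buf


def probe(host: str, port: int, timeout: float = 5.0) -> bool:
    """Live check: send our ClientHello and inspect the first handshake record returned."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        ctype, _ver, rlen = struct.unpack("!BHH", _recv_exact(sock, 5))
        if ctype != 0x16:   # 0x15 = alert, e.g. handshake_failure from a very old stack
            raise ValueError(f"expected handshake record, got content type {ctype:#x}")
        return supports_secure_renegotiation(parse_server_hello(_recv_exact(sock, rlen)))


def openssl_s_client(host: str, port: int):
    """Same question asked the way the thread does: parse the s_client status line."""
    out = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                         input=b"", capture_output=True, timeout=20).stdout.decode(errors="replace")
    if "Secure Renegotiation IS supported" in out:
        return True
    if "Secure Renegotiation IS NOT supported" in out:
        return False
    return None   # no TLS handshake completed; check stderr or the port


if __name__ == "__main__":
    h, p = sys.argv[1], int(sys.argv[2])
    print("raw handshake: secure renegotiation", "supported" if probe(h, p) else "NOT supported")
    print("openssl s_client:", openssl_s_client(h, p))
```

The ClientHello deliberately omits the supported_versions extension, so a server that also speaks TLS 1.3 will answer with a TLS 1.2 ServerHello; renegotiation does not exist in TLS 1.3, so that is the only version on which the question is meaningful. A server that replies with an alert record instead of a handshake (content type 0x15) is reported as an error rather than "not supported", because it never reached the point of answering.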
Thanks for the update
Can I ask what router you replaced the BT one with and do you just replace the wireless hub part or both boxes?
We used a Billion BiPAC 7300N http://www.billion.com/product/wireless/bipac7300n-wireless-draft-11n-ADSL2-broadband-router.html
That replaced the BT router, not sure what you mean by "both boxes" as the BT router was a single box that was a router with wireless capabilities, as is the Billion box.
Hi,
I'm guessing from the fact that you mentioned two boxes that you have BT Infinity? If that's the case, then you don't need to replace the white box with the Openreach logo, just the router.
HTH,
Adrian
I have hit the same issue regarding PCI compliance using Trustwave (for Cardsave) - has anyone managed to find a way to resolve this issue, without buying a new router?
Thanks, James
From what everyone has said, the only way to fix it is to replace BT Router and get a compliant one
Appalling service from BT just to blame the QAS and not take the matter seriously for their small business customers