06-10-2012 02:46 PM
We have a 2wire as follows, how can we close it/disable it?
thanks in advance
Hardware Version: 2701-100589-005
Firmware Version: 18.104.22.168-plus.tm
It is failing a security audit due to port 50001 being open for TCP (was used by 2wire for remote diagnostics but is now a know security issue):
Title: TLS Protocol Session Renegotiation Security Vulnerability Impact: The vulnerability allows man-in-the-middle attack.
Resolution: For OpenSSL, [http://www.openssl.org/source/] upgrade to 0.9.8l or higher. For Microsoft IIS web servers, install the appropriate patch available through [http://technet.microsoft.com/en- us/security/bulletin/MS10-049] Microsoft Security Bulletin 10-049. For other types of products, consult the product documentation.
Risk Factor: Medium/ CVSS2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:N/I/A) CVE: CVE-2009-3555 BID: 36935
08-10-2012 02:12 PM
There is no way to close this portit is open for firmware upgrades I believe. Certain other models also use 3479. The only option if this is required to be closed, would be to buy a 3rd party router.
09-10-2012 07:14 PM
I understand that BT have raised this issue with 2Wire (Pace) and are awaiting a fix from them, is there are details of when this might be available?
09-10-2012 07:46 PM
I was not aware this had been raised, its been queried in the past and we'd been informed it was open by design, certain models also have port 3479 open too.
I'll doublecheck this for you first thing tomorrow, incase that is the case, but last I heard it was open by design.
I'll post up tomorrow at some point and let you know.
10-10-2012 01:04 PM
I've had a discussion with the other guys here and unless this has been raised at a higher level, which I don't imagine it has.
The only request we are aware of that was raised to 2wire recently was to try and get a disclosure to say there was no security risk from port 50001 being open. However I've not heard of any plans to close the port. They would need it open to upgrade the firmware.
24-10-2012 10:36 PM - edited 24-10-2012 10:43 PM
Is there any further news on this? Rang the BT Helpdesk and they were unaware of it. I was advised to buy a specific router by BT that doesn't work. Can anyone reccommend an adsl2 router to do the job that would replace the 2wire router. We have a static IP and two V-IP phones running through the router and a BT Versatility Broadband module.
25-10-2012 10:33 AM
Did you find a solution Stripey?
BT have told me I need to purchase a router and install it. We have V-IP phones and a static IP. It's not, quite frankly, the best thing for a business account.
Can anyone reccommend a router that can support
- VOIP and V-IP phones
- Port Forwarding
- Closing all ports (inc. 50001)
30-10-2012 12:33 PM
We too have this issue and have been told by BT that they are currently looking into this. They suggested a third party router but this is something I would only do as a very last resort. We will be charged £50 per month by HSBC's Security Metrics if we fail to pass the scan, so we are keen to get this resolved asap.
Are there any updates from BT yet?
03-11-2012 11:41 AM
Last I heard on this was, BT have no intention of closing the port, however, most security companies just need to verify that the port has no security risks, one such company has recently tested this and found this to be the case, it needs to be tested on a wider scale, but if such companies become satisfied that there are no risks with this port the security checks should stop failing.
12-11-2012 11:07 AM
I don't think it's a matter of getting it tested on a wider scale, the various security companies have got it right.
We currently have a fail on our automated scans, despite our website being fine, all due to our broadband connection having an open port on the router that I cannot close.
I've now found out that open port gives a third party the ability to alter the router without my knowledge, possibly introducing a man-in-the-middle attack, I don't see how anyone could argue that isn't a major security flaw.
Can anyone recommend an alternative router?