Author Topic: RRC1258 Possible Vulnerability  (Read 4705 times)

g4swx

RRC1258 Possible Vulnerability
« on: 2018-04-19, 12:20:44 »
Hi Folks,

I have been a RRC1258 user for over 7 years with 5 systems in use on a remote site.
I have changed all of the default port numbers on the RRC1258 and am using 2.91 software on all systems. I use a Cisco 1800 series router on my internet connection, which has a fixed IP address, with standard NAT and firewall rules for port translation.

I also have an 18Mbps radio link directly into the remote station LAN.
On Monday 16th the RRC1258 controlling one of the radios was being reset by something. The radio went off (checked on CCTV) and the uptime counter on the RRC1258 reset to zero.
I drove to the radio site and a lot of work followed. I changed and checked the PSU which is an obvious first step. In the end I cloned the RRC1258 settings and put another RRC1258 together with another radio in place. I then changed the Netgear LAN switch.

I was amazed that, with a different RRC1258, the fault continued after a random 3-30min interval and the RRC1258 reset itself. Therefore I changed the RRC1258 internal IP address to hide it from the Internet; all was fine and has been since!

I then took the original RRC1258 and ran it, stand alone, on the LAN with the original IP address so that the key ports could be seen on the Internet.
This RRC1258 continued to be reset at random, 2-30min intervals. None of the other RRC1258 systems, radio or control, most of which have Internet visible ports, were impacted.
This behaviour continued for another 4 hours. Switching off all NAT on the firewall stopped the problem. This verified that I had not got a problem on the LAN.

On the following days I left the RRC1258 as a 'tethered lamb' but with more extensive monitoring on the firewall. Unfortunately the attack had stopped.
Apart from cracking the user name and password combination on the RRC1258 web interface, which is possible but not that likely, the only other possibility is that a TCP or UDP attack (I have taken care only to open TCP or UDP ports and NAT as required) will reset a RRC1258.

So my questions are:
Has anybody seen anything similar - ie RRC1258 resetting?
Has anybody tried penetration testing the open ports on a RRC1258?

73
John G4SWX
(retired network security engineer)