TOPIC: Tomato Users (Seeking advice)

Tomato Users (Seeking advice) 11 Feb 2019 13:45 #1353961

  • WiredIdeas
  • Platinum Boarder
  • Posts: 27765
  • Thanks: 2022

oracle wrote: Has the 5354u been phased out? What Tomato replacement can be used?

I think it's still available at select cdrking stores. Actually, if you want to buy a lot, you can call cdrking and tell them you'll order 6 pcs or 12 pcs; they can call you when a new shipment arrives.
The following user(s) said Thank You: oracle

Tomato Users (Seeking advice) 28 Feb 2019 20:30 #1355709

  • simonplm
  • Fresh Boarder
  • Posts: 4
  • Thanks: 0
Is there any way to get QoS working with multi-WAN? Thanks.

Tomato Users (Seeking advice) 11 Mar 2019 10:54 #1356535

  • WiredIdeas
  • Platinum Boarder
  • Posts: 27765
  • Thanks: 2022
^

As long as your Tomato firmware supports multi-WAN, it will work automatically. Maybe you are trying to make it work on a Tomato firmware version that is for single WAN only?

Tomato Users (Seeking advice) 18 Mar 2019 21:45 #1356983

  • WiredIdeas
  • Platinum Boarder
  • Posts: 27765
  • Thanks: 2022
To those running Tomato who have a Chinese-made WiFi CCTV camera, beware: I saw an exploit, and they can get into your network. The immediate fix is to turn off DHCP and go for static IP on all devices in your network. That's all, just so you're informed.

Tomato Users (Seeking advice) 19 Mar 2019 02:50 #1356990

  • homer_simpson
  • Senior Boarder
  • Posts: 306
  • Thanks: 49
Any link to the CVE? Make every IP static. If you have 5 or more devices, that doesn't look like a good solution.

If Tomato can be exploited via DHCP, perhaps you need to think about discarding it?

Tomato Users (Seeking advice) 21 Mar 2019 11:41 #1357167

  • WiredIdeas
  • Platinum Boarder
  • Posts: 27765
  • Thanks: 2022
^

There's no problem in a LAN shop environment if you set static IPs on the PCs. You'll only have a problem if you're selling WiFi; besides, the exploit is only because of that Chinese-made WiFi CCTV that rides on your DHCP range. Most CCTV used in shops has a DVR and isn't WiFi, so just chill. That's how hackers are, they can try, but it can be solved as long as you can identify it :)

Tomato Users (Seeking advice) 24 Mar 2019 05:52 #1357338

  • homer_simpson
  • Senior Boarder
  • Posts: 306
  • Thanks: 49
You're patient if you input static IPs on the clients one by one. You need to have a list of which IPs have already been allocated and to whom. Double check to make sure there's no conflict. Ideally the only static ones are the servers, printers and routers. Even so, you can create DHCP reservations for those.

What if the exploitable DHCP traffic piggybacks on, say, HTTP or SMTP traffic or even ICMP (ping)? Will it trigger the vulnerability?

Could you please post the CVE link so we can read it too?

Tomato Users (Seeking advice) 26 Mar 2019 10:12 #1357497

  • WiredIdeas
  • Platinum Boarder
  • Posts: 27765
  • Thanks: 2022
^

I don't have a CVE link; I don't know whether this has been reported or whether I'm the only one who has discovered it so far. Setting static IPs on client PCs isn't tedious; usually they're all in one range anyway. Say you have 20 units, you'd set them static at 192.168.1.3-192.168.1.23, so it's easy.

Once you've turned off your DHCP, it has nowhere to get in. You need to have a valid IP address to start a TCP/UDP process. They can't get a vacant IP address because it's slotted. But in an unlikely scenario where they piggyback on a static IP that's on my network, we'll see the unusual spike in net usage in the network monitor, and as usual on Tomato there are QoS rules, so whatever ports they use go straight to the CRAWL classification, meaning it crawls. What if the traffic flows over the usual ports 80 and 443? No problem, the destination IP address of the packets is visible, so you can google whether it's legit and/or block the shit out of that IP address block so they can cry too, hehe.

Tomato Users (Seeking advice) 26 Mar 2019 15:02 #1357526

  • homer_simpson
  • Senior Boarder
  • Posts: 306
  • Thanks: 49
Sorry, I'm just getting a bit confused. As per your previous reply, this issue affects wireless LAN. Then you're concerned that the vuln can be triggered via DHCP packets. Well, if a wireless LAN is authenticated and associated in the first place, getting an IP is less of your concern. They can just assign any static IP within your range and they're good to go. The wired LAN equivalent of this is that they are able to physically plug their ethernet cable into the switch. The mere fact that they are able to authenticate and associate with your Access Point should be your immediate concern.

And they don't need to go anywhere, they just need to go direct to your router interface and trigger the said vuln.

Unusual spike in traffic? DHCP packets are really, really small and not enough to cause any spike at all.

Sorry, I just want to get clear on this too.
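
An added example, not part of any post in this thread: the allocation list discussed above (which IP is assigned to whom, checked for conflicts) combined with a check of the router's neighbour table for hosts that configured an address themselves while DHCP is off. The inventory format, MAC addresses and host names are constructed for illustration; the neighbour table uses the Linux /proc/net/arp layout.

```python
import ipaddress

# Constructed allocation list ("IP MAC owner"), inside the 192.168.1.3-23 range
# used in the thread. The duplicate .5 entry is deliberate.
INVENTORY = """\
192.168.1.3 aa:bb:cc:00:00:03 pc-01
192.168.1.4 aa:bb:cc:00:00:04 pc-02
192.168.1.5 aa:bb:cc:00:00:05 pc-03
192.168.1.5 aa:bb:cc:00:00:06 pc-04
"""

# Constructed neighbour table in the /proc/net/arp layout.
ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.3      0x1         0x2         aa:bb:cc:00:00:03     *        br0
192.168.1.4      0x1         0x2         de:ad:be:ef:00:01     *        br0
192.168.1.19     0x1         0x2         de:ad:be:ef:00:02     *        br0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        br0
"""

def load_inventory(text):
    """Return ({ip: (mac, owner)}, [conflicts]); an IP may be allocated once."""
    table, conflicts = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, owner = line.split()
        ip = str(ipaddress.ip_address(ip))      # rejects malformed addresses
        if ip in table:
            conflicts.append((ip, table[ip][1], owner))
        else:
            table[ip] = (mac.lower(), owner)
    return table, conflicts

def audit(table, arp_text):
    """Compare live ARP entries with the allocation list."""
    findings = []
    for line in arp_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 6 or fields[2] == "0x0":   # incomplete entry, no MAC learned
            continue
        ip, mac = fields[0], fields[3].lower()
        if ip not in table:
            findings.append(("unlisted_address", ip, mac))
        elif table[ip][0] != mac:
            findings.append(("allocated_ip_wrong_mac", ip, mac))
    return findings

if __name__ == "__main__":
    table, conflicts = load_inventory(INVENTORY)
    print(conflicts)
    print(audit(table, ARP_TABLE))
```

A matching MAC is not proof of identity, since MAC addresses can be changed; the check only surfaces addresses and hardware the list does not account for.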

Tomato Users (Seeking advice) 26 Mar 2019 15:35 #1357530

  • jhezzy
  • Platinum Boarder
  • Posts: 3709
  • Thanks: 1243
A bit off-topic, sirs.

Try searching the Shodan search engine for vulnerable IoT devices; your CCTV might be among them.

www.shodan.io/

CVE-2018-1149
CVE-2018-1150
CVE-2018-9995

Infosec's on securing cctv against zero-day-attack.

resources.infosecinstitute.com/security-assessment-cctv/#gref
The following user(s) said Thank You: WiredIdeas
