
Security Holes on the Hitron CGN2-ROG

Snarkel
I've Been Here Awhile

I am very frustrated with this modem/router. It responds to requests on ports 135 (RPC) and 445 (Microsoft Directory Services). These ports are shown as "Closed" when a request for the service is made (this is about as bad as knocking on a door and having someone on the other side saying "I'm not home"). Setting it in bridged mode leaves even more ports exposed such as 80 (HTTP). This modem/router is a complete failure when it comes to security. Already contacted their tech support and they can't do anything about it. Note, this is the router itself responding, not the PC.

 

This is gross incompetence

 

 


Re: Security Holes on the Hitron CGN2-ROG

BladeRunR
I've Been Here Awhile

In the last week I have noticed that port 135 & port 445 are now exposed to the internet. This is a recent change that is on Rogers' end. I verified this by bypassing my router & connecting my modem directly to my computer. This is verified by running a scan on my IP address at www.grc.com. Any ideas why Rogers is unstealthing ports?

Re: Security Holes on the Hitron CGN2-ROG

Hmm, interesting.
Looked up the default uses on those ports, you're looking at DCOM and remote access ports.
These SHOULDN'T be open by default, I would think.

I just checked on mine, and it does show that they are closed here.

It could vary from modem to modem. I am currently using the SMC N gateway. Which do you have?

If you are plugging straight into a modem, no router, it is up to your firewall, etc. to block it.
By default any machine will be open to ports if they are open on the machine and no firewall.
With having a router in between, should by default then block all these ports, unless you allow them. Unless you have your machine in the DMZ, have port forwarding on, etc.

Re: Security Holes on the Hitron CGN2-ROG

BladeRunR
I've Been Here Awhile

These ports on my machines are closed as well. What I wanted to know is why for the last 4 years have they shown up as stealthed when scanned but all of a sudden in the last week they are visible but closed? Something must have changed on Rogers' end to cause this. Just trying to find out why as this now exposes my IP address as having a computer behind it, making it a potential target for hackers. I prefer to have all ports stealthed as then there is no evidence that a computer exists at my IP, which was the case for the past 4 years until last week.

Re: Security Holes on the Hitron CGN2-ROG

skinorth
I'm an Advisor

@Snarkel:

 

You posted "...this modem/router. It responds to requests on ports 135 (RPC) and 445 (Microsoft Directory Services)...". What do you mean by "It responds to requests"?

 

We are certainly interested in your experiences, but we would like to know more about what it is that you have experienced.

 

Please provide more details, so we can understand the extent and seriousness of the security issue.

 

Thanks.

 

skinorth

 

Re: Security Holes on the Hitron CGN2-ROG

gs123
I've Been Here Awhile

I'm not sure how Snarkel got this information, but I do know that Steve Gibson at grc.com has a test that we can run to see which of our ports are open, closed or stealth. There are also other tests there that check if UPnP is enabled on our routers.

 

Steve does a podcast on twit.tv/sn and knows a lot about security.

If you want to test how your modem/router responds to requests, go to grc.com then select ShieldsUP. There is an explanation there about the test and the results.

Hope this helps.

Re: Security Holes on the Hitron CGN2-ROG

Gdkitty
Resident Expert

I have run the tests from there (with the SMC router).

The ONLY things that show OPEN on it are 80 and 21 (as I specifically have them forwarded and open).

Every other one shows as stealthed.
They can show up as STEALTHED, CLOSED or OPEN.

 

Open is obvious.. that it's set as open can be an issue if you are not wanting it open.
Most SHOULD be stealthed.
Being closed.. means it's not stealthed.. means if someone is probing, it may elicit a response.. BUT if you are firewalled yourself, between the router and whatever is on your PC, you should be fine.

 

IF you are in bridged mode.. the modem plays NO part in any of this.. it would be your own router, or PC, that would be in charge of showing what is open or closed, etc.

Re: Security Holes on the Hitron CGN2-ROG

gisuck
I'm a Reliable Contributor
Gdkitty is right. If your modem is in bridge mode, the port open/closed response is from the immediate connected device to the Rogers modem. Typically your home router.

Re: Security Holes on the Hitron CGN2-ROG

Gdkitty
Resident Expert

Now these can be stealthed in two ways.
Pre-done by the ISP (which should be done in a perfect world, but by no means mandatory), or by your device (router, PC, etc.).
I think the complaint is that it's not pre-done.

Looking up the ports -

135 - DCOM\RPC - can be dangerous, but even the GRC site says any basic firewall can block this one.

445 deals a lot with file shares and NetBIOS - again, can be dangerous but a decent firewall will block fine.

Like he said, showing in stealthed, says something's there. But if you are showing blocked, you should be safe. Someone might attempt something, but will hopefully be stopped if you have a decent NAT firewall and software firewall. Even with a stealthed port there is nothing stopping someone from direct targeting that port anyways. Just most of the time they won't make an attempt unless they get a response.

Interesting though, first scan came clean, all stealthed (full scan, all ports). Did specific port scans and now they come up, as if the specific probe triggered them. Still blocked though.
Tried a variety of other ports, continual stealth.

Perhaps this is something that Rogers SHOULD look into further.

But it's not an OMG security breach type of thing, if you are showing blocked and have decent hardware/software firewalls in place.

Re: Security Holes on the Hitron CGN2-ROG

Snarkel
I've Been Here Awhile

@gs123

That is what I use, GRC (ShieldsUP).

 

@Gdkitty

I am not in Bridge Mode, hence the statement that Bridge Mode exposes even more ports such as 80 (and it shows closed when in Bridged Mode).

 

@skinorth

It’s a basic port scan (Security basics). When a request is made to a port it can respond as Open, Closed or it may not respond at all. If a port is Open you can access the services of that port (such as port 80 for HTTP services) as it is accepting connections. When Closed connections are actively rejected (ie. “Hey Router, do you have a service available on port XXX?” router responds “No I do not have a service available on port XXX”). When it does not respond at all it means the service is “not present” or is in “STEALTH mode”. Ports 135 and 445 on the WAN IP address of the port responds it is Closed. This means that the port is responding (this is not a good thing). The port should not be responding at all. Because the port is responding your presence is advertised to any requests on those ports.

 

@all

On my old setup using a cable modem connected to a Linksys/Cisco WRT310N with the dd wrt firmware no ports responded at all to any solicited requests on any ports.
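
The three port states described in the post above, as an added example that is not part of any participant's post: a single TCP connection attempt is classified as open (handshake completes), closed (the connection is actively refused) or stealth (no answer before the timeout). The function names and the loopback self-check are constructed for this illustration.

```python
import socket


def state_from_exception(exc):
    """Map a failed connect() to the scan vocabulary used in the thread."""
    if isinstance(exc, ConnectionRefusedError):
        return "closed"   # a TCP RST came back: "no service on this port"
    if isinstance(exc, socket.timeout):
        return "stealth"  # nothing came back before the deadline
    return "other"        # any other error, e.g. host or network unreachable


def probe(host, port, timeout=2.0):
    """Attempt one TCP connection to host:port and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"  # three-way handshake completed
    except OSError as exc:
        return state_from_exception(exc)


def loopback_demo():
    """Constructed self-check: probe a loopback port while a listener is
    bound to it, then again after the listener has been closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(loopback_demo())
```

To see what the WAN side of your own connection answers, `probe` has to be run from a host outside your network, which is the role the GRC test plays in this thread.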

Re: Security Holes on the Hitron CGN2-ROG

jakl7600
I've Been Here Awhile

I did a GRC ShieldsUP scan yesterday and had a result of port 135 and 445 being closed where in the past they have always been stealthed; nothing has changed on my end. In another thread, another user posted that he is experiencing the same issue with these specific ports.

 

Rogers Modem: Cisco DPC3825

Router: D-Link DIR-655

OS: Xubuntu 12.04.2 LTS

Re: Security Holes on the Hitron CGN2-ROG

I am curious if there is a SERVICE that may need these non-stealthed.. for the APP access for the PVRs, the home security system, etc., something like that...

@Snarkel
If you were in bridged mode, and 80 was showing open.. this is your ROUTER or PC firewall which is allowing this. IF a port is OPEN, regardless if the ISP stealths it, it would still show as OPEN.. since the GRC probes all ports anyways.

 

In the end.. Yes, having these ports unstealthed.. makes it so if someone was IP probing and happened to be on those ports.. while they may not get THROUGH.. it would alert to your presence, that YES, there is potentially SOMETHING at that IP address there.

Truthfully? That is the least of your worries, for someone knowing whether your IP has a machine there or not.
Just this morning, I have probably visited.. 15 websites? As of right now, potentially every single one of those sites that I have visited has the ability via simple HTML and scripts (JavaScript, ASP, PHP, etc.) to LOG the IP address that I visited the site from.
These can even be through ADS on the sites.
Now, this list gets sold, stolen, or again from ads, just collected.
Now my IP address is available out there, to the masses in essence.. for someone to go "hey, there is a PC browsing from that address"... and they could attempt to do an attack against that IP.

 

--------------------------------

Again, I am not saying that this is something that Rogers SHOULDN'T look into... (or at least have an explanation as to WHY they are showing as unstealthed.. i.e. they need to be for product X)... they SHOULD.

I am just saying, it's not an 'end of the world' security breach. IF you maintain proper security procedures of a router-based NAT firewall, as well as a software-based one on the PC, you should have no worries of getting compromised. (Bar a very EXPERIENCED hacker, etc.. they could likely get around most anything.. but they are not going to waste their time on a small person's PC)

 

After doing more research, I do agree that they appear unstealthed (even though my first test came through as stealthed, all subsequent ones showing blocked). Is this cause for potential concern? Yes.

I just don't want people to start freaking out that "OH NO I AM GOING TO GET HACKED NOW BECAUSE OF THIS".

Re: Security Holes on the Hitron CGN2-ROG

Snarkel
I've Been Here Awhile

@jakl7600

Seeing you are running Linux (I am running Windows) and you are showing the same ports, it is safe to say this is on the Rogers side. Thank you for the verification.

 

@all

I have also decided to try to subnet my router to a 30 bit subnet mask and DMZ my Linksys/Cisco router then connect my PC to the Linksys/Cisco router. No change.

 

@ Gdkitty

If I bridge then Port 80 shows as closed instead of stealth (not open but that’s admittedly semantics) and if I don’t bridge it does not respond (stealth). When I was set up in Bridged mode I was using the Linksys/Cisco router to access the Hitron and connected my PC to the Linksys/Cisco. My Linksys/Cisco does not show up in a port scan (tested and confirmed) so it’s the Hitron (and taking a look at a couple of other posts the Cisco as well). Why would anyone need access to a closed service? Further checks show I am also responding to pings. Ever hear of a DOS attack (ICMP or SYN Flood)? This is very sloppy and not excusable. I have also tried the port forwarding route and it does not correct the situation. Reconfiguration of the Hitron does not correct the problem. Just FYI: I am CCNA trained and about to recertify. Can’t engage in proper firewall/NAT when you have no control over it (it is simply off or on for these devices).

Re: Security Holes on the Hitron CGN2-ROG

BladeRunR
I've Been Here Awhile

I think it's time for Rogers to actually do something to address this problem. Gdkitty, you didn't seem too concerned with my original posting until more people started to complain.

This IS a serious issue that a company like Rogers should be embarrassed by. For people that are not tech savvy & know nothing about security, this could be a very bad situation.

Maybe if enough people complain something might actually get done regarding this problem. I also verified in my original post that I ran a scan while bypassing my router with the same results. This issue is unacceptable by any means.

Re: Security Holes on the Hitron CGN2-ROG

Until more information.. when only ONE person complains, it could have been a one-off event.. I wasn't trying to brush it off, etc.

My first two initial scans.. both times came up as STEALTHED. So to me, it would show as not happening.

 

Subsequently, they have shown up.

Now that there are more people reporting it.. it looks like it is a global issue.

 

Again, I have not said that Rogers SHOULDN'T fix it... they SHOULD.

A SYN flood DOS attack MIGHT be possible in this sort of case.. not 100% sure, if the port then has to be open to respond (if a closed will not respond correctly). An ICMP, not likely, as it's a mass broadcast type one.. would more likely take down the whole network.

Is it possible then for a DOS attack or something in this way? Yes.. BUT.. they are less likely to try per chance on those ports, than ones that they KNOW are more directly open/being used currently.
There is stuff going through PC gaming right now.. where people are farming IP addresses from VENTRILO servers, and targeting the ports that Vent uses while the person is on.. and DOSing them. No need to choose a random port.

 

Again, I agree 100% that this is something that should get looked at by Rogers and fixed/changed. I am not arguing that.

I just don't think it's the end of the world security breach. Someone is % wise MUCH more likely to get hacked, info stolen, etc.. by means of a VIRUS/MALWARE, going to a phishing site, etc., than a directed attack.

Re: Security Holes on the Hitron CGN2-ROG

Interestingly, I ran 4 more tests just now. Both from behind the SMC gateway. 2 attempts on 2 different PCs.

FIRST attempt still showed 135 as closed and not stealthed.
BUT.. it did show 445 as stealthed.

Subsequent tests showed 445 as closed.

It's almost as if this is a port which is 'asleep' so to speak. That it initially comes up as stealthed.. but after something tries to access.. it wakes up and shows as closed. I have not run a test since yesterday afternoon.. so it may have 'fallen back asleep', so it showed up as stealthed again on the first scan just now.

 

-----------------------------

 

Ran it again.. 3ish hours later?
First scan... showing stealthed on BOTH.
Consecutive scans.. shows closed.

 

 

Re: Security Holes on the Hitron CGN2-ROG

Sweet995
I've Been Around

So no more responses on this since March 2013?

It obviously hasn't been fixed as I just did the same GRC test and 135 and 445 showed up as closed ON MY FIRST ATTEMPT, no testing again a few minutes later. This is just stupid.

 

I have been hacked in the past WHILE I was sitting at the computer. The guy even had the nerve to try to have a messenger conversation with me while he was trying to FUBAR my computer. Prior to our getting the CGN2 from Rogers I have been religiously following Steve Gibson's recommendations and my home system has ALWAYS been stealthed. Never to be found by ANYONE.

 

I HAD to install this piece of CGN2 garbage because we upgraded to the higher speed Internet. I will now be looking at ways to get rid of it and provide my own solution. In the 30 years of being a Rogers customer it has ALWAYS been my experience that they are NOT concerned with your security UNLESS they can make a buck at it. You ALWAYS have to pay them MORE money to be safe from their incompetence.

 

I know I have been talking to a wall here but I leave this for anyone else later who finds this.

Rogers has no intention of ever fixing this.

Find your own solution!
