What is a Chargen vulnerability alert?


You may have recently received a letter or an email from Virgin Media explaining that we have been notified that a device on your network has a Chargen vulnerability. If you have received such a communication from us, please follow the advice given on this page to resolve the issue.
 

Overview

Chargen (Character Generator Protocol) is intended for testing purposes. A system set up to act as a Chargen server responds to queries over port 19 by sending arbitrary characters to the connecting host and continues until the host closes the connection.

If the Chargen service is left enabled, it can be exploited to take part in online abuse.
 

What has happened?

We work with a number of not-for-profit organisations across the banking industry and security sectors that collate information on devices across the Internet that appear to be compromised or misconfigured. This means that your compromised or misconfigured device is publicly accessible on the Internet; the scanning performed by these organisations takes place from the Internet, not within your private network.

We suspect a device connected to your home network may have a Chargen vulnerability.

For more information on these reports please visit chargenscan.shadowserver.org*

This could be your Virgin Media Hub 3.0 or Super Hub, third party home router or any device connected to your home network which allows open communication on TCP/UDP port 19 (Chargen).

If these settings are left open, your device can be exploited so that it unwittingly takes part in malicious activities, for example a Distributed Denial of Service (DDoS) attack.

It is therefore important that you follow the advice in this article.
 

What can I do about it?

We're here to help, and if you have a basic knowledge of computers and connected devices there are a number of steps you can take to secure your home network.

To resolve this issue, please follow the steps from one of the options below.**

If you are aware of what system in your home is acting as a Chargen server, we’d recommend following the steps in this section.

If you are unaware of what system in your home has this vulnerable service running on it, we’d recommend following the advice in the ‘Block Chargen traffic’ section of this article.

For a Linux/Unix server*:

Comment out the chargen line in the /etc/inetd.conf file, or change "disable" to equal "yes" in the applicable file within /etc/xinetd.d/, and then restart the inetd or xinetd process.
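
The Linux/Unix steps above can be scripted. The following is an added example, not a Virgin Media tool: the function names and the sample files it builds in a scratch directory are assumptions made for illustration, and it expects inetd.conf and xinetd.d files in their standard formats.

```shell
#!/bin/sh
# Added example: switch chargen off in inetd.conf and xinetd.d files. Real use (as root):
#   disable_inetd_chargen /etc/inetd.conf; disable_xinetd_chargen /etc/xinetd.d
# then restart inetd or xinetd.

# Apply a sed script to a file; the first run keeps the original as FILE.bak.
apply_sed() {
    [ -e "$1.bak" ] || cp -p "$1" "$1.bak"
    sed "$2" "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Comment out active chargen entries (tcp and udp) in an inetd.conf-style file.
disable_inetd_chargen() {
    [ -f "$1" ] || return 0
    apply_sed "$1" 's/^\([[:space:]]*chargen[[:space:]]\)/#\1/'
}

# Set "disable = yes" in every "service chargen" block under an xinetd.d directory.
disable_xinetd_chargen() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in *.*|*~) continue ;; esac   # backups; xinetd ignores these names
        grep -Eq '^[[:space:]]*service[[:space:]]+chargen' "$f" || continue
        apply_sed "$f" '/^[[:space:]]*service[[:space:]]\{1,\}chargen/,/^[[:space:]]*}/ s/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\).*/\1yes/'
    done
}

# Print how many lines still leave chargen enabled (0 = nothing left to fix).
chargen_enabled_count() {
    {
        if [ -f "$1" ]; then grep -E '^[[:space:]]*chargen[[:space:]]' "$1" || true; fi
        for f in "$2"/*; do
            [ -f "$f" ] || continue
            case ${f##*/} in *.*|*~) continue ;; esac
            sed -n '/^[[:space:]]*service[[:space:]]\{1,\}chargen/,/^[[:space:]]*}/p' "$f" |
                grep -E '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no' || true
        done
    } | wc -l | tr -d ' '
}

# Build constructed sample files in a scratch directory (not real system paths).
make_sample() {
    mkdir -p "$1/xinetd.d"
    printf '%s\n' 'chargen stream tcp nowait root internal' \
        'chargen dgram udp wait root internal' \
        'daytime stream tcp nowait root internal' > "$1/inetd.conf"
    printf '%s\n' 'service chargen' '{' '    disable = no' '    type = INTERNAL' \
        '}' > "$1/xinetd.d/chargen-stream"
    printf '%s\n' 'service echo' '{' '    disable = no' '}' > "$1/xinetd.d/echo-stream"
}
```

Running make_sample on a temporary directory and then the two disable functions lets you see the effect on copies before touching the real files under /etc.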

Windows*:

On Windows systems, set the following registry keys to 0:

HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen

HKLM\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen

Then launch cmd.exe and type the following commands to restart the service:

net stop simptcp

net start simptcp

Block Chargen traffic

The easiest way to deal with a Chargen vulnerability is to configure your firewall to block port 19.

It is worth noting that blocking this port will only stop traffic over this port leaving or entering your home network. Services within your home that use this port should continue to work as normal.

Virgin Media Hub 3.0

To close the vulnerable port on the Virgin Media Hub 3.0:

  • Access your Hub's configuration page - default web address: 192.168.0.1
  • Log in with your username and password; the defaults are shown on the Hub itself
  • Select Security on the left side of the page
  • Select the Port Forwarding option
  • Remove any rules that will keep port 19 open
  • Select the Port Triggering option
  • Remove any rules that will keep port 19 open

Virgin Media Super Hub:

To close the vulnerable port on the Super Hub 1 or 2’s firewall:

  • Access your Hub's configuration page - default web address: 192.168.0.1
  • Log in with your username and password; the defaults are shown on the Hub itself
  • Select Advanced Settings and accept the prompt
  • Scroll down to the Security section
  • Select the Port Forwarding option
  • Tick the Delete box next to any rules that will keep port 19 open
  • Click the Apply option
  • Select the Port Triggering option
  • Tick the Delete box next to any rules that will keep port 19 open
  • Click the Apply option

If you are running any other devices such as a server or a NAS drive, please check their settings and ensure TCP/UDP port 19 (Chargen) is disabled as above.

Third party routers

If you use a third party router in conjunction with the Virgin Media Super Hub or Hub 3.0, your router's firewall will need to be configured to ensure port 19 is not accessible outside of your local network - this can be performed by blocking the port or removing any Port Forwarding rules for that port. In order to identify how to do this with your particular router, refer to the documentation for your device or refer to the manufacturer's website.

It is important to check that all your devices sit behind a firewall. In most cases your firewall is configured as a part of your router; this is the case with the Virgin Media Super Hub and Hub 3.0. If you have specifically disabled the firewall in your router, it is crucial that you configure your devices to sit behind a firewall that is blocking port 19. If this does not apply to you, please proceed to the next step.

Modem Mode - If you are using your Virgin Media Super Hub or Hub 3.0 in Modem Only mode, it is essential that you are using a firewall on any device or router that is plugged directly into the Hub. When in Modem Only mode, your Hub does not operate with a firewall. If this does not apply to you, please proceed to the next step.

DMZ - Most firewalls, including the one provided with the Virgin Media Super Hub and Hub 3.0, include a DMZ option. This feature allows a device using a specific local IP address on your home network (e.g. 192.168.0.2) to bypass your firewall settings. This is occasionally necessary if you are using a device that has its own firewall configured. If you have a device configured in your firewall's DMZ that does not use its own firewall, it is crucial that you disable this option immediately. Computers operating without a firewall are extremely vulnerable to attack as all ports are essentially exposed to the wider Internet.

To check if a device is configured in the DMZ on your Virgin Media Super Hub 1 or 2:

  • Access your Hub's configuration page - default web address: 192.168.0.1
  • Log in with your username and password; the defaults are shown on the Hub itself
  • Select Advanced Settings
  • Select DMZ
  • To remove a device from the DMZ, uncheck the tick box at the top of the page

To check if a device is configured in the DMZ on your Virgin Media Hub 3.0:

  • Access your Hub's configuration page - default web address: 192.168.0.1
  • Log in with your username and password; the defaults are shown on the Hub itself
  • Select Security on the left side of the page
  • Select the DMZ option
  • To remove a device from the DMZ, tick the Disable box

Where can I find further information and advice?

If you’d like further advice then our forum community will be happy to help. Just visit virginmedia.com/community and join the conversation on our Security Matters board.

You can find general security advice and articles on other vulnerabilities by checking Security Hub at virginmedia.com/securityhub

*These links to external sites are provided as a courtesy and we are not responsible for the content of these sites or any problems encountered whilst applying these steps and we are not able to provide any technical support for such problems.

** These fixes are provided as a courtesy and we are not responsible for any problems encountered whilst applying these steps and we are not able to provide any technical support for such problems.

