Monday, April 11, 2016

Hardware Vulnerability - Week 5

Over the last four weeks, this blog has covered vulnerabilities ranging from instituting a permanent vulnerability in every Apple iOS device and Android patch management flaws to meatware (humans) as the weakest link in information system security and the latest malware craze exploiting meatware. This week is a review of a firmware flaw, discovered by David Longenecker, in the Arris SURFboard SB6141 cable modem (hardware), which affects over 135 million users and is deployed by Comcast, Time Warner Cable, and Charter.

Attackers can exploit the flaw remotely to cause a denial of service by rebooting the SURFboard modems without authentication, because the web interface is vulnerable to cross-site request forgery (CSRF). The modems have a static Internet Protocol address that is not consumer-changeable, and the administration web interface at 192[.]168[.]100[.]1 requires no authentication (no username or password), so it is open to any local attacker.

Restarting the cable modem will disable the victim's modem for 2 to 3 minutes, and every device on that network will lose access to the Internet, which is an annoyance. However, there is a much larger issue. An attacker can also reset the modem, because the application doesn't verify whether the reboot or reset command comes from the user interface or from an external source. Social engineering techniques can be used to trick users into clicking on a specially crafted web page or email.

For example, a web page including an <img src="http://malicious_url/"> tag could call any of the following URLs:
  • http://192.168.100.1/reset.htm (for restart)
  • http://192.168.100.1/cmConfigData.htm?BUTTON_INPUT1=Reset+All+Defaults (for factory reset)
If an attacker chooses the factory reset option, the modem will go offline for 30 minutes, as the re-configuration process takes as long as an hour to complete.

The Arris modem vulnerability has existed since 2008 (VU#643049), because it was present in Motorola, which was bought out by Arris. The simplest solution would be a firmware update that requires a username and password and validates that a request originated from the application and not from an external source. However, there's no practical fix for the flaw: since cable modems are not consumer-upgradable, the modems need to wait for Internet Service Providers to apply the fix and push the update.
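The checks such a firmware update would need can be sketched as a request gate for the reboot and reset actions. This is an added example, not code from the post, the advisory, or Arris firmware; the function names, session layout, and `csrf_token` field are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlsplit

MODEM_ORIGIN = "http://192.168.100.1"  # admin interface address from the post

def same_origin(headers):
    """True only if Origin (or, failing that, Referer) names the modem's own UI."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sends neither header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == MODEM_ORIGIN

def authorize_state_change(method, headers, session, form):
    """Return (allowed, reason) for a reboot or factory-reset request.

    `session` is the hypothetical server-side record for the request's cookie
    (None if nobody has logged in); `form` holds the POST body fields.
    """
    if method != "POST":
        return False, "state changes must use POST"  # an <img> tag can only issue GET
    if session is None or not session.get("authenticated"):
        return False, "login required"
    if not same_origin(headers):
        return False, "request did not originate from the admin UI"
    sent = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, session["csrf_token"].encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def new_session():
    """Constructed sample: a logged-in session with a per-session random token."""
    return {"authenticated": True, "csrf_token": secrets.token_urlsafe(32)}

if __name__ == "__main__":
    sess = new_session()
    # Constructed requests: a cross-site image load, then the UI's own form post.
    forged = authorize_state_change("GET", {"Referer": "http://malicious_url/"}, sess, {})
    genuine = authorize_state_change(
        "POST", {"Origin": MODEM_ORIGIN}, sess, {"csrf_token": sess["csrf_token"]})
    print("forged :", forged)
    print("genuine:", genuine)
```

Each check closes a separate gap: the method check stops image-tag loads, the login check stops unauthenticated local access, and the origin and token checks stop a logged-in user's browser from being driven by another site.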

References:

Paganini, P. (2016). More than 135 million ARRIS cable modems vulnerable to remote attacks. Retrieved April 10, 2016, from http://securityaffairs.co/wordpress/46117/hacking/arris-cable-modems-attack.html?utm_medium=email

Whittaker, Z. (2016, April 8). Over 135 million modems vulnerable to denial-of-service flaw | ZDNet. Retrieved April 10, 2016, from http://www.zdnet.com/article/millions-of-routers-vulnerable-to-unpatched-reboot-flaw/

Vulnerability Note VU#643049. (2008, April 29). Retrieved April 10, 2016, from http://www.kb.cert.org/vuls/id/643049

Khandelwal, S. (2016, April 9). No Password Required! 135 Million Modems Open to Remote Factory Reset. Retrieved April 10, 2016, from http://thehackernews.com/2016/04/hack-modem-internet.html

Longenecker, D. (2016, April 3). Full Disclosure: Unauthenticated CSRF reboot flaw in ARRIS (Motorola) SURFboard modems. Retrieved April 10, 2016, from http://seclists.org/fulldisclosure/2016/Apr/8
