Trivially exploitable vulnerabilities have been discovered in several Arris home modems, routers and gateways distributed to consumers and small businesses through AT&T’s U-verse service.
It is not yet known whether the firmware vulnerabilities were introduced by the OEM or the ISP, since AT&T seems to have access to Arris firmware and can customize code on the devices before they’re sent to customers, researchers at security consultancy Nomotion told Threatpost. The researchers uncovered support interfaces easily accessible over SSH, and hidden services exposing the devices to remote and local attacks.
Nomotion security analyst Joseph Hutchins said his firm elected to publicly disclose the vulnerabilities because of their severity and because of Arris’ history with security issues of this sort. A request for comment from Arris was not returned in time for publication.
“Even as early as February, there was another incident where they had similar security issues and their blatant carelessness has gotten out of hand,” said Nomotion CEO Orlando Padilla. “I think with a little bit of pressure, hopefully they’ll fix things up.”
Nomotion also said in a report published today that ISPs are responsible for ensuring the security of their network and equipment leased or sold to consumers.
The most serious of the five flaws affects the NVG589 and NVG599 modems running firmware update 9.2.2h0d83, which enables SSH by default and also contains hardcoded credentials that afford anyone access to the cshell service on the modem.
Hutchins said cshell is capable of viewing or changing the Wi-Fi SSID or password, modifying network configurations, reflashing firmware from a file served from the internet, or controlling a kernel module that injects ads into unencrypted traffic.
The cshell binary runs as root, meaning that any exploitable command injection or buffer overflow vulnerability will give an attacker root on the device. After a Censys search, however, Nomotion estimates that only 15,000 hosts are vulnerable, a much lower number than are affected by some of the other vulnerabilities.
Victimized gateways, meanwhile, can be corralled into a botnet, similar to that used by the Mirai malware to DDoS Dyn and other web-based services last fall. An attacker can also use these bugs to run code on the device to inject ads into traffic, or exploit other vulnerabilities on client devices running on the local network. Hutchins also said that since there’s no certificate pinning, an attacker could force the victim’s browser to accept a certificate from the gateway.
“You have full control of the traffic at that point,” he said.
Nomotion also found default credentials on the NVG599’s caserver HTTPS server running on port 49955, as well as a command injection vulnerability in the same webserver. Hutchins said the server accepts commands that would allow an attacker to upload their own firmware image, and either access or change an internal SDB database configuration. Nomotion estimates from Shodan and Censys searches that around 220,000 devices are vulnerable to this bug alone.
A separate information disclosure vulnerability in a service running on port 61001 would be useful to attackers, but would require them to know the device serial number in advance in order to make a request.
The final bug affects possibly every AT&T device, all of which have port 49152 open, likely for remote access and support. Nomotion calls it a firewall bypass, and said a predictable three-byte value followed by the MAC address affords an attacker remote access.
“It is believed that the original purpose of this service was to allow AT&T to connect to the AT&T issued DVR devices which reside on the internal LAN. However, it should be painfully obvious by now that there is something terribly wrong with this implementation,” Nomotion wrote in its report. “Added to the severity is the fact that every single AT&T device observed has had this port (49152) open and has responded to probes in the same way.”
Hutchins said most of the bugs are trivial to exploit.
“There’s no way people are not exploiting this in the wild,” Hutchins said. “It’s so trivial, we just didn’t see any point in going through the process of disclosure to the vendor and the waiting period because we just can’t see anyone not using this in the wild.”