SB2017083104 - Multiple vulnerabilities in Arris modems
Published: August 31, 2017
Security Bulletin ID
SB2017083104
Severity
High
Patch available
NO
Number of vulnerabilities
5
Exploitation vector
Remote access
Highest impact
Code execution
Description
This security bulletin contains information about 5 security vulnerabilities.
1) SSH backdoor (CVE-ID: N/A)
The vulnerability allows a remote attacker to gain elevated privileges on the target device. The weakness exists due to the use of hardcoded credentials. A remote attacker can use the default "remotessh/5SaP9I26" username and password combination to authenticate to any affected modem over SSH, gain access to the modem's "cshell" client and obtain root privileges.
2) Hardcoded backdoor (CVE-ID: N/A)
The vulnerability allows a remote attacker to gain elevated privileges on the target device. The weakness exists because an HTTPS server listening on port 49955 accepts default credentials. A remote attacker can authenticate on port 49955 with the username "tech" and an empty password and gain root access to the device.
3) OS command injection (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system. The weakness exists due to a command injection flaw in the "caserver" HTTPS server listening on port 49955. A remote attacker can send a specially crafted request to port 49955, make the modem download a busybox binary with netcat (MIPS big-endian build) via wget from a plain HTTP server (there is no SSL support for the download), and then execute arbitrary commands or launch a reverse shell.
Successful exploitation of the vulnerability may result in system compromise.
4) Hardcoded backdoor (CVE-ID: N/A)
The vulnerability allows a remote attacker to gain elevated privileges on the target device. The weakness exists due to a hardcoded backdoor account. A remote attacker who knows the device's serial number can authenticate on port 61001 with the "bdctest/bdctest" username and password and retrieve logs, the modem's WiFi credentials and the MAC addresses of internal hosts.
Successful exploitation of the vulnerability results in information disclosure.
5) Firewall bypass (CVE-ID: N/A)
The vulnerability allows a remote attacker to bypass the firewall on the target device. The weakness exists due to a flaw in the service listening on port 49152. A remote attacker who knows the modem's public IP address can send a specially crafted HTTP request, bypass the modem's internal firewall and open a TCP proxy connection to the device; this connection can then be used to brute-force credentials and reach the services affected by the other four vulnerabilities.
Successful exploitation of the vulnerability may result in system compromise.
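As an added example (not part of this bulletin, and not vendor tooling), the following Python audit flags Internet-side connections to the ports named in items 1 to 5 in constructed firewall/flow log lines, and correlates an outbound plain-HTTP fetch by the modem with a preceding port 49955 access, which is the traffic pattern the wget stage of the command-injection chain in item 3 would produce. The log line layout, the sample addresses (documentation ranges) and the 30-second correlation window are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ports the bulletin names, mapped to its item numbers (port 49955 serves both
# the "tech" backdoor of item 2 and the caserver command injection of item 3).
ADVISORY_PORTS = {
    22: [1],        # item 1: SSH, remotessh/5SaP9I26 -> cshell, root
    49955: [2, 3],  # items 2 and 3: caserver HTTPS, tech/<empty>, command injection
    61001: [4],     # item 4: bdctest/bdctest, logs, WiFi credentials, LAN MACs
    49152: [5],     # item 5: crafted HTTP request opens a TCP proxy past the firewall
}

# Address space behind the modem; anything else is treated as the Internet side.
LAN_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]

# Assumed line layout (constructed for this example, not a vendor log format):
# <ISO timestamp> <ACCEPT|DROP> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def is_lan(addr):
    return any(addr in net for net in LAN_NETS)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "action": d["action"],
            "src": ip_address(d["src"]), "sport": int(d["sport"]),
            "dst": ip_address(d["dst"]), "dport": int(d["dport"]),
            "proto": d["proto"]}


def audit(lines, modem_wan_ip, wget_window=timedelta(seconds=30)):
    """Return findings as (timestamp, bulletin item numbers, description) tuples."""
    modem = ip_address(modem_wan_ip)
    findings = []
    caserver_hits = []  # (ts, src) of accepted Internet-side connections to 49955
    for e in filter(None, map(parse_line, lines)):
        if e["proto"] != "TCP":
            continue
        # Internet-side client reaching one of the bulletin's services
        # (DROP lines are reported too: they are attempts worth knowing about).
        if e["dst"] == modem and e["dport"] in ADVISORY_PORTS and not is_lan(e["src"]):
            items = ADVISORY_PORTS[e["dport"]]
            findings.append((e["ts"], items,
                             f"{e['action']} {e['src']} -> tcp/{e['dport']} (item(s) {items})"))
            if e["action"] == "ACCEPT" and e["dport"] == 49955:
                caserver_hits.append((e["ts"], e["src"]))
        # The modem itself fetching over plain HTTP shortly after a 49955 access:
        # consistent with the wget stage of item 3 (payload served over HTTP,
        # since the bulletin notes the download has no SSL support).
        elif e["src"] == modem and e["dport"] == 80 and not is_lan(e["dst"]):
            for ts, src in caserver_hits:
                delay = e["ts"] - ts
                if timedelta(0) <= delay <= wget_window:
                    findings.append((e["ts"], [3],
                                     f"modem fetched from {e['dst']} over HTTP "
                                     f"{int(delay.total_seconds())}s after 49955 access by {src}"))
                    break
    return findings


# Constructed sample traffic: 203.0.113.10 is the modem's WAN address and
# 198.51.100.77 the Internet-side client (both are documentation ranges).
SAMPLE_LOG = [
    "2017-08-31T10:00:00 ACCEPT 192.168.1.20:50000 -> 192.168.1.1:443 TCP",     # LAN admin UI
    "2017-08-31T10:00:01 DROP 198.51.100.77:41000 -> 203.0.113.10:23 TCP",      # not in bulletin
    "2017-08-31T10:00:02 ACCEPT 198.51.100.77:41001 -> 203.0.113.10:49152 TCP", # item 5
    "2017-08-31T10:00:03 ACCEPT 203.0.113.10:5353 -> 198.51.100.1:53 UDP",      # DNS, ignored
    "2017-08-31T10:00:05 ACCEPT 198.51.100.77:41002 -> 203.0.113.10:49955 TCP", # items 2/3
    "2017-08-31T10:00:09 ACCEPT 203.0.113.10:39000 -> 198.51.100.77:80 TCP",    # wget stage
    "2017-08-31T10:00:12 DROP 198.51.100.77:41003 -> 203.0.113.10:61001 TCP",   # item 4 attempt
    "2017-08-31T10:01:30 ACCEPT 203.0.113.10:39001 -> 198.51.100.77:80 TCP",    # outside window
    "garbage line that does not parse",
]


def run_sample():
    return audit(SAMPLE_LOG, "203.0.113.10")


if __name__ == "__main__":
    for ts, items, desc in run_sample():
        print(ts.isoformat(), items, desc)
```

Run against the sample, the audit reports four findings: the port 49152 access (item 5), the port 49955 access (items 2 and 3), the modem's HTTP fetch four seconds later (item 3), and the dropped attempt on port 61001 (item 4); the later HTTP fetch falls outside the window and is not attributed. Only the modem's WAN address is checked because the bulletin describes these services as reachable remotely; a LAN-side client using the same backdoor accounts would need a separate rule.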
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.