Multiple vulnerabilities in Arris modems



Published: 2017-08-31
Risk High
Patch available NO
Number of vulnerabilities 5
CVE-ID N/A
CWE-ID CWE-798, CWE-78, CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
NVG599
Hardware solutions / Routers & switches, VoIP, GSM, etc

NVG589
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor Arris

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) SSH backdoor

EUVDB-ID: #VU8050

Risk: High

CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:C]

CVE-ID: N/A

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain root privileges on the target device.

The weakness exists due to the use of hard-coded credentials in the SSH service, which is reachable on the WAN interface. A remote attacker can use the built-in "remotessh" / "5SaP9I26" username and password to authenticate to any affected modem, reach the modem's "cshell" management shell over SSH and obtain root privileges.

Mitigation

To disable the SSH backdoor, run the following commands. Substitute "ipaddress" with your gateway's IP address (internal or external). The number after "NOS/" in the prompts is the device's serial number, so yours will differ.

ssh remotessh@ipaddress

(Enter password 5SaP9I26)

NOS/255291283229493> configure

Config Mode v1.3

NOS/255291283229493 (top)>> set management remote-access ssh-permanent-enable off

NOS/255291283229493 (top)>> save

NOS/255291283229493 (top)>> exit

NOS/255291283229493> restart
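To confirm from outside the LAN that the SSH service (and the other services in this bulletin) no longer answer, the following added Python script probes the gateway's WAN address for the ports involved. It is not part of the advisory or of Nomotion's write-up; the WAN address 203.0.113.1 is a placeholder, and a successful TCP connect only shows that a listener answers, not that the flaw itself was confirmed.

```python
import socket

# Added example (not from the advisory or from Nomotion): TCP reachability
# check of the WAN-side services this bulletin describes. Run it against the
# gateway's public address from OUTSIDE the LAN before and after mitigating.
# The WAN address used in __main__ is a placeholder (assumption).

# Port -> (bulletin item, what a WAN-side listener on that port implies)
EXPOSED_SERVICES = {
    22:    ("1) SSH backdoor", "cshell reachable with remotessh/5SaP9I26"),
    49955: ("2/3) caserver", "HTTPS service with tech/<empty>, command injection"),
    61001: ("4) sbdc backdoor", "bdctest/bdctest info disclosure (needs serial number)"),
    49152: ("5) firewall bypass", "unauthenticated TCP proxy into the LAN"),
}


def tcp_open(host, port, timeout=3.0, connector=socket.create_connection):
    """True if a TCP handshake to host:port completes within `timeout`.
    `connector` is injectable so the logic can be exercised without a network;
    anything raising OSError (refused, filtered, unreachable) counts as closed."""
    try:
        sock = connector((host, port), timeout)
    except OSError:
        return False
    if sock is not None:
        sock.close()
    return True


def probe_ports(host, ports=EXPOSED_SERVICES, timeout=3.0,
                connector=socket.create_connection):
    """Return the subset of `ports` on `host` that accept a connection."""
    return {p for p in ports if tcp_open(host, p, timeout, connector)}


def assess(open_ports):
    """Map open ports to bulletin findings, sorted by port. Ports the bulletin
    does not cover are reported as 'other' rather than silently dropped."""
    findings = []
    for port in sorted(open_ports):
        item, meaning = EXPOSED_SERVICES.get(
            port, ("other", "not covered by this bulletin"))
        findings.append((port, item, meaning))
    return findings


if __name__ == "__main__":
    import sys
    wan_ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"  # placeholder
    found = assess(probe_ports(wan_ip))
    if not found:
        print(f"{wan_ip}: none of ports {sorted(EXPOSED_SERVICES)} answered")
    for port, item, meaning in found:
        print(f"{wan_ip}:{port} open -> {item}: {meaning}")
```

Run it as `python3 probe.py <WAN address>` from a host that is not behind the gateway; a result that still lists port 22 after the cshell commands above means the setting did not take effect (or the device has not restarted yet).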

Vulnerable software versions

NVG599: 9.2.2h0d83

NVG589: 9.2.2h0d83

External links

http://www.nomotion.net/blog/sharknatto/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to authenticate to the device's SSH service with the hard-coded credentials in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Hardcoded backdoor

EUVDB-ID: #VU8051

Risk: High

CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:C]

CVE-ID: N/A

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain root privileges on the target device.

The weakness exists because the "caserver" HTTPS server listens on port 49955 with default credentials. A remote attacker can authenticate to port 49955 with the username "tech" and an empty password and gain root access to the device.

Mitigation

Using Burp Suite or another tool that lets you submit a raw, hand-edited HTTP request, send the following request over HTTPS to port 49955 of the gateway's external IP address from outside the LAN. The body reuses caserver's own command injection (item 3) to make the caserver binary non-executable, so the service stops answering once the request succeeds; apply the port 61001 fix from item 4 first if caserver is your only way to deliver it. Content-Length must equal the byte length of the body (63 here); Burp Repeater updates it automatically, other tools may not.

POST /caserver HTTP/1.1
Host: FIXMYMODEM
Authorization: Basic dGVjaDo=
User-Agent: Fixmymodem
Connection: Keep-Alive
Content-Length: 63

appid=001&set_data=fixit;chmod 000 /var/caserver/caserver;fixit

Vulnerable software versions

NVG599: 9.2.2h0d83

External links

http://www.nomotion.net/blog/sharknatto/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to authenticate to the caserver service on port 49955 with the default credentials in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) OS command injection

EUVDB-ID: #VU8052

Risk: High

CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:C]

CVE-ID: N/A

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The weakness exists due to a command injection flaw in the "caserver" HTTPS server on port 49955. A remote attacker can send a specially crafted request to port 49955 and execute arbitrary shell commands; for example, the attacker can use the device's wget (which has no SSL support) to download a MIPS big-endian BusyBox binary with netcat from a plain HTTP server and launch a reverse shell.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

The mitigation is the same as for item 2: using Burp Suite or another tool that lets you submit a raw, hand-edited HTTP request, send the following request over HTTPS to port 49955 of the gateway's external IP address from outside the LAN. It uses this very command injection to make the caserver binary non-executable, after which the service stops answering, so apply the port 61001 fix from item 4 first if caserver is your only way to deliver it. Content-Length must equal the byte length of the body (63 here).

POST /caserver HTTP/1.1
Host: FIXMYMODEM
Authorization: Basic dGVjaDo=
User-Agent: Fixmymodem
Connection: Keep-Alive
Content-Length: 63

appid=001&set_data=fixit;chmod 000 /var/caserver/caserver;fixit

Vulnerable software versions

NVG599: 9.2.2h0d83

External links

http://www.nomotion.net/blog/sharknatto/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the caserver service on port 49955 in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Hardcoded backdoor

EUVDB-ID: #VU8053

Risk: High

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:W/RC:C]

CVE-ID: N/A

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain sensitive information from the target device.

The weakness exists due to a hard-coded backdoor account. A remote attacker who knows the device's serial number can use the "bdctest" / "bdctest" username and password to authenticate to the service on port 61001 and retrieve device logs, the modem's WiFi credentials and the MAC addresses of internal hosts.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

For those exposed to the caserver vulnerability (port 49955) but not the SSH backdoor, submit the following request before disabling caserver, because it is delivered through caserver's command injection and will no longer work once caserver is stopped. Content-Length must equal the byte length of the body (66 here).

POST /caserver HTTP/1.1
Host: FIXMYMODEM
Authorization: Basic dGVjaDo=
User-Agent: Fixmymodem
Connection: Keep-Alive
Content-Length: 66

appid=001&set_data=fixit;chmod 000 /www/sbdc/cgi-bin/sbdc.ha;fixit

Those with access to the SSH backdoor may submit the following command from cshell (the chmod is chained onto a ping so that cshell executes it; the number in the prompt is the device's serial number).

NOS/123456789>> ping -c 1 192.168.1.254;chmod 000 /www/sbdc/cgi-bin/sbdc.ha

Vulnerable software versions

NVG599: 9.2.2h0d83

NVG589: 9.2.2h0d83

External links

http://www.nomotion.net/blog/sharknatto/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a request to the service on port 61001 with the hard-coded credentials and the device's serial number in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Firewall bypass

EUVDB-ID: #VU8054

Risk: High

CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:C]

CVE-ID: N/A

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass the firewall on the target device.

The weakness exists due to a flaw in the service listening on port 49152. A remote attacker who knows the modem's public IP address can send a specially crafted request to that port, bypass the modem's firewall and open a TCP proxy connection through the device; the parameters the service requires can be brute-forced, and the proxy can then be used to reach services that are otherwise only exposed on the LAN side, including those affected by the other four vulnerabilities.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Using Burp Suite or another tool that lets you submit a raw, hand-edited HTTP request, send the following request over HTTPS to port 49955 of the gateway's external IP address from outside the LAN. This is the same caserver request as for items 2 and 3, and the chmod targets the caserver binary rather than the port 49152 service, so after applying it confirm from outside the LAN whether port 49152 still accepts connections. Content-Length must equal the byte length of the body (63 here).

POST /caserver HTTP/1.1
Host: FIXMYMODEM
Authorization: Basic dGVjaDo=
User-Agent: Fixmymodem
Connection: Keep-Alive
Content-Length: 63

appid=001&set_data=fixit;chmod 000 /var/caserver/caserver;fixit

Vulnerable software versions

NVG599: 9.2.2h0d83

NVG589: 9.2.2h0d83

External links

http://www.nomotion.net/blog/sharknatto/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the service on port 49152 of the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
