Vulnerability identifier: #VU8051
Vulnerability risk: High
CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:C]
CVE-ID:
CWE-ID: CWE-798
Exploitation vector: Network
Exploit availability: No
Vulnerable software: NVG599
Hardware solutions / Routers & switches, VoIP, GSM, etc
Vendor: Arris
Description
The vulnerability allows a remote attacker to gain elevated privileges on the target device.
The weakness exists because an HTTPS server runs on port 49955 with default credentials. A remote attacker can authenticate on port 49955 with the username "tech" and an empty password and gain root access to the device.
Mitigation
Using Burp Suite or another application that lets you customize web requests, submit the following request to the gateway’s external IP address from outside of the LAN.
POST /caserver HTTP/1.1
Host: FIXMYMODEM
Authorization: Basic dGVjaDo=
User-Agent: Fixmymodem
Connection: Keep-Alive
Content-Length: 77

appid=001&set_data=fixit;chmod 000 /var/caserver/caserver;fixit
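A defender-side check for the pattern described above, as an added example that is not part of the original advisory: it parses one captured HTTP request and reports whether it carries the default "tech"/empty-password Basic credentials, targets /caserver, or puts shell metacharacters in set_data. It assumes requests are available in decrypted form (the service is HTTPS, so for instance from a TLS-terminating proxy); the function names, indicator labels and the second sample request are constructed for illustration.

```python
import base64
from urllib.parse import unquote_plus

DEFAULT_CREDS = ("tech", "")   # account named in the advisory: empty password
SHELL_META = set(";|&`$<>\n")  # characters that let a value reach a shell as syntax

def parse_request(raw):
    """Split a raw HTTP request into (path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {n.strip().lower(): v.strip()
               for n, _, v in (line.partition(":") for line in lines[1:])}
    return lines[0].split(" ")[1], headers, body

def basic_credentials(headers):
    """Decode a Basic Authorization header to (user, password), else None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, _, password = decoded.partition(":")
    return user, password

def findings(raw):
    """Return the advisory-specific indicators present in one request."""
    path, headers, body = parse_request(raw)
    out = []
    if basic_credentials(headers) == DEFAULT_CREDS:
        out.append("default-credentials")
    if path.split("?")[0] == "/caserver":
        out.append("caserver-endpoint")
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == "set_data" and SHELL_META & set(unquote_plus(value)):
            out.append("shell-metacharacters-in-set_data")
    return out

# Sample 1: the request shown on this page (headers abridged).
PAGE_REQUEST = ("POST /caserver HTTP/1.1\nHost: FIXMYMODEM\n"
                "Authorization: Basic dGVjaDo=\n\n"
                "appid=001&set_data=fixit;chmod 000 /var/caserver/caserver;fixit")
# Sample 2: constructed request with non-default credentials.
OTHER_REQUEST = ("GET /status HTTP/1.1\nHost: gateway.example\nAuthorization: Basic "
                 + base64.b64encode(b"admin:constructed-password").decode() + "\n\n")

print(findings(PAGE_REQUEST), findings(OTHER_REQUEST))
```

The mitigation request above matches all three indicators, so an alert built on them needs source and timing context to separate the owner's fix from anyone else's use of the same account.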
Vulnerable software versions
NVG599: 9.2.2h0d83
External links
http://www.nomotion.net/blog/sharknatto/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.