#VU8051 Hardcoded backdoor in NVG599


Published: 2017-08-31 | Updated: 2017-08-31

Vulnerability identifier: #VU8051

Vulnerability risk: High

CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:C]

CVE-ID: N/A

CWE-ID: CWE-798

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
NVG599
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: Arris

Description
The vulnerability allows a remote attacker to gain elevated privileges on the target device.

The weakness exists because the device runs an HTTPS server on port 49955 with default credentials. A remote attacker can authenticate on port 49955 with the username "tech" and an empty password and gain root access to the device.

Mitigation
Using Burp Suite or another application that lets you customize web requests, submit the following request to the gateway's external IP address from outside the LAN.

POST /caserver HTTP/1.1
Host: FIXMYMODEM
Authorization: Basic dGVjaDo=
User-Agent: Fixmymodem
Connection: Keep-Alive
Content-Length: 77

appid=001&set_data=fixit;chmod 000 /var/caserver/caserver;fixit
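The advisory identifies the backdoor by three traits: the HTTPS service on port 49955, the /caserver endpoint, and HTTP Basic authentication as "tech" with an empty password (the header value dGVjaDo= is simply base64 of "tech:"). The following detection helper is an added example, not part of this advisory or of Nomotion's write-up; it parses raw HTTP requests captured at a proxy or gateway, decodes the Authorization header and reports which of those traits a request matches. The sample requests, the 192.0.2.10 address and the "admin:hunter2" credential are constructed for the example.

```python
"""Flag use of the NVG599 'tech' backdoor in captured HTTP requests.

Added example, not from the advisory. It checks a raw request against the
three indicators the advisory gives: destination port 49955, the /caserver
path, and Basic auth as user 'tech' with an empty password.
"""
import base64
import binascii
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BACKDOOR_USER = "tech"        # hardcoded account named in the advisory
BACKDOOR_PATH = "/caserver"   # endpoint targeted by the advisory's request
BACKDOOR_PORT = 49955         # port of the exposed HTTPS service


@dataclass
class Finding:
    port: int
    method: str
    path: str
    username: Optional[str]
    password: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def decode_basic_auth(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a 'Basic <base64>' value, or None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, _, password = raw.partition(":")  # RFC 7617: first colon separates user and password
    return user, password


def audit_request(raw: str, port: int) -> Finding:
    """Parse the header block of a raw HTTP request and record backdoor indicators."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.splitlines()
    parts = lines[0].split() if lines else []
    method, path = (parts[0], parts[1]) if len(parts) >= 2 else ("?", "?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    creds = decode_basic_auth(headers.get("authorization", ""))
    user, password = creds if creds else (None, None)
    finding = Finding(port, method, path, user, password)

    if port == BACKDOOR_PORT:
        finding.reasons.append(f"traffic to backdoor service port {BACKDOOR_PORT}")
    if path.split("?", 1)[0] == BACKDOOR_PATH:
        finding.reasons.append(f"request to {BACKDOOR_PATH}")
    if user == BACKDOOR_USER and password == "":
        finding.reasons.append("hardcoded 'tech' account with empty password")
    return finding


# Constructed samples: a request matching the advisory's indicators and a benign one.
SAMPLE_BACKDOOR = (
    "POST /caserver HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"                 # documentation address, constructed
    "Authorization: Basic dGVjaDo=\r\n"    # base64 of 'tech:' as given in the advisory
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"  # 'admin:hunter2', constructed
    "\r\n"
)

if __name__ == "__main__":
    for sample, port in ((SAMPLE_BACKDOOR, BACKDOOR_PORT), (SAMPLE_BENIGN, 443)):
        f = audit_request(sample, port)
        print(f.method, f.path, "port", f.port, "->", f.reasons or "no indicators")
```

Run as a script it prints the indicators matched by each sample; in practice you would feed it request headers exported from a proxy or from a packet capture of traffic reaching the gateway's WAN side. Note that the port check alone is only a weak signal, so an alert should require the /caserver path or the credential match as well.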

Vulnerable software versions

NVG599: 9.2.2h0d83


External links
http://www.nomotion.net/blog/sharknatto/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
