#VU8053 Hardcoded backdoor in NVG599 and NVG589 

 


Published: August 31, 2017 / Updated: August 31, 2017


Vulnerability identifier: #VU8053
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-798
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
NVG599
NVG589
Software vendor:
Arris

Description

The vulnerability allows a remote attacker to gain elevated privileges on the target device.

The weakness exists due to a hardcoded backdoor. A remote attacker with knowledge of the device's serial number can use the "bdctest/bdctest" username and password to authenticate on the device via port 61001 and reveal information about logs, the modem's WiFi credentials, and the MAC addresses of internal hosts.

Successful exploitation of the vulnerability results in information disclosure.

Remediation

If the device is affected by the CASERVER vulnerability (port 49955) but not the SSH backdoor, submit the following request before disabling caserver.

POST /caserver HTTP/1.1
Host: FIXMYMODEM
Authorization: Basic dGVjaDo=
User-Agent: Fixmymodem
Connection: Keep-Alive
Content-Length: 77

appid=001&set_data=fixit;chmod 000 /www/sbdc/cgi-bin/sbdc.ha;fixit

Those with access to the SSH backdoor may submit the following command from cshell.

NOS/123456789>> ping -c 1 192.168.1.254;chmod 000 /www/sbdc/cgi-bin/sbdc.ha
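
To confirm whether anything is reaching the two ports named in this advisory (61001 and 49955), the following added example, which is not part of the original advisory, counts new inbound TCP connections to them in firewall logs. The netfilter (iptables LOG) line format, the WAN interface name eth0, the port labels and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Ports named in this advisory; the labels are shorthand chosen for this example.
WATCHED_PORTS = {61001: "bdctest login service", 49955: "caserver"}

# Assumption: the upstream firewall writes Linux netfilter (iptables LOG) lines.
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Aug 31 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=40112 DPT=61001 SYN URGP=0
Aug 31 10:01:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=40113 DPT=61001 SYN URGP=0
Aug 31 10:02:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.20 PROTO=TCP SPT=51000 DPT=49955 SYN URGP=0
Aug 31 10:03:00 gw kernel: IN=eth1 OUT= SRC=192.168.1.50 DST=192.168.1.254 PROTO=TCP SPT=33000 DPT=61001 SYN URGP=0
Aug 31 10:03:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.20 PROTO=TCP SPT=40114 DPT=443 SYN URGP=0
Aug 31 10:04:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.20 PROTO=TCP SPT=40200 DPT=61001 ACK PSH URGP=0
Aug 31 10:04:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.20 PROTO=UDP SPT=40201 DPT=61001 LEN=40
"""


def find_exposure_attempts(log_text, wan_iface="eth0"):
    """Return {(src_ip, dport): count} for new inbound TCP connections to watched ports."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        # Only traffic arriving on the chosen interface, and only TCP.
        if fields.get("IN") != wan_iface or fields.get("PROTO") != "TCP":
            continue
        # Count connection attempts only (SYN set, ACK clear), not established traffic.
        flags = set(line.split())
        if "SYN" not in flags or "ACK" in flags:
            continue
        try:
            dport = int(fields.get("DPT", ""))
        except ValueError:
            continue  # malformed or truncated line
        if dport in WATCHED_PORTS:
            hits[(fields.get("SRC", "?"), dport)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, dport), count in sorted(find_exposure_attempts(SAMPLE_LOG).items()):
        print(f"{src} -> port {dport} ({WATCHED_PORTS[dport]}): {count} attempt(s)")
```

Any hit on the WAN interface means the port is reachable from outside and should be blocked upstream in addition to the remediation above.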

