Vulnerability identifier: #VU8053
Vulnerability risk: High
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:W/RC:C]
CVE-ID:
CWE-ID: CWE-798 (Use of Hard-coded Credentials)
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
NVG599 (Hardware solutions / Routers & switches, VoIP, GSM, etc)
NVG589 (Hardware solutions / Routers & switches, VoIP, GSM, etc)
Vendor: Arris
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target device.
The weakness exists due to hard-coded credentials for a hidden diagnostic service. A remote attacker who knows the device's serial number can authenticate to the service on port 61001 with the username and password "bdctest"/"bdctest" and retrieve device logs, the modem's WiFi credentials, and the MAC addresses of hosts on the internal network.
Successful exploitation of the vulnerability results in information disclosure (the CVSS vector above reflects this: confidentiality impact only, no integrity or availability impact).
Mitigation
The service on port 61001 is served by the CGI file /www/sbdc/cgi-bin/sbdc.ha; both workarounds below make that file non-executable (chmod 000) so the hard-coded credentials can no longer be used. Devices that are also affected by the caserver vulnerability (port 49955) but do not expose the SSH backdoor can submit the following request to caserver (default credentials "tech" with an empty password, base64 "dGVjaDo=") before disabling caserver. The ';' separators inside set_data are what cause caserver to execute the chmod; the Content-Length must match the body exactly (66 bytes for the body shown):
POST /caserver HTTP/1.1
Host: FIXMYMODEM
Authorization: Basic dGVjaDo=
User-Agent: Fixmymodem
Connection: Keep-Alive
Content-Length: 66
appid=001&set_data=fixit;chmod 000 /www/sbdc/cgi-bin/sbdc.ha;fixit
Devices that do expose the SSH backdoor can run the same chmod from cshell; the command is appended with ';' to a ping, which is the point where cshell passes input through to the underlying shell:
NOS/123456789>> ping -c 1 192.168.1.254;chmod 000 /www/sbdc/cgi-bin/sbdc.ha
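The following script is an added example, not code from the advisory, from nomotion or from Arris. It builds the caserver mitigation request above with the Content-Length computed from the body instead of typed by hand, and it gives the check a practitioner wants afterwards: a probe that presents the hard-coded bdctest/bdctest credentials to port 61001 on your own device and reports whether the service still answers. The ports, credentials and chmod target come from the advisory; the URL path /cgi-bin/sbdc.ha (derived from the chmod path, assuming /www/sbdc is the web root), the use of TLS with a self-signed certificate on port 61001, and the rule "a 2xx response means the CGI is still being served" are assumptions made here. The advisory also says the serial number is needed to retrieve data, so the probe only tests whether the backdoor handler still responds, not whether it discloses anything.

```python
"""Mitigation helpers for the NVG589/NVG599 port-61001 (bdctest) issue.

Added example, not from the advisory or the vendor. Ports, credentials and the
chmod target come from the advisory; the CGI URL path, the TLS assumption and
the "2xx means still served" rule are assumptions made in this file.
"""
import base64
import re
import socket
import ssl

CASERVER_PORT = 49955                          # caserver, from the advisory
BDC_PORT = 61001                               # bdctest service, from the advisory
SBDC_CGI_FILE = "/www/sbdc/cgi-bin/sbdc.ha"    # file the mitigation chmods
SBDC_CGI_URL = "/cgi-bin/sbdc.ha"              # ASSUMPTION: web root is /www/sbdc


def basic_auth(user: str, password: str) -> str:
    """HTTP Basic credential string; basic_auth('tech', '') -> 'Basic dGVjaDo='."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def caserver_fix_body(cgi_file: str = SBDC_CGI_FILE) -> str:
    """The set_data payload from the advisory. The ';' separators make caserver
    run the chmod in addition to setting the harmless value 'fixit'."""
    return f"appid=001&set_data=fixit;chmod 000 {cgi_file};fixit"


def build_caserver_request(host: str = "FIXMYMODEM",
                           cgi_file: str = SBDC_CGI_FILE) -> bytes:
    """Serialise the advisory's POST /caserver request. Content-Length is
    computed from the body so the request is always well-formed."""
    body = caserver_fix_body(cgi_file).encode()
    headers = [
        "POST /caserver HTTP/1.1",
        f"Host: {host}",
        f"Authorization: {basic_auth('tech', '')}",   # tech / empty password
        "User-Agent: Fixmymodem",
        "Connection: Keep-Alive",
        f"Content-Length: {len(body)}",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode() + body


def build_bdctest_request(host: str, path: str = SBDC_CGI_URL) -> bytes:
    """GET carrying the hard-coded bdctest/bdctest credentials, for checking
    your own device after applying the mitigation."""
    headers = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"Authorization: {basic_auth('bdctest', 'bdctest')}",
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode()


def parse_status(raw: bytes):
    """HTTP status code of a raw response, or None if it is not HTTP at all."""
    m = re.match(rb"HTTP/\d\.\d (\d{3})", raw)
    return int(m.group(1)) if m else None


def bdctest_still_served(status) -> bool:
    """ASSUMPTION: once sbdc.ha is chmod 000 the CGI cannot execute, so only a
    2xx answer indicates the backdoor handler is still being served."""
    return status is not None and 200 <= status < 300


def probe_bdctest(host: str, port: int = BDC_PORT, path: str = SBDC_CGI_URL,
                  timeout: float = 5.0, use_tls: bool = True):
    """Send the bdctest request to the device and return the status code, or
    None on connection failure. ASSUMPTION: the service speaks TLS with a
    self-signed certificate, so certificate verification is disabled."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            conn = sock
            if use_tls:
                ctx = ssl.create_default_context()
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
                conn = ctx.wrap_socket(sock, server_hostname=host)
            conn.sendall(build_bdctest_request(host, path))
            raw = b""
            while len(raw) < 65536:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                raw += chunk
            return parse_status(raw)
    except (OSError, ssl.SSLError):
        return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.254"
    print(build_caserver_request().decode())           # request to send to port 49955
    status = probe_bdctest(target)
    print(f"port {BDC_PORT} -> status {status}; "
          f"still served: {bdctest_still_served(status)}")
```

Run it as `python3 nvg_bdctest_check.py 192.168.1.254` from the LAN side (file name is a placeholder). A None status means the port did not answer at all, which is also the desired outcome once caserver and the backdoor CGI are disabled; only a 2xx from port 61001 indicates the mitigation did not take effect.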
Vulnerable software versions
NVG599: 9.2.2h0d83
NVG589: 9.2.2h0d83
External links
http://www.nomotion.net/blog/sharknatto/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited over the Internet by a remote attacker who holds no valid credentials, provided the attacker knows the device's serial number and port 61001 is reachable.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.