#VU8053 Hardcoded backdoor in NVG599 and NVG589


Published: 2017-08-31

Vulnerability identifier: #VU8053

Vulnerability risk: High

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:W/RC:C]

CVE-ID: N/A

CWE-ID: CWE-798

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
NVG599
Hardware solutions / Routers & switches, VoIP, GSM, etc
NVG589
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: Arris

Description
The vulnerability allows a remote attacker to gain elevated privileges on the target device.

The weakness exists due to a hardcoded backdoor account. A remote attacker with knowledge of the device's serial number can use the "bdctest/bdctest" username and password to authenticate to the device on port 61001 and retrieve logs, the modem's WiFi credentials, and the MAC addresses of internal hosts.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation

For devices affected by the caserver vulnerability (port 49955) but not the SSH backdoor, submit the following request before disabling caserver. It removes all permissions from the /www/sbdc/cgi-bin/sbdc.ha CGI binary:

POST /caserver HTTP/1.1
Host: FIXMYMODEM
Authorization: Basic dGVjaDo=
User-Agent: Fixmymodem
Connection: Keep-Alive
Content-Length: 77

appid=001&set_data=fixit;chmod 000 /www/sbdc/cgi-bin/sbdc.ha;fixit

Those with access to the SSH backdoor may submit the following command from cshell; it applies the same permission change:

NOS/123456789>> ping -c 1 192.168.1.254;chmod 000 /www/sbdc/cgi-bin/sbdc.ha

Vulnerable software versions

NVG599: 9.2.2h0d83

NVG589: 9.2.2h0d83


External links
http://www.nomotion.net/blog/sharknatto/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
