#VU8054 Firewall bypass in NVG599 and NVG589


Published: 2017-08-31

Vulnerability identifier: #VU8054

Vulnerability risk: High

CVSSv3.1: 8.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:C]

CVE-ID: N/A

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
NVG599
Hardware solutions / Routers & switches, VoIP, GSM, etc
NVG589
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: Arris

Description
The vulnerability allows a remote attacker to bypass the firewall on the target device.

The weakness exists due to a flaw in the service on port 49152. A remote attacker with knowledge of a modem's public IP address can send a specially crafted HTTP request, bypass the modem's internal firewall, open a TCP proxy connection to the device, and perform a brute-force attack that may allow exploitation of 4 other vulnerabilities.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Using Burp Suite or another application that lets you customize web requests, submit the following request to the gateway's external IP address from outside of the LAN.

POST /caserver HTTP/1.1
Host: FIXMYMODEM
Authorization: Basic dGVjaDo=
User-Agent: Fixmymodem
Connection: Keep-Alive
Content-Length: 77

appid=001&set_data=fixit;chmod 000 /var/caserver/caserver;fixit

Vulnerable software versions

NVG599: 9.2.2h0d83

NVG589: 9.2.2h0d83


External links
http://www.nomotion.net/blog/sharknatto/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

