Five vulnerabilities have been found in Arris-manufactured home networking equipment supplied in AT&T’s U-verse service. The vulnerabilities are considered so trivial to exploit that they have been disclosed to the public without waiting for remedial work from either Arris or AT&T.
On one of the vulnerabilities, Joseph Hutchins of Nomotion Software reported yesterday, “It is hard to believe that no one is already exploiting this vulnerability at the detriment of innocents. Which is why this report is not passing Go, not collecting $200, and is going straight to the public domain.”
Arris has said that it is investigating the claims and cannot yet comment; but that it will take any necessary action to protect users of its devices. SecurityWeek has reached out to AT&T, and will update this article with any response.
It is worth noting that Arris is not a stranger to vulnerabilities — a talk “CableTap: Wireless Tapping Your Home Network” was recently delivered at Def Con. It is also worth noting that Nomotion is not certain whether the vulnerabilities it discusses come from Arris or AT&T; but makes the point that AT&T is responsible to its users.
Right now, U-verse users should be aware that these are serious vulnerabilities. Tod Beardsley, Research Director at Rapid7, told SecurityWeek by email that they “include three separate maintenance interfaces over SSH and two hidden HTTP-based services, all of which are reachable from the internet with hard-coded credentials and susceptible to command injection attacks. In addition, Nomotion discovered an unauthenticated firewall bypass vulnerability, which appears to be a rudimentary reverse TCP proxy, allowing unfettered access from the internet to computers on the LAN side. Any one of these vulnerabilities is disastrous for AT&T U-Verse customers, since they ultimately bypass any security controls offered by these modems.”
In the first vulnerability described by Nomotion, the latest firmware update for the NVG589 and NVG599 modems enables SSH and contains hardcoded credentials. The SSH service seems to be connected to a module whose sole purpose appears to be to inject advertisements into the user’s unencrypted web traffic. Although there is no evidence that the module is being used, “it is present, and vulnerable,” says Hutchins.
He goes on to describe one potential exploit, but adds that “one can guess that hundreds of additional vulnerabilities exist.” The Censys search engine reports that there are likely at least 14,894 vulnerable hosts.
The second vulnerability involves default credentials on the NVG599’s HTTPS server. “The username tech with an empty password field conveyed access to this highly vulnerable web server,” writes Hutchins.
The third vulnerability involves the same device, which is susceptible to a command injection attack. “There are countless ways to exploit this,” writes Hutchins, “but a few quick and dirty stacked commands using wget to download busybox with netcat (mips-BE) from an http server (no SSL support) and then spawn a reverse shell works well.” He estimates that there may be around 200,000 vulnerable hosts.
The fourth vulnerability involves a service on port 61001. This is considered the most prevalent but not the biggest threat. It requires knowledge of the device’s serial number; if the serial number can be obtained, however, a “plethora” of information is exposed.
“The server will hang for several seconds before returning a response,” says Hutchins. “Afterwards, several pieces of invaluable information are returned about the modem’s configuration, as well as its logs. The most sensitive pieces of information are probably the WiFi credentials and the MAC addresses of the internal hosts, as they can be used for the next vulnerability.”
That fifth vulnerability is the most prevalent: a firewall bypass with no authentication. It simply requires the device’s MAC address. If not obtainable through the previous vulnerability, this can be brute-forced or sniffed over Wi-Fi. “Basically,” says Hutchins, “if your neighbor knows your public IP address, you are in immediate danger of intrusion.”
Although Nomotion’s disclosure has not waited for remedial action from either AT&T or Arris, Hutchins does offer workarounds for each of the vulnerabilities. The difficulty here is that they tend to be technical solutions on home devices.
“The firewall bypass issue is resolved by a fairly straightforward configuration change on the modem’s normal configuration interface,” said Beardsley; “but it’s unlikely that most AT&T customers will be comfortable with making these changes on their own.” The remaining workarounds are even more difficult, and require, said Beardsley, “some fairly advanced ‘self-hacking’ to implement… and that comes with its own risks of accidentally (and permanently) disabling the affected hardware through a misplaced typo. So, while customers who have the technical chops to implement these fixes have some hope of side-stepping disaster, the vast majority of U-Verse customers are strongly urged to make a service call to AT&T’s technical support for assistance and updates.”
In short, warns Beardsley, “These vulnerabilities present a golden opportunity for widespread, automated damage at the hands of malicious hackers, up to and including another Mirai-like mass-hijack of affected modems. AT&T U-Verse customers are urged to take this disclosure seriously, and keep a close watch on AT&T’s plans for pushing out updated firmware to resolve these issues.”