Backdoor In A Backdoor Identified in 600,000 Arris Modems

Thousands of cable modems manufactured by the Georgia-based telecom Arris suffer from a series of issues: XSS and CSRF vulnerabilities, hard-coded passwords, and what a researcher is calling a backdoor in a backdoor.

Brazilian researcher Bernardo Rodrigues stumbled upon the issues several months ago while researching cable modem security for a conference and disclosed them last week.

The modems reportedly contain an undocumented library that acts as a backdoor, in turn allowing privileged logins using a custom password.

Following a cursory Shodan search, Rodrigues estimates that more than 600,000 externally accessible hosts are vulnerable to the backdoor and that TG862A, TG860A, and DG860A modems are all affected.

One backdoor has been known for a while, at least since 2009, and relies on a publicly known algorithm. To exploit it an attacker would have to be familiar with the algorithm, the date, and the seed to gain access to the device. Rodrigues claims a “password of the day” generator uses a DES encoded seed to set a daily password, but relies on a default seed, MPSJKMDHAI.

Once in, an attacker could “enable Telnet and SSH remotely via the hidden HTTP Administrative interface,” or via custom SNMP MIBs.


“The default password for the SSH user ‘root’ is ‘arris’. When you access the telnet session or authenticate over SSH, the system spawns the ‘mini_cli’ shell asking for the backdoor password,” Rodrigues wrote in his disclosure late last week.

The restricted shell reached with the “password of the day” can be escaped, and a full shell can also be reached directly using a hard-coded password – the last five digits of the device’s serial number.

“Logging as technician using the ‘password of the day’ provides a restricted mini_cli shell. This shell can be escaped to a full BusyBox shell; logging in using the hard-coded password provides the BusyBox shell,” reads an advisory on the issue posted by CERT/CC. “It has been reported that these vulnerabilities, particularly the hard-coded passwords, are currently being exploited.”

On top of the backdoor and the hard-coded password, CERT/CC’s warning states that certain parameters in the modems’ web management interface are also vulnerable to both cross-site scripting (XSS) and cross-site request forgery (CSRF).

Rodrigues claims Arris was less than receptive when he first reported the flaws, but that CERT/CC proved helpful and aided in bringing them to the company’s attention.

When reached Monday, a spokesman for the company said Arris was “working around the clock on modem updates” to address the vulnerability, but insisted that any risk associated with the vulnerability in the meantime is low and that the company was unaware of any exploit related to it.
