Security researchers are warning of a new critical vulnerability affecting multiple cable modem manufacturers that use Broadcom chips — exposing hundreds of millions of users to remote attacks.
Discovered by three researchers from security consultancy Lyrebirds and one independent researcher, the so-called “Cable Haunt” bug (CVE-2019-19494) is described as a buffer overflow, “which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim's browser.”
Specifically, the flaw is found in the Broadcom chip’s spectrum analyzer component, which is designed to identify problems with the modem’s cable connection. If attackers can first trick the user into opening a web page containing malicious JavaScript, possibly via a phishing email, they can trigger the buffer overflow and gain access to the modem.
This opens up a range of potential options to the hackers, including: changing the default DNS server, disabling ISP firmware upgrades and covertly changing the code themselves, man-in-the-middle attacks and conscripting the device into a botnet.
Basically, it means being able to snoop on all traffic flowing into the modem, send users unwittingly to malicious domains and launch botnet attacks.
The scale of the problem is potentially immense — affecting many more devices than the 200 million estimated in Europe.
“The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modem manufacturers when creating their cable modem firmware,” the researchers warned. “This means that we have not been able to track the exact spread of the vulnerability and that it might present itself in slightly different ways for different manufacturers.”
The team contacted ISPs with a fix prior to disclosure, but the quartet claimed only to have had “limited success” with this approach. Models from Netgear, Sagemcom, Technicolor and Compal are among the 10 identified as affected.
However, the vulnerable spectrum analyzer in question is not directly exposed to the internet, making this attack a relatively complex endeavor and therefore not likely to be used in mass campaigns given the numerous other flaws that can be more easily exploited in routers.