Security experts have uncovered several vulnerabilities in a Motorola cable modem device which combined could allow remote attackers to take full control of the router and modify the victim’s network for further exploitation.
Rapid7 engineering manager, Todd Beardsley, claimed in a blog post that the flaws can be found in the ARRIS / Motorola SURFboard SBG6580 Series Wi-Fi Cable Modem.
“The attacker must successfully know, or guess, the victim’s internal gateway IP address. This is usually a default value of 192.168.0.1,” he wrote.
“It’s important to stress that, taken separately, these vulnerabilities are not all that unusual for embedded devices with web management interfaces. Taken together, though, an attacker can perform malicious network reconfigurations.”
The vulnerabilities in question are: a cross site request forgery (CVE-2015-0965) which lets an arbitrary website log-in without the user knowing; a backdoor (CVE-2015-0966) which allows a ‘technician’ to log in using the password ‘yZgO8Bvj’; and a cross site scripting bug (CVE-2015-0964).
The latter allows attackers, once logged in, to inject JavaScript capable of performing any action into the router interface.
“The Metasploit module, published in conjunction with this advisory, takes advantage of all three vulnerabilities to place an arbitrary internal endpoint in the DMZ of the affected network, thus exposing all running services to direct internet access,” wrote Beardsley.
“In addition, the Metasploit module automatically downloads a copy of all registered DHCP clients, complete with their MAC addresses, IP addresses, and hostnames.”
He recommended several steps Motorola could take to mitigate the security issues found in the modem.
These include “better sanitization of the EmailAddress input to /goform/RgFirewallEL” and to stop issuing reusable backdoor credentials.
Beardsley also recommended the vendor add an X-Frame-Options header to restrict JavaScript injection, and to include “normal CSRF token or HTTP Referer validation on all forms.”
For users, the best option to mitigate the risk of attack would be to configure a custom local firewall or additional hardware firewall/gateway to ensure that internal hosts wouldn’t be able to communicate with the vulnerable device.
Independent security researcher Joe Vennix was credited with finding the vulnerabilities.