Customers using the Verizon FiOS Quantum Gateway for their home routers are advised to update to the latest firmware – version 02.02.00.13 – which addresses fixes for multiple vulnerabilities discovered by Chris Lyne, researcher at Tenable Research.
According to an advisory published today, a new vulnerability (CVE-2019-3914) was found in the administrator password, not the password users enter to login. Lyne discovered that the vulnerability would allow an attacker to authenticate remote command injection. His tinkering led him to discover additional vulnerabilities, which include login replay (CVE-2019-3915) and password salt disclosure (CVE-2019-3916).
Lyne proposed several different scenarios in which a malicious actor could tamper with the security settings of the device, but in CVE-2019-3914, the attacker “must be authenticated to the device's administrative web application in order to perform the command injection. In most cases, the vulnerability can only be exploited by attackers with local network access. However, an internet-based attack is feasible if remote administration is enabled; it is disabled by default.”
While the first vulnerability requires that an attacker be authenticated, in the login replay flaw, the web administration interface does not enforce HTTPS. As a result, “an attacker on the local network segment can intercept login requests using a packet sniffer. These requests can be replayed to give the attacker admin access to the web interface. From here, the attacker could exploit CVE-2019-3914.”
In his blog post, Lyne noted that Verizon has released a patch.
“Routers are the central hub of every smart home today. They keep us connected to the corners of the internet, secure our homes, and even remotely unlock doors,” said Renaud Deraison, co-founder and chief technology officer, Tenable, in a press release. “However, they also act as a virtual entry point into the very heart of the modern home, controlling not just what goes out but also who comes in.”