Executive Summary

This alert is flagged as a CWE/SANS Top 25 Common Weakness Enumeration.
Summary

Title: ARRIS cable modems generate passwords deterministically and contain XSS and CSRF vulnerabilities

Information

Name: VU#419568
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2015-11-20
Last vendor modification: 2015-11-23
Revision: M

Security-Database Scoring CVSS v3

No CVSS v3 vector has been assigned to this alert (all v3 scores N/A).

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Base Score: 9.3 (Attack Range: Network)
Impact Score: 10 (Attack Complexity: Medium)
Exploit Score: 8.6 (Authentication: None Required)

Detail

Vulnerability Note VU#419568

ARRIS cable modems generate passwords deterministically and contain XSS and CSRF vulnerabilities

Original Release date: 20 Nov 2015 | Last revised: 23 Nov 2015

Overview

Multiple models of ARRIS cable modems contain multiple, deterministically generated backdoor passwords, as well as multiple cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities.

Description

CWE-255: Credentials Management - CVE-2009-5149

The 'password of the day' for multiple models of ARRIS cable modems is generated using a publicly known algorithm. A remote attacker with knowledge of the algorithm, the date, and the seed can gain technician access to the device.

CWE-259: Use of Hard-coded Password - CVE-2015-7289

A separate account with a hard-coded password based on the modem's serial number also exists. A remote attacker with knowledge of the password may be able to gain administrator access to the device.

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2015-7290

In the web management interface, the pwd parameter of adv_pwd_cgi is vulnerable to reflected cross-site scripting.

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-7291

In the web management interface, adv_pwd_cgi is vulnerable to cross-site request forgery. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.
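As an added illustration (this is not ARRIS code; nothing is known here about the real CGI beyond the `pwd` parameter and the `adv_pwd_cgi` name), the following Python models a password-change handler with both web bugs described above beside a hardened version. The session object, the `csrf_token` parameter, the management-interface origin and the length policy are assumptions made for the example.

```python
"""Added example: a model of a password-change CGI such as adv_pwd_cgi.

This is not ARRIS code. It keeps only the `pwd` parameter name from the note;
the session object, csrf_token parameter, device origin and length policy are
assumptions chosen to show the two bugs (CVE-2015-7290 reflected XSS,
CVE-2015-7291 CSRF) and the standard fixes for them.
"""
import html
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

DEVICE_ORIGIN = "http://192.168.0.1"  # assumed management-interface origin


@dataclass
class Session:
    """Per-login state the device keeps; csrf_token is what the fix adds."""
    user: str
    password: str = "admin"  # stored credential the handler changes
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def adv_pwd_cgi_vulnerable(session: Session, params: dict) -> str:
    """Vulnerable model. Any request that carries the session cookie changes the
    password (CSRF), and the submitted value is reflected unescaped (XSS)."""
    pwd = params.get("pwd", "")
    session.password = pwd
    return f"<html><body>Password set to: {pwd}</body></html>"


def render_form(session: Session) -> str:
    """Form the hardened handler expects: the per-session token rides along as a
    hidden field, so a page on another origin cannot forge a valid submission."""
    return (
        '<form method="post" action="/adv_pwd_cgi">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(session.csrf_token)}">'
        '<input type="password" name="pwd"><input type="submit"></form>'
    )


def _same_origin(headers: dict) -> bool:
    """Origin check: prefer the Origin header, fall back to Referer, reject if neither."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == DEVICE_ORIGIN


def adv_pwd_cgi_hardened(session: Session, params: dict, headers: dict) -> tuple[int, str]:
    """Hardened model: same-origin check, constant-time CSRF token compare, input
    policy, and HTML-escaping of anything reflected. Returns (status, body)."""
    if not _same_origin(headers):
        return 403, "<html><body>Cross-origin request rejected</body></html>"
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "<html><body>Missing or invalid CSRF token</body></html>"
    pwd = params.get("pwd", "")
    if not 8 <= len(pwd) <= 64:
        return 400, "<html><body>Password must be 8 to 64 characters</body></html>"
    session.password = pwd
    # The new password is never echoed; the one field that is reflected is escaped.
    return 200, f"<html><body>Password updated for {html.escape(session.user)}</body></html>"


if __name__ == "__main__":
    # Constructed probe, not a real exploit: a script tag submitted as the password.
    probe = "<script>alert(1)</script>"
    s = Session(user="admin")
    print(adv_pwd_cgi_vulnerable(s, {"pwd": probe}))  # reflected verbatim
    print(adv_pwd_cgi_hardened(s, {"pwd": probe}, {"Origin": "http://evil.example"}))
    print(adv_pwd_cgi_hardened(s, {"pwd": probe, "csrf_token": s.csrf_token},
                               {"Origin": DEVICE_ORIGIN}))
```

The origin check compares scheme and host after parsing rather than by string prefix, so `http://192.168.0.1.evil.example` is rejected; the token compare uses `hmac.compare_digest` so a missing or wrong token fails without a timing side channel.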

The following models have been reported as being vulnerable to all of the vulnerabilities described above:

  • TG862A
  • TG862G
  • DG860A

The following firmware versions were reported as being vulnerable:
  • TS0705125D_031115_NA.MODEL_862.GW.MONO
  • TS0705125_062314_NA.MODEL_862.GW.MONO
  • TS070593C_073013_NA.MODEL_862.GW.MONO
  • TS0703128_100611_NA.MODEL_862.GW.MONO
  • TS0703135_112211_NA.MODEL_862.GW.MONO

Additional models and firmware versions may also be affected.

Shodan search results show that many devices are accessible on the public Internet through telnet, SSH, or web management. An attacker with access to the web management interface and the technician password or SNMP can enable telnet and SSH.

Logging in as technician using the 'password of the day' provides a restricted mini_cli shell, which can be escaped to a full BusyBox shell; logging in with the hard-coded password provides the BusyBox shell directly.

It has been reported that these vulnerabilities, particularly the hard-coded passwords, are currently being exploited. For additional details, refer to the researcher's disclosure.

Impact

An attacker with access to the web management interface and knowledge of the password-generation algorithm and seed may be able to gain technician or administrative access to devices. A remote attacker may also perform actions with the same permissions of a victim user, or execute arbitrary scripts in the context of the user's browser.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Change 'password of the day' seed

The 'password of the day' feature appears to use the current date and a seed as input to an algorithm that generates the password. The algorithm is publicly known and the date is trivially known, so the seed is the only secret in the scheme. It may be possible to change the seed; an attacker who does not know the new seed cannot generate the password. It is not clear whether users or service providers can change the seed. Note also that an attacker who already has access to the web management interface may be able to obtain the router's configuration, including the seed and other passwords. The seed can be set, and possibly read, via SNMP.
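The dependence on (date, seed) described in the CVE-2009-5149 entry above and in this workaround can be seen in a small model. The following is an added example, not ARRIS firmware code and not the arrispwgen algorithm: the real generator is a table-driven routine that this example does not reproduce, and an HMAC keyed by the seed stands in for it. The factory seed value, the output alphabet and the eight-character length are assumptions.

```python
"""Added example: model of a date-seeded 'password of the day'.

This is NOT the ARRIS algorithm. The real generator (see the arrispwgen
reference) is a table-driven routine keyed by the date and a seed string;
here an HMAC-SHA256 keyed by the seed stands in for it so that the structure,
password = f(date, seed), can be examined. The seed value, the output alphabet
and the eight-character length are assumptions.
"""
import datetime as dt
import hashlib
import hmac

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed 32-symbol output alphabet
DEFAULT_SEED = "FACTORY-SEED"                    # hypothetical factory seed


def password_of_the_day(day: str, seed: str, length: int = 8) -> str:
    """Stand-in generator. Deterministic in (day, seed): anyone holding both
    recomputes the password, so there is no secret here beyond the seed."""
    date = dt.date.fromisoformat(day)  # validates 'YYYY-MM-DD'
    digest = hmac.new(seed.encode(), date.isoformat().encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def attacker_candidates(seed: str, today: str, slack_days: int = 1) -> list[str]:
    """What an attacker who knows the algorithm and the seed tries: the password
    for today plus a small window either side, to absorb the modem's clock skew."""
    base = dt.date.fromisoformat(today)
    return [
        password_of_the_day((base + dt.timedelta(days=d)).isoformat(), seed)
        for d in range(-slack_days, slack_days + 1)
    ]


def is_predictable(password: str, seed: str, today: str, slack_days: int = 1) -> bool:
    """True if `password` is one the attacker's candidate list would contain."""
    return password in attacker_candidates(seed, today, slack_days)


def seed_rotation_demo(today: str) -> dict:
    """Before rotation the attacker's guess hits; after the operator changes the
    seed it misses, because the seed was the only secret in the scheme."""
    device_seed = DEFAULT_SEED
    before = is_predictable(password_of_the_day(today, device_seed), DEFAULT_SEED, today)
    device_seed = "OPERATOR-ROTATED-SEED"  # hypothetical new, unpublished seed
    after = is_predictable(password_of_the_day(today, device_seed), DEFAULT_SEED, today)
    return {"hits_with_factory_seed": before, "hits_after_rotation": after}


if __name__ == "__main__":
    day = "2015-11-20"  # the note's public disclosure date, used as a sample
    print("password of the day for", day, "=", password_of_the_day(day, DEFAULT_SEED))
    print("attacker window:", attacker_candidates(DEFAULT_SEED, day))
    print(seed_rotation_demo(day))
```

The same model shows the limit of the workaround: once the seed is readable, whether from a downloaded configuration or over SNMP, the rotated seed is no more secret than the factory one and the attacker's candidate list is correct again.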

Disable insecure remote administration

Service providers should disable insecure remote administration features such as telnet or, at a minimum, limit access to trusted management hosts and networks.

Vendor Information

Vendor: ARRIS
Status: Affected
Date Notified: 17 Sep 2015
Date Updated: 09 Nov 2015

CVSS Metrics (CERT/CC)

Base: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Temporal: 6.8 (E:POC/RL:U/RC:C)
Environmental: 6.7 (CDP:ND/TD:H/CR:ND/IR:ND/AR:ND)

Note that the CERT/CC base score (7.5) differs from the Security-Database CVSS v2 score above (9.3) because the two use different vectors: CERT/CC rates access complexity Low with partial impacts, Security-Database rates it Medium with complete impacts.

References

  • https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html
  • https://github.com/borfast/arrispwgen
  • https://www.shodan.io/search?query=arris+port%3A%2223%22
  • https://www.shodan.io/search?query=SSH-2.0-ARRIS_0.50
  • https://www.shodan.io/search?query=net-dk
  • http://www.theregister.co.uk/2015/11/20/arris_modem_backdoor/
  • http://www.cert.br/docs/palestras/certbr-tcfirst2015.pdf
  • https://www.exploit-db.com/exploits/29131/
  • http://docsis.org/node/1575
  • http://cwe.mitre.org/data/definitions/255.html
  • http://cwe.mitre.org/data/definitions/259.html
  • http://cwe.mitre.org/data/definitions/80.html
  • http://cwe.mitre.org/data/definitions/352.html

Credit

Thanks to Bernardo Rodrigues for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2009-5149, CVE-2015-7289, CVE-2015-7290, CVE-2015-7291
  • Date Public: 20 Nov 2015
  • Date First Published: 20 Nov 2015
  • Date Last Updated: 23 Nov 2015
  • Document Revision: 66


Original Source

Url : http://www.kb.cert.org/vuls/id/419568

CWE : Common Weakness Enumeration

  • 50 % CWE-255 Credentials Management
  • 25 % CWE-352 Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
  • 25 % CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type: Os, Count: 5

Alert History

Date / Information
2015-11-23 21:32:25
  • Multiple Updates
2015-11-23 21:22:17
  • Multiple Updates
2015-11-21 17:27:47
  • Multiple Updates
2015-11-21 05:23:56
  • Multiple Updates
2015-11-20 21:23:32
  • First insertion