Home-pwners: Cisco's Prime Home lets hackers hijack people's routers, no questions asked
Remote unauthenticated control over a vulnerable ISP's gear
Cisco is advising ISPs and other service providers using its Prime Home system to install a security update immediately – to squash a serious remote execution bug.
Switchzilla says the flaw, which was given a 10.0 CVSS score, could allow an attacker to log into the software as an administrator and remotely take control of thousands upon thousands of customers' home routers, broadband gateways and similar boxes.
"An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication," Cisco said today. "An exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges."
Note that "administrator" was italicized by the networking giant. Super serious.
Cisco pitches Prime Home as a "solution" for ISPs and connected device vendors, allowing companies to control devices such as ISP-issued cable modems, routers, and set top boxes in subscribers' homes from afar. It uses "Broadband Forum’s TR-069 suite of protocols to provision and manage in-home devices."
That means that a successful attack on an ISP's installation of Prime Home would allow a criminal to take administrator-level control of the Prime Home GUI and meddle with all the devices connected to that particular service. As there are no workarounds or mitigations for the bug, Cisco is recommending that administrators install the update as soon as possible.
"Administrators can verify whether they are running an affected version by opening the Prime Home URL in their browser and checking the 'Version:' line in the login window," Cisco says.
"If currently logged in, the version information can be viewed in the bottom left of the Prime Home GUI footer, next to the Cisco Prime Home text."
All versions of the software – from v220.127.116.11 to below – should be updated. The bug is designated CVE-2017-3791 and CWE-287.
The alert from Cisco comes as researchers and criminals alike are paying increased attention to network appliances and IOT devices. Earlier this week, researchers disclosed a pair of serious security flaws present in more than 30 models of Netgear home routers. ®