Alert: AT&T customers with Arris modems at risk of remote hacking, claim infosec bods

Just the usual procession of firmware vulnerabilities

By Richard Chirgwin

Posted in Security, 1st September 2017 02:01 GMT

Infosec consulting firm Nomotion has reported vulnerabilities in Arris broadband modems which it says are trivial to exploit and could affect nearly 140,000 devices.

The report claims the modems carry hard-coded credentials, a serious matter since a firmware update turned on SSH by default. That would let a remote attacker log in to the modem's cshell service and take a leisurely walk through most of the devices' controls and levers.

“The username for this access is remotessh and the password is 5SaP9I26”, Nomotion states.

The shell's capabilities include “viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the Internet” – and there's also access to a kernel module “whose sole purpose seems to be to inject advertisements into the user’s unencrypted web traffic.”

That last isn't in use in the modem, Nomotion's Joseph Hutchins writes – but the code is present and vulnerable.

The modems in question are the Arris NVG589 and NVG599, which Nomotion notes are provided as standard customer premises equipment for AT&T U-verse customers.

The bugs could have been added by AT&T rather than Arris, the report suggests: while “examining the firmware, it seems apparent that AT&T engineers have the authority and ability to add and customize code running on these devices, which they then provide to the consumer (as they should).”

The cshell runs as root, so any further bug reachable through it is trivially exploitable. For example, Hutchins provides a demonstration of a command injection using its ping functionality.
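The page does not reproduce Hutchins' injection, so the following is an added illustration rather than Nomotion's demonstration or the Arris/AT&T code. It shows the bug class in a hypothetical ping handler of the kind a management shell or web UI exposes: the vulnerable version concatenates the user-supplied target into a string handed to `sh -c`, so a target such as `127.0.0.1; id` runs a second command (as root, where the shell itself runs as root); the hardened version accepts only an IP literal or an RFC 1123 hostname and invokes `ping` with an argv list and no shell. The function names and the `-c 3` count are assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List

# --- vulnerable pattern (hypothetical; not the Arris/AT&T code) -------------

def vulnerable_ping_command(target: str) -> str:
    """The command string a naive handler builds.  Whatever the user typed is
    pasted in unescaped; passing this to a shell lets ';', '|', '$(...)' etc.
    start a second command that runs with the handler's privileges."""
    return "ping -c 3 " + target


def vulnerable_ping(target: str) -> subprocess.CompletedProcess:
    """Executes the string above through /bin/sh (shell=True): the injection
    point.  Shown for contrast only; do not run this against untrusted input."""
    return subprocess.run(vulnerable_ping_command(target), shell=True,
                          capture_output=True, text=True)


# --- hardened pattern -------------------------------------------------------

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, 253 characters overall.  Nothing else gets in.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_target(target: str) -> str:
    """Return the target if it is an IPv4/IPv6 literal or a valid hostname,
    otherwise raise ValueError.  Allow-listing the shape of the input is what
    stops shell metacharacters and option-like values ('-f') getting through."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"invalid ping target: {target!r}")


def build_ping_argv(target: str) -> List[str]:
    """argv for ping with the validated target as a single, separate argument.
    No shell is involved, so the target can never be parsed as syntax."""
    return ["ping", "-c", "3", validate_target(target)]


def run_ping(target: str, timeout: float = 15.0) -> subprocess.CompletedProcess:
    """Hardened handler: validated argv, shell=False, bounded runtime."""
    return subprocess.run(build_ping_argv(target), shell=False,
                          capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed inputs: the first is what an attacker would type.
    for t in ("127.0.0.1; id", "192.168.1.254", "gateway.example"):
        print("vulnerable builds:", repr(vulnerable_ping_command(t)))
        try:
            print("hardened builds:  ", build_ping_argv(t))
        except ValueError as e:
            print("hardened rejects: ", e)
```

The key point is not the regex but the combination of an allow-list on the input's shape and `shell=False`: even if a value slips past validation it reaches `ping` as one argument, never as shell syntax.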

Other vulnerabilities Hutchins says he's found in the modems include:

  • Default https server credentials – Hutchins isn't sure why there's an https server running on port 49955, but it's there, and the user “tech” with no password can access it;
  • Command injection – the same https server (named “caserver”) accepts requests to upload a firmware image, rifle through its internal databases, and send configuration commands via a set_data command;
  • More information disclosure and hard-coded credentials – a service on port 61001 leaks device information under the right conditions, including another set of credentials, “bdctest/bdctest”; and
  • A firewall bypass on port 49152.
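A practitioner with one of these gateways will first want to know whether the services above, and the SSH service from the hard-coded-credential finding, are actually reachable. The following exposure check is an added example, not Nomotion's tooling or anything from Arris or AT&T: it tests whether each reported TCP port accepts a connection and records any banner the service volunteers (an SSH server announces itself with `SSH-2.0-...`), and it deliberately never attempts a login with the reported credentials. It assumes SSH is on the standard port 22 (the article does not say), and the default target address and the dummy listener's banner are constructed for the offline demo. Run it only against equipment you own or are authorised to test.

```python
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple

# Ports named in the report.  Port 22 for SSH is an assumption; the article
# does not state which port the modem's SSH service listens on.
REPORTED_PORTS: Dict[int, str] = {
    22: "ssh (cshell; hard-coded remotessh account per the report)",
    49955: "https caserver (default 'tech' user, no password)",
    61001: "information-disclosure service (bdctest/bdctest)",
    49152: "firewall-bypass service",
}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out: not exposed to us
        return False


def grab_banner(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """Return the first bytes a service sends after connect, or None if it
    stays silent (HTTPS, for instance, waits for the client to speak first)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(256)
    except OSError:
        return None
    return data.decode("ascii", "replace").strip() or None


def check_exposure(host: str, ports: Iterable[int] = REPORTED_PORTS,
                   timeout: float = 2.0) -> Dict[int, Optional[str]]:
    """Map each port to its banner when open ('' if open but silent) or to
    None when closed/filtered.  No credentials are ever sent."""
    results: Dict[int, Optional[str]] = {}
    for port in ports:
        if tcp_open(host, port, timeout):
            results[port] = grab_banner(host, port, timeout) or ""
        else:
            results[port] = None
    return results


def exposed_ports(results: Dict[int, Optional[str]]) -> list:
    """Ports that accepted a connection, sorted."""
    return sorted(p for p, banner in results.items() if banner is not None)


def start_dummy_listener(banner: bytes) -> Tuple[int, threading.Event]:
    """Throwaway listener on 127.0.0.1 that sends `banner` and hangs up, so the
    checks can be exercised offline without a real modem.  Returns the
    ephemeral port and an Event; set the Event to stop the listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


if __name__ == "__main__":
    import sys
    # Assumed gateway LAN address; pass the real one as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.254"
    for port, banner in check_exposure(target).items():
        state = "closed/filtered" if banner is None else f"OPEN {banner!r}"
        print(f"{target}:{port:<6} {REPORTED_PORTS[port]}: {state}")
```

Checking from the LAN side tells you the services exist; the report's concern is reachability from the WAN, so repeat the check from an outside address against the gateway's public IP before concluding a device is not affected.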

Arris told Kaspersky's ThreatPost it's now analysing the report and will act to protect users if necessary. ®
