Last updated at Sat, 19 Aug 2017 03:18:07 GMT
Today, Rapid7 would like to disclose a pair of newly discovered vulnerabilities in consumer and SOHO-grade cable modems: the Arris DOCSIS 3.0 (aka Touchstone) cable modems and the Netmaster Wireless Cable Modems. Both exposures were discovered by Rapid7's Deral Percent_X Heiland and independent researcher Matthew Kienow. The duo plans to discuss these and other common vulnerabilities and configuration issues at DerbyCon near the end of September. In the meantime, let's explore each of these issues in turn.
R7-2014-13: Arris DOCSIS Exposure (CVE-2014-4863)
Affected Devices
ARRIS DOCSIS 3.0 / Touchstone Wideband Gateway. These devices can be fingerprinted as:
HW_REV: 3; VENDOR: Arris Interactive, L.L.C.; BOOTR: 2.3.1; SW_REV: 7.10.131; MODEL: DG950A.
The devices are manufactured by ARRIS. Information about the company can be found on their website, and the technical specifications of the affected device can be found here (PDF).
Vulnerability Description
By default, this device was found exposing critical information via the SNMP "public" community string. According to Shodan, over 50,000 of these devices are exposing SNMP to the internet. This device has been found to leak the following credential and Wi-Fi configuration information through the OIDs listed below:
Password: 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0
SSID: 1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12
WPA PSK: 1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12
WEP 64-bit Network Keys
* Key 1: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.1
* Key 2: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.2
* Key 3: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.3
* Key 4: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.4
WEP 128-bit Network Keys
* Key 1: 1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12.1
* Key 2: 1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12.2
* Key 3: 1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12.3
* Key 4: 1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12.4
Disclosure Timeline
Date | Description |
---|---|
June 5, 2014 (Thu) | Issue discovered and advisory written |
June 20, 2014 (Fri) | Vendor contact details sought |
July 9, 2014 (Mon) | Issue disclosed to CERT/CC |
August 15, 2014 (Fri) | CVE assigned by CERT/CC |
August 21, 2014 (Thu) | Details published |
R7-2014-14: Netmaster Wireless Cable Modem Exposure (CVE-2014-4862)
Affected Devices
Netmaster Wireless Cable Modem. These devices can be fingerprinted as:
HW_REV: 1.0; VENDOR: TEKNOTEL; BOOTR: 2.3.1; SW_REV: 81.447.392110.729.024; MODEL: CBW700N
The devices are manufactured by Netmaster. Information about the company can be found on their website (Turkish), and these devices are primarily in use in Turkey.
Vulnerability Description
By default, this device was found exposing critical information via the SNMP "public" community string. According to Shodan, 258,638 of these devices are exposing SNMP to the internet. This device has been found to leak the following credential and Wi-Fi configuration information through the OIDs listed below:
Username: 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
Password: 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0
SSID: 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32
WPA PSK: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32
WEP 64-bit Network Keys
* Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.1
* Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.2
* Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.3
* Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.4
WEP 128-bit Network Keys
* Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.1
* Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.2
* Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.3
* Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.4
Disclosure Timeline
Date | Description |
---|---|
June 5, 2014 (Thu) | Issue discovered and advisory written |
June 20, 2014 (Fri) | Vendor contact details sought |
July 9, 2014 (Mon) | Issue disclosed to CERT/CC |
August 15, 2014 (Fri) | CVE assigned by CERT/CC |
August 21, 2014 (Thu) | Details published |
Deral and Matthew intend to make Metasploit modules available to exercise these vulnerabilities near or during DerbyCon in late September. In the meantime, these issues can be trivially exercised with common SNMP query tools, such as snmpwalk and the like. If you'd like to race the original researchers in producing modules specific to these issues, you are welcome to open a Pull Request for the Metasploit Framework over on GitHub.
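As an added example that is not Rapid7's code, the researchers' forthcoming Metasploit modules, or anything from the vendors, the following Python script audits saved snmpwalk output against the OIDs listed in both advisories above (R7-2014-13 and R7-2014-14), so an operator can confirm whether their own modem returns these values over the public community string. The OIDs are copied from the advisory; the field labels, the enterprise-branch comments, the sample walk output and every value in it are our own constructions.

```python
"""Audit saved snmpwalk output for the credential and Wi-Fi OIDs listed in
R7-2014-13 (Arris) and R7-2014-14 (Netmaster). Added example, not Rapid7 code."""
import re
from typing import Dict, List, Optional, Tuple

# OIDs copied from the advisory text; the labels are ours (assumed meanings).
SENSITIVE_OIDS: Dict[str, str] = {
    # Branch under enterprise 4491, listed for both device families
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0": "admin username",
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0": "admin password",
    # Arris branch (enterprise 4115)
    "1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12": "Arris SSID",
    "1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12": "Arris WPA PSK",
    "1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12": "Arris WEP 64-bit key",   # .1 .. .4
    "1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12": "Arris WEP 128-bit key",  # .1 .. .4
    # Netmaster branch (enterprise 4413)
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32": "Netmaster SSID",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32": "Netmaster WPA PSK",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32": "Netmaster WEP 64-bit key",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32": "Netmaster WEP 128-bit key",
}

# One snmpwalk line: "<oid> = <TYPE>: <value>". Lines such as
# "<oid> = No Such Instance ..." carry no "TYPE:" and are skipped on purpose.
LINE_RE = re.compile(r"^\s*(\S+)\s*=\s*([A-Za-z-]+):\s*(.*)$")


def normalize_oid(token: str) -> str:
    """Turn the OID spellings net-snmp prints into plain dotted numeric form."""
    if token.startswith("SNMPv2-SMI::enterprises."):
        token = "1.3.6.1.4.1." + token[len("SNMPv2-SMI::enterprises."):]
    elif token.startswith("iso."):
        token = "1." + token[4:]
    return token.lstrip(".")


def classify(oid: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (label, key index) for a sensitive OID, else (None, None).
    WEP keys sit one arc below the listed OID, as .1 through .4."""
    if oid in SENSITIVE_OIDS:
        return SENSITIVE_OIDS[oid], None
    parent, _, last = oid.rpartition(".")
    if parent in SENSITIVE_OIDS and last.isdigit():
        return SENSITIVE_OIDS[parent], int(last)
    return None, None


def audit_walk(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Split matching lines into values actually exposed and values that are
    present but empty (typically unused WEP key slots)."""
    leaked: List[Tuple[str, str, str]] = []
    empty: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        oid = normalize_oid(m.group(1))
        label, idx = classify(oid)
        if label is None:
            continue
        if idx is not None:
            label = f"{label} {idx}"
        value = m.group(3).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # STRING values are printed in double quotes
        (leaked if value else empty).append((label, oid, value))
    return {"leaked": leaked, "empty": empty}


# Constructed sample in net-snmp output style; every value here is made up.
SAMPLE_WALK = """\
.1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 = STRING: "admin"
.1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 = STRING: "constructed-password"
iso.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12 = STRING: "HomeNet-2G"
SNMPv2-SMI::enterprises.4115.1.20.1.1.3.26.1.2.12 = STRING: "constructed-psk"
.1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.1 = Hex-STRING: 00 11 22 33 44
.1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.2 = STRING: ""
.1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.3 = No Such Instance currently exists at this OID
.1.3.6.1.2.1.1.5.0 = STRING: "cable-modem"
"""

if __name__ == "__main__":
    # Report which fields are reachable without printing the secrets themselves.
    result = audit_walk(SAMPLE_WALK)
    for label, oid, _ in result["leaked"]:
        print(f"EXPOSED  {label:28s} {oid}")
    for label, oid, _ in result["empty"]:
        print(f"empty    {label:28s} {oid}")
```

Feed `audit_walk` the saved output of the snmpwalk run mentioned above (net-snmp's `-On` prints OIDs numerically, which is the form the parser expects, though the `iso.` and `SNMPv2-SMI::enterprises.` spellings are handled too). Any entry in the `leaked` list confirms that the device is returning a credential or key over the public community string, and the practical fix is to make sure the SNMP service is not reachable from the WAN side at all, since the community string is the only thing standing between the modem and these values.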