Infosec consulting firm Nomotion has reported vulnerabilities in Arris broadband modems which it says are trivial to exploit and could affect nearly 140,000 devices.
The report claims the modems carry hard-coded credentials, serious since a firmware update turned on SSH by default. That would let a remote attacker access the modem's cshell service and take a leisurely walk through most of the devices' controls and levers.
“The username for this access is remotessh and the password is 5SaP9I26”, Nomotion states.
The shell's capabilities include “viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the Internet” – and there's also access to a kernel module “whose sole purpose seems to be to inject advertisements into the user’s unencrypted web traffic.”
That last isn't in use in the modem, Nomotion's Joseph Hutchins writes – but the code is present and vulnerable.
The modems in question are the Arris NVG589 and NVG599, which Nomotion notes are provided as standard customer premises equipment for AT&T U-verse customers.
The bugs could have been added by AT&T, the report says, since while “examining the firmware, it seems apparent that AT&T engineers have the authority and ability to add and customize code running on these devices, which they then provide to the consumer (as they should).”
cshell runs as root, which means any other vulnerability in the device also becomes trivial to exploit. For example, he provides a demonstration of a command injection using its
Other vulnerabilities Hutchins says he's found in the modems include:
- Default https server credentials – Hutchins isn't sure why there's an https server running on port 49955, but it's there, and user “tech” with no password can access it;
- Command injection – the same https server (named “caserver”) accepts commands to upload a firmware image; rifle through its internal databases; and send configuration commands with requests to a
- More information disclosure and hard-coded credentials – a service on port 61001 leaks device information under the right conditions, including another set of credentials, “bdctest/bdctest”; and
- A firewall bypass on port 49152.
Arris told Kaspersky's ThreatPost it's now analysing the report and will act to protect users if necessary. ®