ARRIS SURFboard Modems Plagued by CSRF Flaw

Several ARRIS SURFboard broadband cable modem models suffer from a cross-site request forgery (CSRF) vulnerability that allows an attacker to reboot them without authentication.

The issue was discovered in ARRIS (formerly Motorola) SURFboard 6141 broadband cable modems running under firmware released by Time Warner Cable. The modem’s LAN-side web interface, which can be accessed by typing a fixed IP address, does not require authentication and is susceptible to the CSRF flaw through which the modem can be rebooted with a single click.

SURFboard 6141 is one of the most popular ARRIS modems to date, but the exact number of sold devices isn’t known at the moment. While the modem’s product page said last week that the company distributed 135 million units, the mention has since been removed.

However, with other models affected as well, including SURFboard 5100 and 6121, millions of units could indeed be affected. The SURFboard 5100 model was discovered to include the same vulnerability eight years ago, when the devices were sold under Motorola’s brand, while the issue with SURFboard 6121 devices was reported last year.

The main issue with the newer model is the fact that diagnostic data is accessible by simply browsing to 192.168.100.1 from the local network, with no login required. The UI includes other functions as well, including one to reset the modem to factory settings, and another to reboot it, an operation that takes around 3 minutes to complete, David Longenecker, the researcher who discovered the bugs, says.

Basically, anyone that can connect to the local network can access the UI and reboot the modem. The big issue is that the modem can also be reset to factory settings from the same interface, a process that could take more than 30 minutes to complete, and which might even require the user to call the ISP to initiate reactivation.

In addition to these issues, these modems are plagued by said CSRF flaw, which can be exploited to reboot them when the user clicks a link. The problem is that the application does not verify whether the reboot command was issued from the administration UI, a flaw that goes hand in hand with the lack of authentication.

The researcher even came up with a proof of concept website, http://RebootMyModem.net, where users can “test” their modems. One thing they should keep in mind when accessing the site, however, is that it might reboot the device and deny them access to the Internet for around three minutes.

What should also be noted is that all these issues affect the consumer-oriented, LAN-side administrative interface, and not the ISP-oriented, WAN-side one. The researcher managed to demonstrate all flaws on a SURFboard 6141 modem running firmware SB_KOMODO-1.0.6.14-SCM01-NOSH, deployed to Time Warner Cable customers, but other models and other ISPs may have the same design flaw.

The issue can supposedly be resolved via a firmware update that would add a username and password requirement to the UI when performing reboot requests or other disruptive actions such as resetting the device. Furthermore, it would also need to validate that requests originate from within the application and not from external sources.
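
The two server-side checks such a fix calls for, sketched as an added example (not ARRIS firmware code and not the researcher's): a login requirement plus proof that the request came from the admin UI itself. The trusted origin uses the LAN address cited in the article; the function names, the `csrf_token` field and the sample requests are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the admin UI is served from the fixed LAN address the article cites.
TRUSTED_ORIGIN = "http://192.168.100.1"

def new_session():
    """Session state created after a successful username/password login."""
    return {"authenticated": True, "csrf_token": secrets.token_urlsafe(32)}

def _origin_of(headers):
    """Origin header if present, otherwise scheme://host[:port] taken from Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    ref = urlsplit(headers.get("Referer", ""))
    return f"{ref.scheme}://{ref.netloc}" if ref.scheme and ref.netloc else None

def authorize_state_change(method, headers, form, session):
    """Return (allowed, reason) for a disruptive action such as reboot or reset."""
    if method != "POST":
        return False, "state change must use POST"
    if not session or not session.get("authenticated"):
        return False, "login required"
    # Requests with no Origin and no Referer are rejected as well (fail closed).
    if _origin_of(headers) != TRUSTED_ORIGIN:
        return False, "request did not originate from the admin UI"
    sent = form.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), session["csrf_token"].encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"

if __name__ == "__main__":
    s = new_session()
    # Constructed sample requests (not captured traffic).
    cases = {
        "link click from another site, no login":
            ("GET", {"Referer": "http://example.test/page"}, {}, None),
        "cross-site POST riding a logged-in session":
            ("POST", {"Origin": "http://example.test"}, {}, s),
        "same-origin POST without token":
            ("POST", {"Origin": TRUSTED_ORIGIN}, {}, s),
        "admin UI form submit":
            ("POST", {"Origin": TRUSTED_ORIGIN}, {"csrf_token": s["csrf_token"]}, s),
    }
    for name, args in cases.items():
        print(f"{name}: {authorize_state_change(*args)}")
```

The first constructed case corresponds to the behaviour the article describes, where neither check exists; only the last case passes all four.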

 

While this seems simple enough in theory, there’s a catch, as cable modems are not always consumer-upgradable. What this means is that ARRIS needs to provide the ISP with the update, which in turn applies the firmware and configuration to these modems, even if they are consumer-owned devices.

The researcher says he contacted ARRIS to report the issue in January, but that the company only informed him that the email was forwarded to the security team, without offering any additional updates or details on their plans on the matter. However, after the public disclosure, ARRIS reportedly said that it was working with ISPs to push a firmware update to users.  
