Hackers may be able to remotely take complete control of cable modems from various manufacturers due to a critical vulnerability affecting a middleware component shipped with some Broadcom chips.
The vulnerability, dubbed Cable Haunt and tracked as CVE-2019-19494, was identified by researchers from Lyrebirds and an independent expert. They’ve reproduced the attack on ten cable modems from Sagemcom, Netgear, Technicolor and COMPAL, but other manufacturers also likely use the Broadcom chip containing the vulnerability.
The researchers estimate that 200 million modems were initially affected by this vulnerability in Europe alone. However, over the past year they have been notifying affected ISPs — cable modems are typically provided to internet users by ISPs — and four companies in Denmark and Norway have reported patching their devices after being notified.
The flaw is related to a tool called spectrum analyzer, which uses a websocket to communicate with the device’s graphical interface in the browser. The vulnerable tool is only exposed to the local network, but Cable Haunt attacks can also be launched from the internet by getting the targeted user to visit a malicious website or a site that serves malicious ads.
A hacker can set up a website that launches a DNS rebinding attack to gain access to the local network and execute the Cable Haunt exploit. DNS rebinding allows a remote hacker to abuse a targeted user’s web browser to directly communicate with devices on the local network — in this case with the cable modem.
The researchers who discovered Cable Haunt explained that cross-origin resource sharing (CORS) in the browser should prevent such attacks, but they discovered that all of the tested modems were vulnerable to DNS rebinding.
Once the attacker has gained remote access to a modem, they can exploit a buffer overflow vulnerability in the spectrum analyzer component to execute arbitrary code on the device. An attacker could change DNS and other settings, conduct man-in-the-middle (MitM) attacks, change the device’s firmware, obtain information about the device, and make the modem part of a botnet, the researchers said.
While in some cases the modems require authentication before accepting requests, the researchers found that all the tested devices have default credentials that can be used for this purpose. It’s worth noting that these are not the credentials for the device’s administration panel, but for the spectrum analyzer tool.
The researchers have made their findings public, including by setting up a dedicated website and publishing a detailed research paper, in an effort to raise awareness of the vulnerability and the risks. They have also released a proof-of-concept (PoC) exploit that can be used to determine if a device is vulnerable.
Related: Credential Leaking Vulnerabilities Impact Comba, D-Link Routers
