Serious Vulnerabilities Disclosed in Modems Used by AT&T’s U-verse Service

Five vulnerabilities have been found in Arris-manufactured home networking equipment supplied in AT&T’s U-verse service. The vulnerabilities are considered so trivial to exploit that they have been disclosed to the public without waiting for remedial work from either Arris or AT&T.

On one of the vulnerabilities, Joseph Hutchins of Nomotion Software reported yesterday, “It is hard to believe that no one is already exploiting this vulnerability at the detriment of innocents. Which is why this report is not passing Go, not collecting $200, and is going straight to the public domain.”

Arris has said that it is investigating the claims and cannot yet comment; but that it will take any necessary action to protect users of its devices. SecurityWeek has reached out to AT&T, and will update this article with any response. 

It is worth noting that Arris is not a stranger to vulnerabilities — a talk “CableTap: Wireless Tapping Your Home Network” was recently delivered at Def Con. It is also worth noting that Nomotion is not certain whether the vulnerabilities it discusses come from Arris or AT&T; but makes the point that AT&T is responsible to its users.

Right now, U-verse users should be aware that these are serious vulnerabilities. Tod Beardsley, Research Director at Rapid7, told SecurityWeek by email that they “include three separate maintenance interfaces over SSH and two hidden HTTP-based services, all of which are reachable from the internet with hard-coded credentials and susceptible to command injection attacks. In addition, Nomotion discovered an unauthenticated firewall bypass vulnerability, which appears to be a rudimentary reverse TCP proxy, allowing unfettered access from the internet to computers on the LAN side. Any one of these vulnerabilities is disastrous for AT&T U-Verse customers, since they ultimately bypass any security controls offered by these modems.”

In the first vulnerability described by Nomotion, the latest firmware update for the NVG589 and NVG599 modems enables SSH and contains hardcoded credentials. It seems to be connected to a module whose sole purpose appears to be to inject advertisements into the user’s unencrypted web traffic. Although there is no evidence that the module is being used, “it is present, and vulnerable,” says Hutchins.

He goes on to describe one potential exploit, but adds that “one can guess that hundreds of additional vulnerabilities exist.” The Censys search engine reports that there are likely at least 14,894 vulnerable hosts.

The second vulnerability involves default credentials on the NVG599’s HTTPS server. “The username tech with an empty password field conveyed access to this highly vulnerable web server,” writes Hutchins.

The third vulnerability involves the same device, which is susceptible to a command injection attack. “There are countless ways to exploit this,” writes Hutchins, “but a few quick and dirty stacked commands using wget to download busybox with netcat (mips-BE) from an http server (no SSL support) and then spawn a reverse shell works well.” He estimates that there may be around 200,000 vulnerable hosts.

The fourth vulnerability involves a service on port 61001. This is considered the most prevalent but not the biggest threat. It requires knowledge of the device’s serial number. However, if this can be obtained, a “plethora” of information can be obtained. 

“The server will hang for several seconds before returning a response,” says Hutchins. “Afterwards, several pieces of invaluable information are returned about the modem’s configuration, as well as its logs. The most sensitive pieces of information are probably the WiFi credentials and the MAC addresses of the internal hosts, as they can be used for the next vulnerability.”

That fifth vulnerability is the most prevalent: a firewall bypass with no authentication. It simply requires the device’s MAC address. If not obtainable through the previous vulnerability, this can be brute-forced or WiFi-sniffed. “Basically,” says Hutchins, “if your neighbor knows your public IP address, you are in immediate danger of intrusion.”

Although Nomotion’s disclosure has not waited for remedial action from either AT&T or Arris, Hutchins does offer workarounds for each of the vulnerabilities. The difficulty here is that they tend to be technical solutions on home devices. 

“The firewall bypass issue is resolved by a fairly straight-forward configuration change on the modem’s normal configuration interface,” said Beardsley; “but it’s unlikely that most of AT&T customers will be comfortable with making these changes on their own.” The remaining workarounds are even more difficult, and require, said Beardsley, “some fairly advanced ‘self-hacking’ to implement… and that comes with its own risks of accidentally (and permanently) disabling the affected hardware through a misplaced typo. So, while customers who have the technical chops to implement these fixes have some hope of side-stepping disaster, the vast majority of U-Verse customers are strongly urged to make a service call to AT&T’s technical support for assistance and updates.”

In short, warns Beardsley, “These vulnerabilities present a golden opportunity for widespread, automated damage at the hands of malicious hackers, up to and including another Mirai-like mass-hijack of affected modems. AT&T U-Verse customers are urged to take this disclosure seriously, and keep a close watch on AT&T’s plans for pushing out updated firmware to resolve these issues.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
