UPDATED
Multiple cable modems used by ISPs to provide broadband into homes have a critical vulnerability in their underlying reference architecture that would allow an attacker full remote control of the device. The footprint for the affected devices numbers in the hundreds of millions worldwide.
Dubbed “Cable Haunt” by researchers at Lyrebirds, the bug (CVE-2019-19494) is found in cable modems across multiple vendors, including Arris, COMPAL, Netgear, Sagemcom, Technicolor and others. It originated in reference software written by Broadcom, researchers said, which has been copied by different cable-modem manufacturers and used in the devices’ firmware. The bug essentially allows a buffer overflow, which could enable a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim’s browser, according to the CVE writeup.
More specifically, “the cable modems are vulnerable to a DNS rebind attack followed by overflowing the registers and executing malicious functionality,” explained the researchers, in a technical paper on the attack. “The exploit is possible due to lack of protection against DNS rebind attacks, default credentials and a programming error in the spectrum analyzer.”
Lyrebirds researchers said that 200 million modems are potentially affected in Europe alone; they focused their research on European ISPs, many of which are already rolling out updates to fix the flaw. However, many of the same modems are used in North America, so Cable Haunt isn’t restricted by geography. Users can check to see if they’re affected using a test script that the researchers released in tandem with the bug details.
As far as U.S. ISPs, “we are rapidly testing all our in-home broadband equipment, determining any vulnerability and the best steps to mitigate, as needed,” a Cox spokesperson told Threatpost.
A Charter spokesperson meanwhile told us that Charter is “currently working with each of our vendors to determine if their equipment is vulnerable and when we could expect to see a firmware upgrade.”
Comcast, for its part, did not return a request for comment.
The Attack
In a proof-of-concept (PoC) exploit, researchers were able to demonstrate a two-step attack: First, they compromised the spectrum analyzer component on board a modem, which resulted in local access. The spectrum analyzer uses a websocket for communication with the graphical frontend displayed in a browser, and a server must verify the relevant request parameters added by the browser. However, “because these parameters are never inspected by the cable modem, the websocket will accept requests made by JavaScript running in the browser regardless of origin, thereby allowing attackers to reach the endpoint,” researchers explained.
In the second step, they show that a DNS rebind attack can be used to gain remote access to the compromised spectrum analyzer. DNS rebinding is a technique that turns a victim’s browser into a proxy for attacking private networks.
“Without this DNS rebind attack, the spectrum analyzer would only be exploitable on the local network,” they wrote.
Through malicious communication with the endpoint, a buffer overflow can be exploited to gain control of the modem.
“The websocket requests are given as JSON,” the paper explained. “The parser which interprets this JSON request will copy the input parameters to a buffer, regardless of length, allowing values on the stack to be overwritten. Among these values are saved registers, such as the program counter and return address. With a carefully crafted message the modem can be manipulated to execute arbitrary code specified by a remote attacker.”
If successfully exploited, the vulnerabilities can give attackers “full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP,” the researchers explained, adding that attackers could intercept private messages, redirect traffic, add the modems to botnets, replace their firmware and more. They could also direct the modem to ignore remote system updates, which could complicate any patching process.
This post was updated at 11:30 a.m. ET on Jan, 14, 2020 to include statements from the top U.S. cable companies.
Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.