Patches for three critical vulnerabilities impacting broadband gateways made by Advanced Digital Broadcast (ADB) have been released to the public, nearly two years after the bugs were first found. Issues range from a privilege escalation flaw, an authorization bypass vulnerability and a local jailbreak bug.
Switzerland-based ADB manufactures routers and modems for over two dozen broadband and communications firms globally. The company also counts North America’s third-largest ISP Cox Communication and Charter Communications as customers. Neither Cox nor Charter returned Threatpost inquiries on if or how many of their customers may have been impacted by the vulnerabilities.
A wide range of ADB consumer and small-business broadband equipment is impacted. According to researchers, which are credited for discovering the vulnerabilities, flaws were first identified in equipment in June, 2016 by SEC Consult Vulnerability Lab. The “rollout” phase for patches began July, 2017. Public disclosure of the vulnerability was July 4, 2018.
One of the three critical vulnerabilities (CVE-2018-13108) is a local root jailbreak bug that can be exploited thanks to a network file sharing flaw. “By exploiting the local root vulnerability on affected and unpatched devices an attacker is able to gain full access to the device with highest privileges,” according to researchers.
Researchers said the “network file sharing” feature on ADB broadband devices can be accessed via the networking protocol Samba, used for USB devices. Hackers can abuse the Samba daemon (background process) and access the USB port “with highest access rights and exports the network shares with root user permissions.”
SEC Consult also identified a bug (CVE-2018-13109) in some versions of firmware used in ADB devices that allows an attacker to gain access to device settings otherwise forbidden to the user. “It is also possible to manipulate settings to [for example] enable the telnet server for remote access if it had been previously disabled by the ISP,” researchers wrote. As a prerequisite for the attack, an adversary would need a user account for login such as “the default one provided by the ISP or printed on the device,” researchers wrote.
ADB broadband gateways are also vulnerable to a privilege escalation flaw via Linux group manipulation that could allow an attacker to gain access to the command line interface (CLI) of the device, even if CLI was previously disabled by the ISP. “Depending on the feature-set of the CLI (ISP dependent) it is then possible to gain access to the whole configuration and manipulate settings in the web GUI and escalate privileges to highest access rights,” researchers wrote of the bug (CVE-2018-13110).
This hack (privilege escalation via Linux group manipulation) makes it possible for an attacker to manipulate the group name setting of “storage users” on ADB devices and overwrite the local Linux groups called “remoteaccess” or “localaccess” (in /etc/group), which defines access to Telnet or SSH.
According to SEC Consult, ADB has released updated firmware that address each of the vulnerabilities. Impacted are all ADB Broadband Gateways / Routers based on Epicentro platform.
Model numbers for the vulnerable hardware include ADB P.RG AV4202N, DV2210, VV2220, VV5522 and more, according to each of the security bulletins. Based on information available via the company’s website, impacted products may also include EVDSL/G.Fast/Fiber Gateway Dual-band Wireless AC1600 ST6840 and GPON Gateway Dual-band Wireless AC1600 VG4820 – each running the Epicentro platform.