January 14, 2020
Severity
High
Analysis Summary
Security researchers have disclosed serious flaws in hundreds of millions of cable modems that they say could be exploited without leaving a trace. The researchers say the flaw exists in middleware built into chips manufactured by semiconductor giant Broadcom that are widely used in cable modems. Due to a websocket implementation flaw, devices that are only exposed to a local network could still be remotely exploited by attackers via a buffer overflow. The buffer overflow flaw exists in the Broadcom chip’s spectrum analyzer, which is meant to identify problems with a cable connection, such as interference. In addition, they report having found other flaws that attackers could also use, including the ability to conduct DNS rebinding – manipulating the resolution of domain names – and to make direct JavaScript requests to devices, aided by hardcoded access credentials built into many cable modems.
CVE-2019-19494
Broadcom based cable modems across multiple vendors are vulnerable to a buffer overflow, which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim’s browser.
CVE-2019-19495
The web interface on the Technicolor TC7230 STEB 01.25 is vulnerable to DNS rebinding, which allows a remote attacker to configure the cable modem via JavaScript in a victim’s browser. The attacker can then configure the cable modem to port forward the modem’s internal TELNET server, allowing external access to a root shell.
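As an added defensive illustration (not code from the Rewterz alert or from the researchers' test script), the following Python filter shows the resolver-side mitigation for the DNS rebinding step in CVE-2019-19495: answers that map an internet hostname to a private, loopback, link-local or unspecified address are dropped before a browser can reuse that name against the modem's LAN interface. The sample answers and the `.lan`/`.home` allow-list of names permitted to resolve locally are constructed assumptions.

```python
import ipaddress

# Constructed sample answers: an attacker-controlled name first resolves to a
# public address, then is re-answered with the modem's LAN address (the
# rebinding step); "modem.lan" is a legitimately local name.
SAMPLE_ANSWERS = [
    ("evil.example", "8.8.8.8"),
    ("evil.example", "192.168.100.1"),
    ("evil.example", "::ffff:192.168.100.1"),
    ("evil.example", "0.0.0.0"),
    ("modem.lan", "192.168.100.1"),
    ("cdn.example", "1.1.1.1"),
]

# Assumed allow-list: name suffixes that may legitimately resolve to LAN addresses.
LOCAL_NAME_SUFFIXES = (".lan", ".home")


def is_internal(addr: str) -> bool:
    """True if addr points into the local network rather than the internet."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot bypass the check.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast)


def filter_rebinding(answers, local_suffixes=LOCAL_NAME_SUFFIXES):
    """Split A/AAAA answers into kept and dropped; an answer is dropped when a
    non-local name resolves to an internal address (a rebinding attempt)."""
    kept, dropped = [], []
    for name, addr in answers:
        name_is_local = name.lower().endswith(local_suffixes)
        if is_internal(addr) and not name_is_local:
            dropped.append((name, addr))
        else:
            kept.append((name, addr))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_rebinding(SAMPLE_ANSWERS)
    for name, addr in dropped:
        print(f"dropped rebinding answer: {name} -> {addr}")
```

Resolvers such as dnsmasq offer the same protection as a built-in option; this block makes the decision rule explicit so it can be tested against captured answers.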
Attack Flow:
First, access to the vulnerable endpoint is gained through a client on the local network, such as a browser. Secondly, the vulnerable endpoint is hit with a buffer overflow attack, which gives the attacker control of the modem. Once attackers gain control of the modem, they could abuse it in multiple ways:
DNS: Attackers could change the default DNS server, allowing them to eavesdrop on all traffic.
MiTM: Man-in-the-middle attacks could be launched against modem users.
Flash: Attackers could swap out or flash the firmware on devices, as well as disable ISP upgrades.
Configure: Every configuration file or setting could be altered.
SNMP: Attackers could alter Simple Network Management Protocol (SNMP) information, which is used to monitor device performance and status.
MAC: All MAC addresses associated with the modem could be changed.
Serial numbers: Attackers could alter serial numbers.
Zombie: Vulnerable devices could be pressed into service as “zombie” nodes in a botnet.
Even if your modem is not in the list below, it could still be vulnerable: many modems other than the ones mentioned below are also affected.
Impact
- Remote Code Execution
- Security Bypass
- Data Manipulation
Affected Vendors
- Sagemcom
- Technicolor
- NETGEAR
- COMPAL
Affected Products
- Technicolor TC7230 STEB 01.25
- Sagemcom F@st 3890 prior to 50.10.21_T4
- Sagemcom F@st 3890 prior to 05.76.6.3f
- Sagemcom F@st 3686 3.428.0
- Sagemcom F@st 3686 4.83.0
- NETGEAR CG3700EMR 2.01.05
- NETGEAR CG3700EMR 2.01.03
- NETGEAR C6250EMR 2.01.05
- NETGEAR C6250EMR 2.01.03
- COMPAL 7284E 5.510.5.11
- COMPAL 7486E 5.510.5.11
Remediation
Only five ISPs have reportedly patched all vulnerable devices they have issued to customers:
- TDC
- Stofa
- Get AS
- Telia
- Com Hem / Tele2
Given below is a GitHub vulnerability test that can be used by network administrators and cable modem users to evaluate whether their device is at risk.