'Cable Haunt' Modem Flaw Leaves 200 Million Devices at Risk
Researchers: Buffer Overflow Allows Attackers to Seize Full Control of Unpatched Devices
Security researchers have disclosed serious flaws in hundreds of millions of cable modems that they say could be exploited without leaving a trace.
The researchers say the flaw exists in middleware built into chips manufactured by semiconductor giant Broadcom that are widely used in cable modems. Because of a flaw in that middleware's WebSocket implementation, devices that are exposed only to a local network could still be exploited remotely via a buffer overflow, allowing attackers to execute arbitrary code on the device.
The research team has dubbed such attacks Cable Haunt and says "an estimated 200 million cable modems in Europe alone" are at risk. They say every cable modem they have tested has been at risk, although some internet service providers have now developed and deployed firmware that mitigates the problem.
Broadcom says it issued updated firmware code to fix the flaw eight months ago. "We have made the relevant fix to the reference code and this fix was made available to customers in May 2019," a spokeswoman tells Information Security Media Group. Service providers who have issued a patch will have based it on Broadcom's code updates.
The vulnerability, originally codenamed "Graffiti," was discovered and has been disclosed by Alexander Dalsgaard Krog, Jens Hegner Stærmose and Kasper Kohsel Terndrup of Danish cybersecurity consultancy Lyrebirds, together with independent security researcher Simon Vandel Sillesen.
Has the flaw been abused by attackers in the wild? "Maybe," the researchers write on the Cable Haunt site. "We haven't found any evidence that suggests abuse, however a fairly skilled person could easily hide their exploitation."
"We have worked hard for nearly a year now to try and spread the information amongst ISPs, manufacturers and suppliers," the researchers write, explaining their decision to publicly disclose the flaw now. "And even while some have been graciously working with us, we could tell that it would have taken us several years to get the information out."
The vulnerability has been designated CVE-2019-19494. Another version of the vulnerability, CVE-2019-19495, only exists in the Technicolor TC7230 modem, as detailed in a 32-page technical report (PDF) released by the researchers.
"Cable Haunt is exploited in two steps," they say. "First, access to the vulnerable endpoint is gained through a client on the local network, such as a browser. Secondly the vulnerable endpoint is hit with a buffer overflow attack, which gives the attacker control of the modem."
Once attackers gain control of the modem, they could abuse it in multiple ways, the researchers warn:
- DNS: Attackers could change the default DNS server, allowing them to eavesdrop on all traffic.
- MiTM: Man-in-the-middle attacks could be launched against modem users.
- Flash: Attackers could swap out or flash the firmware on devices, as well as disable ISP upgrades.
- Configure: Every configuration file or setting could be altered.
- SNMP: Attackers could alter Simple Network Management Protocol information, which is used to monitor device performance and status.
- MAC: All MAC addresses associated with the modem could be changed.
- Serial numbers: Attackers could alter serial numbers.
- Zombie: Vulnerable devices could be pressed into service as "zombie" nodes in a botnet.
So far, the researchers note, five ISPs report having patched all vulnerable devices they've issued to customers:
- TDC in Denmark
- Stofa in Denmark
- Get AS in Norway
- Telia Norway
- Com Hem / Tele2 in Sweden
Which specific makes and models are at risk? The researchers say that ISPs have confirmed to them that these 10 types of modems are vulnerable and need patching to be protected.
- Sagemcom F@st 3890
- Sagemcom F@st 3686
- Technicolor TC7230
- Netgear C6250EMR
- Netgear CG3700EMR
- Sagemcom F@st 3890
- Sagemcom F@st 3686
- Compal 7284E
- Compal 7486E
- Netgear CG3700EMR
In addition, the researchers say that others have found that these five also require firmware fixes.
- Technicolor TC4400
- Surfboard SB8200
- Netgear CM1000
- Netgear CM1000-1AZNAS
- Arris CM8200A
Even so, "if your modem is not in the lists above it could still be vulnerable," the researchers say. They have released a test script via GitHub that can be used by network administrators and cable modem users to evaluate whether their device is at risk.
"We've received community reports about the Surfboard SB8200 and TC 4400 being vulnerable to Cable Haunt. Many of these are used in the US. We have not confirmed this ourselves yet. #cybersecurity #vulnerability #infosec #cablehaunt"
— Lyrebirds (@lyrebirds_dk) January 11, 2020
While the researchers' tests so far appear to have been largely confined to Europe, devices in use in many other regions are also likely to have the flaw.
Branded: Buffer-Overflow Flaw
The researchers say they're going public now to focus attention on the problem as well as help users to defend themselves.
"Without a way of unifying the issue across vendors, the chances of it being fixed universally were very slim," they say. "At this rate, it would eventually leak out of our hands and into organizations with time and resources to take advantage of the vulnerability. This is not fair for the users and would help expand, on scale, the ever-growing problems with cybersecurity companies and people face every day."
The researchers say they made the controversial decision to brand the flaw - following in the footsteps of Heartbleed, Meltdown, Spectre and others - to also help educate users, get everyone on the same page and drive ISPs to move more quickly (see: Perpetual 'Meltdown': Security in the Post-Spectre Era).
Explaining the name choice, the researchers say the flaw has silently and invisibly haunted cable modems for many years. "Due to its origins in reference code, it will be hard to truly say when it has been exorcised from all affected modems," they say. "Also, Spectre was taken."
This story has been updated with comment from Broadcom.