Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability

Discussion in 'hardware' started by mood, Jan 10, 2020.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    28,999
    Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability
    Cable modems using Broadcom chips are vulnerable to a new vulnerability
    January 10, 2020

    https://www.zdnet.com/article/hundr...-vulnerable-to-new-cable-haunt-vulnerability/
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,216
    Isn't it considered prudent to put your own router between cable modems and your LAN?
     
  3. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    106
@mirimir They say the bug could be used to: Change default DNS server, Conduct remote man-in-the-middle attacks, Hot-swap code or even the entire firmware....
Can any connection through that router then be trusted (if it gets compromised)?
For me it seems you "just" need to exploit the websocket of a browser.

    "Because these parameters are never inspected by the cable modem, the websocket will accept requests made by javascript running in the browser regardless of origin, thereby
    allowing attackers to reach the endpoint." ....Once the websocket has been reached, the buffer overflow vulnerability can be exploited.

I got no clue; maybe other members got an idea how to stay safe.
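The missing origin check in the passage quoted above is something a WebSocket server can enforce at handshake time, before any request body is parsed. The following is an added example, not code from this thread, the Cable Haunt advisory, or any modem firmware; the allowed origins and the 192.168.100.1:8080 address are assumed values for the modem's management page.

```python
import base64
import hashlib

# GUID fixed by RFC 6455 for deriving Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Origins from which the modem's own pages would legitimately open a socket
# (assumed values for this example).
ALLOWED_ORIGINS = {"http://192.168.100.1:8080", "http://192.168.100.1"}


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP/1.1 request head into its request line and a lowercase header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def accept_key(sec_key: str) -> str:
    """Compute the Sec-WebSocket-Accept value the server must echo back."""
    digest = hashlib.sha1((sec_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake(raw: bytes) -> tuple[int, str]:
    """Return (status, payload) for an upgrade request.

    A permissive server, like the behaviour quoted above, skips the Origin
    test and accepts upgrades from any page; this one refuses cross-origin
    upgrades with 403 before the socket is ever established.
    """
    _, h = parse_request(raw)
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 400, "bad upgrade request"
    origin = h.get("origin")  # absent header is treated as not allowed
    if origin not in ALLOWED_ORIGINS:
        return 403, f"origin not allowed: {origin}"
    return 101, accept_key(h["sec-websocket-key"])


def upgrade_request(origin: str, key: str = "dGhlIHNhbXBsZSBub25jZQ==") -> bytes:
    """Build a constructed sample handshake as a browser would send it."""
    return (
        "GET /ws HTTP/1.1\r\nHost: 192.168.100.1:8080\r\n"
        "Upgrade: websocket\r\nConnection: Upgrade\r\n"
        f"Origin: {origin}\r\nSec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ).encode("ascii")
```

The default key is the RFC 6455 sample nonce, so the accept value can be checked against the RFC's published result.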
     
  4. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    173
    Location:
    USA
    There's not enough information to even publish a listing of which Broadcom chips are vulnerable.

    For now we get in a trickle of hardware model numbers to add to a meager but growing database.

    At this point there is nothing at all about it on Broadcom's home page.

    Best is to keep an eye on
    https://cablehaunt.com/
    and
    https://nvd.nist.gov/vuln/detail/CVE-2019-19494

    And, of course, the support page for your modem.

    As pointed out in various articles, "access to the vulnerable endpoint is gained through a client on the local network." As in your local network, not the internet.
     
    Last edited: Jan 14, 2020
  5. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    106
    @Surt Thanks for the answer. Seems like hope and wait if the isp patches their modems if needed :D

    The CVE states: "which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim's browser". How can it be my local network and not the internet if using a browser? (they even mention Firefox as more resilient in the FAQ on cablehaunt.com)
    If I totally misunderstood the concept of local network have mercy with me. I blame my knowledge/speech barrier (as a defense) :D
     
  6. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    173
    Location:
    USA
    The local network is whatever is connected on "your side" of the modem by a router, or a modem/router combo, with Ethernet (Cat cables) and/or Wi-Fi. The internet is on the "other side" of the modem, the coax cable connected to it.

The way this kind of attack works, someone on your side does something (by trickery or on purpose) on something on your side which will make your side capable of dirty deeds on the other side by exploiting something on your side.

If your modem is successfully attacked, Cable Haunt's dirty deeds will be commanded and controlled (C&C) on your side by someone on the other side for as long as the coax cable is connected to your modem, or until you power it off. I believe you can even power down/unplug/disconnect/turn off Wi-Fi everything on your side and the modem, coax cable connected and powered up, of course, will continue to act out.

    No one on the other side can simply scan for vulnerable modems and execute the Cable Haunt code.

    That's my understanding and I could stand to be corrected.

    Your command of American, um, English is far better than those for whom it is native. :D
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,216
    As I understand this, some website exploits your browser. And then your exploited browser exploits your modem/router.

    However, if there's an intervening NAT router, said exploited browser can't reach your modem/router. So you're safe (from this).
     
  8. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,414
    Location:
    USA
    Hats off to my Little Router on the Prairie...
     
  9. Freki123

    Freki123 Registered Member

    Joined:
    Jan 20, 2015
    Posts:
    106
    @Surt Thanks for the explanation I really appreciate it :)
    Also a big thanks to all the other members for the info.
     
  10. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    173
    Location:
    USA
Correct. I should have been more specific rather than my "this kind of attack" general detail. For the vast unwashed home and small biz networks in common use, someone in the building has to be using a browser and inadvertently stumble upon some website. The exploit is not delivered to the modem via the coax cable by someone on a fishing expedition. Which is not to dismiss the serious nature of the issue, which as we all know is not restricted to Cable Haunt.

    Could you cite the source for that conclusion?

Wouldn't that call for, in its simplest setup, the user having their modem wired directly from the modem's Ethernet port to their one PC's NIC? Or to a switch (or Wi-Fi AP) or a common router with NAT disabled, which would then require each connected device to lease its own IP address from the ISP?

    As well, many of the known vulnerable devices are modem & NAT router combos.

Personally though, I can only speak on my experience helping set up friends and relatives some 40+ times over the past 15 years or so; Cox and US West/Century Link won't have it any other way than NAT. Otherwise, I'm certain the vast unwashed masses are using NAT to connect multiple devices in home and small biz networks and nothing I've seen tells they're not vulnerable to Cable Haunt. I think the text string, NAT, would have caught everyone's attention.

    It also might be I'm not understanding exactly what you mean by "intervening NAT router."

    Thanks.
     
  11. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    173
    Location:
    USA
    But for the Intel based CM700, apparently all Netgear CM series cable modems are Broadcom and therefore vulnerable.

    jvroom, a user in the Netgear Community, has an interesting post in that navigating to 192.168.100.1:8080 opens the web screen for the vulnerable "ISP side," though it is not mentioned if anything operational, as in tweaking, is accessible by the user. I doubt it. (Port 80 opens the Genie web screen for the user showing operational status, channel bonding lists and logs.)

    And...
    Of course, the addresses for your Netgear modem and your gateway, whatever the brand, might be different.

    While I'm at it, it should be mentioned cable modems are generally upgraded by the ISP regardless of ownership. There are separate versions for ISPs as here, for example:
    https://kb.netgear.com/000036375/What-s-the-latest-firmware-version-of-my-NETGEAR-cable-modem-or-modem-router

    Cheers.
     
    Last edited: Jan 14, 2020
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,216
    Experience.

    So there's the cable modem/router. Then there's a NAT router, with its WAN port connected to the cable modem/router's LAN port.

    But sorry, I neglected to mention that there's a VPN client in the NAT router, with everything forwarded through the tunnel.

    With no VPN, you'd need a rule in the NAT router to block access to the cable modem/router's LAN subnet.
     
  13. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    173
    Location:
    USA
    Interpreted otherwise: With VPN, access to the cable modem/router's LAN subnet is blocked.

    I've worked with VPNs in enterprises though I'd be hard pressed to recall any specific details, the passing years having mashed 'em into a blob of recollections. But the concept of "the tunnel" still resonates. That said, I haven't had any VPN hands on in the home networks I've worked for those with whom I barter services or gift favors.

Anyhow, no disrespect intended or seeking engagement in a circular discourse, but VPN in this context doesn't sound right.

    In assessing your logic, with the VPN enabled and blocking the LAN subnet, I couldn't use a browser to open the router's setup pages on 192.168.0.1. Ditto the modem's 192.168.100.1 pages (one being the path traveled to by the attack)?? Or my NAS's setup pages...

And again, if VPN use rendered the one-time Cable Haunt LAN-side exploit delivery ineffective, how is it that it escaped the overwhelming news about it? Including the authors of https://cablehaunt.com who are the folks who discovered it. Surely, VPN would get a mention in their FAQ > What should I do? > As a User.

    One could unplug the LAN cable(s) from the modem and the ISP can still access it, change settings, blast new firmware. Aside from the one action on the LAN, a payload delivered to the modem, it's the modem itself that becomes the malicious actor no longer dependent on the LAN.
    BTW! Glancing suspiciously at my "imported" smart hand soap dispenser...
     
  14. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    173
    Location:
    USA
    I have one of those, now residing in my Historic Device Carton.

The need for a gigabit LAN for efficient NAS backups required its retirement. :(
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,216
    @Surt - Nothing in your workspace OS can affect the broadband router if it can't reach it.

    So I'm working in a Debian VM. It normally connects through a pfSense VM that connects to an IVPN server. Let's say that the subnet is 192.168.100.0/24. So for testing, I created another pfSense VM, with WAN on that subnet, and LAN 192.168.1.0/24. And then attached this VM to 192.168.1.0/24.

    Now I can reach both 192.168.1.1 and 192.168.100.1 from my browser.

    However, if I add a rule blocking access from LAN to 192.168.100.0/24, 192.168.100.1 is no longer reachable.

    And further, the pfSense gateway VM for IVPN connects through a pfSense gateway VM for another VPN service. And I can't reach its WebGUI from here, because all LAN traffic is forwarded through the IVPN server.
     