
Exploit that gives remote access affects ~200 million cable modems (ars technica)

Posted Jan 14, 2020 15:40 UTC (Tue) by Wol (subscriber, #4433)
In reply to: Exploit that gives remote access affects ~200 million cable modems (ars technica) by marcH
Parent article: Exploit that gives remote access affects ~200 million cable modems (ars technica)

> Another, unrelated question: does the vulnerability require the home subnet to include the cable's modem IP address? (192.168.100.1 apparently?)

That's an RFC1918 address, used all the time for NAT'ing, so yes that appears to be the address the modem uses to talk to the home subnet!

Different modems/routers may play with the 3rd octet - it's often 0 or 1, and play with the 4th octet - it's usually 1 or 254, but you can pretty much guarantee on finding your modem or router at that address from your local device. Probably why security-conscious users change the 3rd octet to something random if they can.

Cheers,
Wol



Broadcom33xx SoC

Posted Jan 16, 2020 15:42 UTC (Thu) by johnjones (guest, #5462)

this is a Broadcom Firmware vulnerability and the closed source nature of their Firmware means all those gateways are targets

the ISP normally will be responsible for supplying the Modem and if you are unable to patch it under EU law they might well be liable for damages...

Exploit that gives remote access affects ~200 million cable modems (ars technica)

Posted Jan 20, 2020 1:17 UTC (Mon) by dcoles (subscriber, #80488)

> Probably why security-conscious users change the 3rd octet to something random if they can.

Somewhat surprisingly, it's actually the people who use the *same* prefix (i.e. 192.168.100.x) that are "safe" with this particular exploit.

To understand why, look at how a typical NAT router + cable modem are set up:

[Computer] -- [NAT Router] -- [Cable Modem] -- [Internet]

Your Cable Modem bridges traffic between your ISP ("The Internet") and your NAT Router, so typically is completely transparent at the IP layer. However it still controls all traffic in/out of your network.

When you try and connect to 192.168.100.1 (and not using 192.168.100.x for your LAN), your computer sends traffic to the default route (the NAT Router, e.g. 192.168.1.1) because it knows this address isn't reachable on the local subnet. Your NAT router will dutifully forward this packet towards its default route (your ISP) where it is intercepted and handled by the Cable Modem.

Your NAT router rewrites the source address of the packet (e.g. 192.168.1.10), but leaves destination addresses untouched (even if they're RFC 1918 "private" addresses). This is totally legal to do (and many ISPs that use "carrier grade NAT" rely on this), so long as these addresses don't leak out onto the wider "public Internet".

So what happens if your LAN *does* use the same prefix as 192.168.100.1?

Well, in this case your computer thinks that the address should be reachable on the local subnet, thus will never send these packets to the NAT router, thus making the Cable Modem's address unreachable and preventing you from being vulnerable to this exploit.
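The routing decision described in the comment above, worked through as an added example (not code from the thread or from any modem vendor): a longest-prefix-match lookup over a typical LAN host's routing table shows which LAN configurations hand a packet for 192.168.100.1 to the NAT router (from where it reaches the modem) and which shadow it as an on-link address. The LAN addresses and gateways are constructed; only the modem address comes from the thread.

```python
from ipaddress import IPv4Address, ip_address, ip_network

# Management address the thread gives for the cable modem.
MODEM_ADDR = IPv4Address("192.168.100.1")


def route_lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) entries.

    A next_hop of None means the destination is on-link: the host
    resolves it with ARP on its own segment instead of using a gateway.
    """
    dst = ip_address(dst)
    best = None
    for net, via in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def host_routes(lan_cidr, gateway):
    """Routing table of a typical LAN host: connected prefix + default route."""
    return [
        (ip_network(lan_cidr, strict=False), None),       # on-link prefix
        (ip_network("0.0.0.0/0"), ip_address(gateway)),   # default via NAT router
    ]


def modem_path(lan_cidr, gateway, modem=MODEM_ADDR):
    """Where a packet from this host to the modem address goes.

    'router' : handed to the default gateway, which NATs the source and
               forwards it upstream, where the modem intercepts it.
    'on-link': the host looks for the address on its own segment, so the
               modem never sees the packet (its address is shadowed).
    """
    via = route_lookup(host_routes(lan_cidr, gateway), modem)
    return "on-link" if via is None else "router"


if __name__ == "__main__":
    # Constructed LAN configurations following the thread's argument.
    for lan, gw in [("192.168.1.10/24", "192.168.1.1"),        # common default
                    ("192.168.37.10/24", "192.168.37.1"),      # "random" 3rd octet
                    ("192.168.100.10/24", "192.168.100.254"),  # same /24 as modem
                    ("192.168.0.10/16", "192.168.0.1")]:       # /16 covering it
        print(f"{lan:20} -> {modem_path(lan, gw)}")
```

Randomising the third octet still produces "router", because 192.168.100.1 then falls outside the connected prefix and goes to the default route; only a LAN prefix that contains the modem address yields "on-link".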


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds