
Exploit that gives remote access affects ~200 million cable modems (ars technica)

Posted Jan 14, 2020 17:36 UTC (Tue) by hmh (subscriber, #3838)
In reply to: Exploit that gives remote access affects ~200 million cable modems (ars technica) by Cyberax
Parent article: Exploit that gives remote access affects ~200 million cable modems (ars technica)

It is your bog standard "man-in-the-browser attack vector to the subnet gateway", being used to deliver an attack (specific to the firmware on those cable modems, likely something from a chipset vendor SDK) to escalate privileges using a vulnerable service in those cable modems that is left wide-open to the LAN.

Man-in-the-browser as an attack vector is so common, it is not funny: it is an expected misuse case.

Setting the CPE to bridge mode, adding an openwrt-based router to the front of that CPE, and firewalling off the CPE's administrative IP addresses (which will be still active and answering to traffic even in bridge mode) is a very good idea. Just do it. And don't you dare forget that the CPE might answer on several IPv6 addresses too, those also need to be blocked somehow.

That setup will protect the cable modem from man-in-the-browser attacks from the LAN side. Hopefully, the CPE does not have a shadow partition to allow the ISP to deploy "City-wide WiFi hotspot coverage", or the CPE vendor DID actually partition it so well it doesn't expose anything.

Note that OpenWRT is not safe out-of-the-box to man-in-the-browser either. It comes without a password with full access from the LAN wired ports. You must set a strong administration password if you don't want to get p0wn3d through a man-in-the-browser trivial no-password-or-common-password attack.

Not to mention some of the LuCI extensions to OpenWRT do not require the user to be logged in to provide service, and that can also be a concern.
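
The firewalling step described in the comment above, as an added example that is not part of the original post: a shell function that prints the `uci` commands for OpenWrt firewall rules rejecting LAN-to-WAN traffic aimed at the bridged CPE's management addresses, one rule per IPv4 or IPv6 address. The function names, the rule names, the default `lan`/`wan` zone names and the sample addresses are assumptions; substitute the addresses your own CPE answers on.

```shell
#!/bin/sh
# Added example (not from the original comment). Prints uci commands only;
# nothing is applied until the output is reviewed and piped to `sh` on the router.
# Constructed sample call: cpe_block_rules 192.168.100.1 2001:db8::1

# Rough classification of an address literal; anything else is refused,
# including scoped link-local forms such as fe80::1%eth0.
addr_family() {
    case "$1" in
        *[!0-9a-fA-F:.]*|"") return 1 ;;   # stray characters: not an IP literal
        *:*) echo ipv6 ;;
        *.*.*.*) echo ipv4 ;;
        *) return 1 ;;
    esac
}

# Usage: cpe_block_rules ADDR...
# Assumes the OpenWrt default zone names 'lan' and 'wan', with the CPE
# reachable through the wan zone.
cpe_block_rules() {
    n=0
    for addr in "$@"; do
        fam=$(addr_family "$addr") || { echo "bad address: $addr" >&2; return 1; }
        n=$((n + 1))
        cat <<EOF
uci add firewall rule >/dev/null
uci set firewall.@rule[-1].name='Block-CPE-admin-$n'
uci set firewall.@rule[-1].family='$fam'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].dest_ip='$addr'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='REJECT'
EOF
    done
    echo "uci commit firewall"
    echo "/etc/init.d/firewall reload"
}

# When run as a script with arguments, print the rules for those addresses.
if [ "$#" -gt 0 ]; then cpe_block_rules "$@"; fi
```

These rules cover traffic forwarded from LAN clients, which is the path a man-in-the-browser attack takes; they do not restrict traffic originated by the router itself.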




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds