
CSRF Bug in Over 135 Million ARRIS Modems Lets Anyone Factory Reset the Devices


Karamjit


Users still exposed, no firmware update available

Pranksters around the world will be happy to find out that there's an easy-to-exploit security bug in the ARRIS (formerly Motorola) SURFboard SB6141 modem that attackers can use to reset and/or factory reset the devices.

The issue solely affects the SURFboard SB6141 model, but the flaw's severity is exacerbated by the sheer numbers of these models currently deployed, which ARRIS estimates to be over 135 million.

As security researcher David Longenecker explains, these cable modems have an unprotected Web-based administration panel that everyone on the local network can access by going to 192.168.100.1.

Attackers can reset modems without needing user interaction

The lack of a password when accessing the modem's most sensitive part means that an attacker can use the admin panel's IP inside scripts to automate attacks.

But what to attack? While tinkering with modem settings might be a good point to start, that's generally useless since no real damage can be done. Except in two cases.

The modem's admin panel includes two controls. One is the "Reset Cable Modem" and the other is the "Reset All Defaults."

ARRIS SURFBoard SB6141 administration panel

The first causes the modem to restart. This is not a big issue since it only takes three minutes, but can be annoying since it may break live streams or active downloads.

Exploiting the second button is a little bit more dangerous, since besides wiping out the modem's settings, it will also renegotiate its status on the ISP's network.

This action can take up to 30 minutes, but Longenecker says that for some ISPs this might also involve calling the provider (like for Time Warner Cable).

Bug can be used in automated attacks

The researcher says that an attacker could craft a malicious link which, when accessed by a user, will automatically trigger the buttons, via a simple CSRF attack.

Placing links like the ones below as the source parameter of an image (src="malicious_link") is all that's needed.

192.168.100.1/reset.htm
http://192.168.100.1/cmConfigData.htm?BUTTON_INPUT1=Reset+All+Defaults

Because browsers don't care what's inside the image HTML tag's source parameter, they will issue a request to those links automatically.

By placing an image tag that has a malicious link as the image source on any Web page, users that view the page will inadvertently reset their ARRIS SURFboard SB6141 modems, sometimes ending up crashing their local Internet connection without knowing why. There's no user interaction needed.

No firmware update available, users at the mercy of ISPs regardless

The researcher discovered the bug at the start of January, and after informing ARRIS, the company failed to issue a new firmware update at the time of writing.

Since the attack is automated and hard to detect, in this case, users have no method of protecting against it. Even if ARRIS would issue a new firmware update, users can't apply it manually, and they'll still be at the mercy of their ISPs.

From: http://news.softpedia.com/news/csrf-bug-in-over-135-million-arris-modems-lets-anyone-factory-reset-the-devices-502672.shtml
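
As an added illustration (not part of the original post or the Softpedia article), this sketch shows how a content filter or page-audit script could flag the pattern described above: tags that make the browser fetch a URL on a literal private IP address. The function and class names and the sample page are constructed for this example, and it goes slightly beyond the article by covering other auto-fetching tags besides `img`.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit

# (tag, attribute) pairs a browser fetches with no user interaction.
AUTO_FETCH = {("img", "src"), ("script", "src"), ("iframe", "src"),
              ("embed", "src"), ("link", "href"), ("object", "data")}


def private_target(url):
    """Return the host if url is absolute (or //host/...) and names a
    literal private, loopback or link-local IP address, else None."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https", ""):
        return None
    try:
        ip = ip_address(parts.hostname or "")
    except ValueError:
        return None  # relative URL or DNS name; resolution is out of scope
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return parts.hostname
    return None


class LanFetchFinder(HTMLParser):
    """Collects (tag, url) for auto-fetched resources on LAN addresses."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in AUTO_FETCH and private_target(value):
                self.findings.append((tag, value))


def scan(html):
    finder = LanFetchFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; the flagged URL is the one quoted in the article.
SAMPLE = """<html><body>
<img src="https://cdn.example.com/logo.png">
<img src="http://192.168.100.1/cmConfigData.htm?BUTTON_INPUT1=Reset+All+Defaults">
<a href="http://192.168.100.1/">modem status</a>
</body></html>"""
```

Only the second `img` is reported: the plain link needs a click, so it is not an automatic request, and a scheme-less value such as `192.168.100.1/reset.htm` is treated as a relative URL, as a browser would.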


They should have done more research because every model of the ARRIS SURFboard I have tested has this vulnerability. I even drove around to some coffee shops, fast food restaurants, and delis and found that their modems are susceptible to this also. This really isn't an issue for home users who lock down their wireless networks and don't allow guest access or use easy passwords. But a few kids with their phones or small tablets could wreak havoc on free wifi, and, unfortunately, on businesses who also use the same router to process credit card transactions. (Yeah, they do that on the same network because they are too cheap to set up a separate network for internal use, which is the safe and preferred setup.)

 



2 hours ago, vibranium said:

The company will patch it for sure. It is downright embarrassing.

 

 

The company may write a patch (firmware upgrade) but how are they going to install it on every single device that is affected? Most people don't patch their software, update drivers or anything else, so thinking they would run a firmware upgrade on a cable modem is something right out of fantasy land. It would have to be something the cable companies could do remotely across their network and I don't see that happening.



3 hours ago, straycat19 said:

 

The company may write a patch (firmware upgrade) but how are they going to install it on every single device that is affected.

 

That's all the company needs to do to get out of a PR and legal nightmare...

 

The ISPs may follow suit.
