A team of Danish researchers has disclosed details of a serious security vulnerability that may expose hundreds of millions of cable modems from various manufacturers to complete takeover. The flaw, codenamed Cable Haunt, affects a middleware component shipped with some Broadcom chips. The researchers estimate that the vulnerability affects more than 200 million cable modems in Europe alone, but they say the figure could be higher, as the total number of exploitable modems is hard to determine.
The vulnerability, tracked as CVE-2019-19494 (SB2020011404, SB2020011406, SB2020011407, SB2020011408), lies in a standard component of Broadcom chips called the spectrum analyzer, a hardware and software component that protects the modem from signal surges and other disturbances arriving over the coax cable. It uses a WebSocket to communicate with the device's graphical interface in the browser.
The team found that the Broadcom chip's spectrum analyzer lacks protection against DNS rebinding attacks, uses default credentials, and contains a programming error in its firmware.
Although on most cable modems the spectrum analyzer accepts connections only from the internal network, the flaw can be exploited from the internet by tricking target users into visiting a malicious site.
Once they have gained remote access to a modem, attackers can exploit a buffer overflow vulnerability in the spectrum analyzer to execute arbitrary code on the device and carry out a range of actions, for example: change the default DNS server; launch remote man-in-the-middle attacks; modify the device's firmware; disable ISP firmware upgrades; change various settings, serial numbers and associated MAC addresses; and recruit the compromised cable modems into a botnet.
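As an added illustration (not code from the researchers or from any modem firmware), the following shows the Host and Origin validation that a WebSocket endpoint such as the spectrum analyzer's would need to resist the DNS rebinding step described above: after rebinding, the browser's TCP connection genuinely comes from the LAN, and only the Host and Origin headers reveal that the page driving it belongs to an outside domain. The allowed device addresses, the sample handshake and the function names are constructed for this example.

```python
# Constructed allow-list: the addresses on which a modem's own web UI is served.
ALLOWED_HOSTS = frozenset({"192.168.100.1", "192.168.0.1", "localhost"})


def parse_handshake(raw: bytes) -> dict:
    """Split an HTTP/1.1 upgrade request into method, target and lower-cased headers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "headers": headers}


def _hostname(value: str) -> str:
    """Hostname of a Host header ('host:port') or an Origin ('scheme://host:port')."""
    if "://" in value:
        value = value.split("://", 1)[1]
    if "@" in value or "/" in value:
        return ""  # userinfo or a path is never legitimate in either header
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        return value[1:value.find("]")].lower() if "]" in value else ""
    return value.rsplit(":", 1)[0].lower() if ":" in value else value.lower()


def accept_upgrade(raw: bytes, allowed=ALLOWED_HOSTS) -> tuple:
    """Return (accepted, reason) for a WebSocket handshake, refusing rebound requests."""
    req = parse_handshake(raw)
    h = req["headers"]
    if req["method"] != "GET" or h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    # After DNS rebinding the peer is a LAN browser, but Host still carries the
    # attacker's domain because that is the name the page connected to.
    if _hostname(h.get("host", "")) not in allowed:
        return False, "host header is not an address of this device"
    # Browsers send Origin on every WebSocket handshake; it names the page's site.
    if "origin" in h and _hostname(h["origin"]) not in allowed:
        return False, "origin not allowed"
    return True, "accepted"


# Constructed handshake as the device's own UI page would send it.
SAMPLE = (b"GET /ws HTTP/1.1\r\nHost: 192.168.100.1:8080\r\nUpgrade: websocket\r\n"
          b"Connection: Upgrade\r\nOrigin: http://192.168.100.1:8080\r\n\r\n")
```

A request whose Host or Origin names any other domain is refused before the WebSocket is established, so the rebound page never reaches the analyzer's command interface.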
The researchers say the list of models known to be vulnerable includes the Arris Surfboard SB8200, COMPAL 7284E, COMPAL 7486E, Netgear C6250EMR, Netgear CG3700EMR, Netgear CM1000, Netgear CM1000-1AZNAS, Sagemcom Fast 3686, Sagemcom Fast 3890, Technicolor TC4400 and Technicolor TC7230, although some firmware versions of those models may not be at risk.
The research team has set up a dedicated website with more detailed technical information about Cable Haunt attacks and has released a proof-of-concept (PoC) exploit that lets users determine whether a cable modem is vulnerable to this new threat.