14 January 2020

Cable Haunt flaw puts 200M+ Broadcom-based cable modems at risk of remote hijacking


A team of Danish researchers has disclosed details of a serious security vulnerability that may expose hundreds of millions of cable modems from various manufacturers to complete takeover. The flaw, codenamed Cable Haunt, affects a middleware component shipped with some Broadcom chips. The researchers estimate that the vulnerability affects more than 200M cable modems in Europe alone, but they say this figure could be higher, as it is hard to determine the total number of exploitable modems.

The vulnerability, tracked as CVE-2019-19494 (SB2020011404, SB2020011406, SB2020011407, SB2020011408), is related to a standard component of Broadcom chips called a spectrum analyzer, a hardware and software component that protects the modem from signal surges and other disturbances coming in over the coax cable. It uses a websocket to communicate with the device’s graphical interface in the browser.

The team found that the Broadcom chip spectrum analyzer lacks protection against DNS rebinding attacks, uses default credentials, and contains a programming error in its firmware.

While on most cable modems access to the spectrum analyzer is allowed only for connections from the internal network, the flaw can be exploited from the internet by tricking target users into visiting a malicious site.

“Whereas CORS would restrict access to such an endpoint for HTTP requests, websocket is not protected by this protocol. Therefore, it is up to the server to verify the relevant request parameters added by the browser. Because these parameters are never inspected by the cable modem, the websocket will accept requests made by javascript running in the browser regardless of origin, thereby allowing attackers to reach the endpoint. It should be noted that the exploit is not limited to run in a browser. Any place where running code can reach an IP on the local network can be used to exploit Cable Haunt,” the team explained.
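The check the researchers describe as missing is a server-side one: because the browser enforces nothing for websockets, the device must itself inspect the Host and Origin headers the browser attaches to the upgrade request. The following is an added example, not code from the researchers or from any modem vendor, of what that validation looks like for a websocket handshake. The host names, addresses and the `/spectrum` path are assumed placeholders, and the three handshake requests are constructed samples: one legitimate, one where a DNS-rebinding name appears in the Host header, and one cross-origin request from a malicious page.

```python
"""Websocket handshake validation against DNS rebinding and cross-origin use.

Added example (not the Cable Haunt researchers' or any vendor's code).
All host names, addresses and sample requests below are constructed.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed: the management interface is only ever reached under these names.
# A DNS-rebinding page makes the browser send the attacker's host name in
# the Host header, so rejecting unknown hosts defeats that step.
ALLOWED_HOSTS = {"192.168.100.1", "modem.local"}

# Assumed: only pages served by the management interface may open the socket.
ALLOWED_ORIGINS = {"http://192.168.100.1", "http://modem.local"}


def parse_handshake(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 upgrade request into its request line and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("ascii", errors="replace").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def normalize_origin(origin: str) -> Optional[str]:
    """Reduce an Origin value to scheme://host[:port]; None if unparseable."""
    try:
        parts = urlsplit(origin.strip().lower())
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None  # covers "null" and opaque origins
        port = f":{parts.port}" if parts.port else ""
        return f"{parts.scheme}://{parts.hostname}{port}"
    except ValueError:
        return None


def check_handshake(raw: bytes) -> Tuple[bool, str]:
    """Decide whether a websocket upgrade request should be accepted."""
    _, headers = parse_handshake(raw)
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"

    host = headers.get("host")
    if not host:
        return False, "missing Host header"
    try:
        hostname = urlsplit("//" + host).hostname  # strips any :port
    except ValueError:
        hostname = None
    if hostname not in ALLOWED_HOSTS:
        return False, f"Host {host!r} is not this device (possible DNS rebinding)"

    # Browsers always send Origin on websocket upgrades; a device management
    # endpoint can safely require it rather than treat absence as "trusted".
    origin = headers.get("origin")
    if origin is None:
        return False, "missing Origin header"
    if normalize_origin(origin) not in ALLOWED_ORIGINS:
        return False, f"Origin {origin!r} not allowed (cross-origin websocket)"
    return True, "accepted"


def _request(host: str, origin: str) -> bytes:
    """Build a constructed sample upgrade request for the checks below."""
    return (
        b"GET /spectrum HTTP/1.1\r\n"
        + f"Host: {host}\r\n".encode()
        + b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
        + f"Origin: {origin}\r\n".encode()
        + b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n"
    )


# Constructed samples: the local UI, a rebound DNS name, and a foreign page.
LEGIT = _request("192.168.100.1", "http://192.168.100.1")
REBOUND = _request("attacker.example", "http://attacker.example")
CROSS_ORIGIN = _request("192.168.100.1", "http://attacker.example")

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("rebound", REBOUND), ("cross", CROSS_ORIGIN)):
        print(label, check_handshake(req))
```

The Host check is what stops DNS rebinding (the attacker's name resolves to the device, but the browser still names the attacker's host), and the Origin check is what the quoted passage says the modem never performs; the two are independent, so a handshake has to pass both.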

Once they gain remote access to a modem, an attacker can exploit a buffer overflow vulnerability in the spectrum analyzer to execute arbitrary code on the device and perform various activities, for example: change the default DNS server; launch remote man-in-the-middle attacks; modify the device’s firmware; disable ISP firmware upgrades; change various settings, serial numbers and associated MAC addresses; and recruit target cable modems into a botnet.

The researchers say the list of models known to be vulnerable includes the Arris Surfboard SB8200, COMPAL 7284E, COMPAL 7486E, Netgear C6250EMR, Netgear CG3700EMR, Netgear CM1000, Netgear CM1000-1AZNAS, Sagemcom Fast 3686, Sagemcom Fast 3890, Technicolor TC4400 and Technicolor TC7230, although some firmware versions of those models may not be at risk.

The research team has set up a dedicated website containing more detailed technical info about Cable Haunt attacks and released a proof-of-concept (PoC) exploit that allows users to determine whether a cable modem is vulnerable to this new threat.
