#VU8054 Firewall bypass in NVG599 and NVG589

 


Published: August 31, 2017 / Updated: August 31, 2017


Vulnerability identifier: #VU8054
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
NVG599
NVG589
Software vendor:
Arris

Description

The vulnerability allows a remote attacker to bypass the firewall on the target device.

The weakness exists due to a flaw in the service on port 49152. A remote attacker with knowledge of a modem's public IP address can send a specially crafted HTTP request, bypass the modem's internal firewall, open a TCP proxy connection to the device and perform a brute-force attack that may allow exploitation of 4 other vulnerabilities.

Successful exploitation of the vulnerability may result in system compromise.


Remediation

Using Burp Suite or another application that lets you customize web requests, submit the following request to the gateway’s external IP address from outside of the LAN.

POST /caserver HTTP/1.1
Host: FIXMYMODEM
Authorization: Basic dGVjaDo=
User-Agent: Fixmymodem
Connection: Keep-Alive
Content-Length: 77

appid=001&set_data=fixit;chmod 000 /var/caserver/caserver;fixit

