Over 135 Million Routers Vulnerable To Denial-of-service Flaw (zdnet.com) 115

schwit1 quotes a report from ZDNet: [More than 135 million modems are said to be vulnerable to a flaw that can leave users cut-off from the internet -- just by someone clicking on a trick link.] The problem lies with how a widely-used router, the Arris SurfBoard SB6141, handles authentication and cross-site requests. Arris (formerly Motorola) said that it has sold more than 135 million of the SurfBoard SB6141 routers. That means the millions of Comcast, Time Warner Cable, or Charter customers who are shipped one of these routers when they subscribe are vulnerable. The flaw is so easy to exploit that anyone on an affected network can be tricked into clicking on a specially crafted web page or email. Security researcher David Longenecker, who found the flaws and posted the write-up on the Full Disclosure list earlier this week, released the "exploit" link after Arris stopped responding to emails he sent as part of the responsible disclosure process. There's no practical fix for the flaw, according to Longenecker. "The simplest solution would be a firmware update such that the web [user interface] requires a username and password before allowing disruptive actions such as rebooting or resetting the modem, and that validates that a request originated from the application and not from an external source," he said. But even if Arris released a fix, he said that the cable modems are not upgradable by their owners, meaning the internet provider would have to roll out the fix.
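
The fix Longenecker describes above (credentials before disruptive actions, plus a check that the request originated from the application itself), shown beside the unauthenticated behaviour. This is an added example, not Arris firmware or code from the article; the `/reboot` path, the `sid` cookie, the `csrf` form field and the in-process `call` helper are assumptions made for the illustration.

```python
import hashlib
import hmac
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed values for this example; none come from the modem's firmware.
DEVICE_ORIGIN = "http://192.168.100.1"
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = set()   # session ids issued after a successful login
REBOOTS = []       # stands in for the real reboot side effect


def new_session():
    """Issue a session id; username/password verification is not shown."""
    sid = secrets.token_hex(16)
    SESSIONS.add(sid)
    return sid


def csrf_token(sid):
    """Token bound to one session, embedded in the form the UI itself serves."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def respond(start_response, status, text):
    start_response(status, [("Content-Type", "text/plain")])
    return [text.encode()]


def vulnerable_app(environ, start_response):
    """Behaviour the page describes: no login, and a plain GET reboots."""
    if environ["PATH_INFO"] == "/reboot":
        REBOOTS.append("vulnerable")
        return respond(start_response, "200 OK", "rebooting")
    return respond(start_response, "404 Not Found", "not found")


def hardened_app(environ, start_response):
    if environ["PATH_INFO"] != "/reboot":
        return respond(start_response, "404 Not Found", "not found")
    # 1. Never change state on GET, so <img>/<script>/<link> loads do nothing.
    if environ["REQUEST_METHOD"] != "POST":
        return respond(start_response, "405 Method Not Allowed", "use POST")
    # 2. Require an authenticated session before any disruptive action.
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    sid = cookie["sid"].value if "sid" in cookie else ""
    if sid not in SESSIONS:
        return respond(start_response, "401 Unauthorized", "login required")
    # 3. The request must come from the device's own pages.
    src = urlsplit(environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER", ""))
    if f"{src.scheme}://{src.netloc}" != DEVICE_ORIGIN:
        return respond(start_response, "403 Forbidden", "cross-site request")
    # 4. Per-session anti-CSRF token, compared in constant time.
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode("utf-8", "replace"))
    sent = form.get("csrf", [""])[0]
    if not hmac.compare_digest(sent.encode(), csrf_token(sid).encode()):
        return respond(start_response, "403 Forbidden", "bad token")
    REBOOTS.append("hardened")
    return respond(start_response, "200 OK", "rebooting")


def call(app, method, path, headers=None, body=b""):
    """Drive a WSGI app in-process (no sockets) and return its status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    environ.update(headers or {})
    seen = []
    app(environ, lambda status, response_headers: seen.append(status))
    return seen[0]
```
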
  • Modem ≠ Router (Score:5, Informative)

    by nuckfuts ( 690967 ) on Saturday April 09, 2016 @02:06AM (#51873371)
    It's a cable modem.
    • by Anonymous Coward

      Apparently ZDNet doesn't know the difference between a router and a cable modem.

    • Hell, consumer routers barely qualify as routers. Even top of the line Netgear and Linksys ones don't support any routing protocols (RIP/OSPF/BGP).
      • by KGIII ( 973947 )

        Hmm... Does a cable modem actually modulate and demodulate the signal or does it just route the signal at the end?

        • by msauve ( 701917 )
          CMs don't route anything. They're more like Ethernet to DOCSIS bridges. They use IP for configuration/management, but you could theoretically use non-IP protocols through them (Good luck finding a service provider who would do anything with an IPX or AppleTalk packet)
  • by Anonymous Coward

    Jesus fucking christ are coders STILL writing shit like this, in 2016? Why is it not drilled into the skulls of ANYONE who ever goes near a code editor that:

    You DO NOT construct SQL strings by concatenating shit together
    You DO NOT allow GET requests to perform any non-idempotent or destructive action
    You DO NOT fire back user entered text without sanitising the shit out of it, ESPECIALLY to remove tags

    Just follow these three rules and 99% of the web app disasters out there will be avoided.

    • This doesn't rely on 'special' input to any field or form. This depends entirely on the fact that the convenient web interface to SB6141 has no login and includes a one-step reset button with zero confirmation. If you can check the status of your modem, an attacker can get you to reset your modem by including the reset URL as an automatically-loaded img, script, or style link. There are probably other such easy-configuration modems out there, but SB6141 is extremely popular.

      You want to get mad at coders,

      • It astounds me that I, a minimally-skilled guy coding away in a home office, apparently have better security practices than huge, multi-billion dollar companies like Motorola, Twitter, Facebook, IBM, Sony, Home Depot, Target, JPMorgan, Instagram, Premera Blue Cross, etc etc etc.

        I see this ALL THE FUCKING TIME, and it never ceases to amaze me. I'm basically Joe Shmoe, and yet my lame-ass code routinely screens out these kinds of abuses and exploits. Am I that smart, or are they that dumb??

        I would never dream

        • by KGIII ( 973947 )

          Now, we both know I like ya well enough and I think you're a great guy and all but are you really sure of that? (I'd ask myself the same thing, by the way.)

          This is not meant as a slight nor is it intended to be in any way derogatory. Do you really *know* that you're better than that or is it that their code is distributed to a much wider scope of people?

          I mean, I think one of my first interactions with you was my telling you about my Perl "safelist" script that I'd authored for a friend - and that I still b

          • Now, we both know I like ya well enough and I think you're a great guy and all but are you really sure of that? . . . Do you really *know* that you're better than that or is it that their code is distributed to a much wider scope of people?

            I've no doubt that these companies face way more hackers and attempts than I do, and probably by people way more skilled than those who attack my sites. I'm sure that more capable hackers are trying to get into the DOD than to any of my sites (but who knows?). But with that said, I still see unbelievably dumb stuff done by large companies that should know better, coding up egregiously bad holes that I know I'd never leave open.

            On my side, I do what I can to prevent naughty mischief from occurring.

            One of my

            • by KGIII ( 973947 )

              I've been going over other people's code and giving it a once-over before I even install it. Man, that's time consuming. *sighs* Then I hack the hell out of it and remove things I don't need. Yup. I'll comment out whole chunks of code, thanks. I've come across about a dozen plug-ins that looked good - until I read the code. They got put into the "do it yourself" pile. *sighs*

              Oh, and I check logs. I'm over on an acquaintance's server in France with a reseller account so I've got pretty decent access, includi

              • I rarely check logs...too time-consuming and I know what I'm gonna see: 5 billion attempts at common exploits from China, Romania, Russia, Cote d'Ivoire, Texas, etc etc etc.

                I just don't have time to paw through all that stuff. I used to, but I just don't bother with it any more.

                Oh well, off to the buffet at Sno Falls, the wife is buying, woo hoo!

                Note to burglars: Not really, I'll be sitting at home in the dark, cleaning my guns and petting the dobermans.

                • by KGIII ( 973947 )

                  LOL Good doggies, good pups... Just a couple of them should be enough to keep the average burglars away. And nah, I don't get much in the way of traffic yet - I haven't even "opened" really. So, not much traffic yet. I see 'em trying and it has been good so far. I am tempted to block whole countries though. Enjoy your food.

        • They keep outsourcing it to morons in other countries. I happen to have one of these modems at home. slow clap for Motorola, shitty modem and phones good job at making the world a more scarier place.
  • by Sycraft-fu ( 314770 ) on Saturday April 09, 2016 @02:18AM (#51873387)

    First off this thing is a modem, not a router. It just handles converting DOCSIS to ethernet, no built in routing capabilities or anything. They do make devices that are all-in-ones, but this one isn't.

    Second, that "135 million" number is a marketing number. It is how many SurfBoard modems, and combo units total Arris claims they've sold, including when it was a Motorola brand. My SB6190, which has been on sale for all of like 5 months, has that same number stamped on it.

    Third, many people are automatically protected by their routers since many routers ship with "disable private networks on WAN interface" turned on by default. That is, of course, a practical solution to the problem on any network. You can filter private networks (or just 192.168.100.1) on your WAN port, to which your modem is attached and then there's no issue.

    Finally, while you could be mildly annoying with it, causing the modem to reboot, that's all you could do. It also wouldn't stick in a loop or anything like that as it requires you to click the link to make this happen.

    So not a brilliant situation, but not really a big problem either. Also despite the scare words of "ISPs would have to roll out the fix" that is precisely what can, and likely will, happen. Your cable modem is under the control of your ISP and they can push new firmware to it when they need to. So fixes don't have to go out to lots of individuals, they just have to get them to the ISPs and then it can be automatically sent to all users. Updating modem firmware is something they do anyhow.

    This is a rather click-baity Slashdot piece :P

    • Disabling access to the modem from outside won't protect you from this exploit. If you stumble upon a website or email that contains any resources (including images) that reference a specific path on your modem, the modem reboots (as far as I understand the exploit).
      • No, it will (Score:3, Interesting)

        by Sycraft-fu ( 314770 )

        The way it works is by getting your browser to go to the reboot page. However, if your browser can't, then it won't work. Since blocking the IP on your router will do that, you'll be safe. There is no public access to this interface, you have to get a computer on the local network to access it.

        • Re: (Score:3, Insightful)

          by BronsCon ( 927697 )
          Your browser is, ostensibly, running on a computer local to your network; you might want to think through this once more.
          • by Anonymous Coward

            Since he said he'd block said traffic via his router, it shouldn't be able to reach the cable modem web interface. You might want to think through that once.

            • If we're talking about a consumer router (and we are), be aware that the "do not route private IP space" or similar option on most consumer routers only blocks unestablished inbound connections from the WAN port to "non-routable" addresses. If the connection is established (e.g. the user attempts to connect to 192.168.100.1), it will work.

              It's worked that way with every consumer router I've ever owned that had such an option for the past 15 years, everything ranging from Belkin to Netgear to Asus to D-Link, w
          • by TCM ( 130219 )

            If the modem is using an RFC1918 address and is sitting on the WAN side of the router and the router is blocking RFC1918 on its WAN interface, what do you think will happen?

            Maybe you should think more or stop posting about topics you don't understand.

            • what makes you think this request will be coming from the WAN side, and going to the WAN interface???
              it's your browser on your LAN that will call the LAN ip address of the modem. So what the hell is the router going to do about it????

              • Go look at your setup: It goes computer -> router -> modem -> ISP. Your computer(s) are on the LAN side wired or wireless. Your modem is on the WAN side. That's the only way your router can route assuming a standard consumer grade router.

                So any traffic to anything on the WAN side, which includes your modem, passes through the router. The router can then, of course, block any of that it likes. Many routers by default block private IP spaces as specified by RFC 1918 on the WAN port since under normal

                • I am seriously not sure why this is something that is seemingly so hard to understand on a geek oriented website.

                  Because there appears to be a misunderstanding of what "blocking private IP spaces" means.

                  No router is blocking 192.168.100.1 by default. This is the standard IP address for the web user interface for cable modems and needs to be accessible from the LAN for modem monitoring and control purposes. On most routers I've never even seen an option to block this address to begin with.

                  • Sonofabitch. I wish I'd known that (address) ten years ago. I spent so many years either directly connected on a managed network or, [shudder] on dialup w/o a modem, I'd never even thought to look to see what IP the WAN port was using. Learn something new every day. Thank you, sir.

                    • by KGIII ( 973947 )

                      ...

                      *sighs*

                      It's the first (or second) hop when you traceroute. Normally.

                      Windows, I take it?

                      Press Winkey + R
                      Type CMD
                      Press ENTER
                      Type tracert google.com

                      It's the first or second one normally. If you have one router/modem then it's the first one.

                      kgiii@kgiii-desktop-4:~$traceroute google.com
                      traceroute to google.com (216.58.219.238), 30 hops max, 60 byte packets
                      1 192.168.1.254 (192.168.1.254) 0.472 ms 0.769 ms 1.031 ms

                      So, in my case, it is 192.168.1.254 but some router manufacturers seem to like to ma

                    • No, the IP of the internal interface of the cable modem will not show up in a tracert that originates internally. The IP of the external interface will.

                    • by KGIII ( 973947 )

                      Then they should be the second hop, yes? Unless, as I mentioned, they're one of the ones that puts their configuration page on a separate IP address (I think I called it port by mistake - I was in a rush but it should be reasonably clear). Most of them (and I've used a number) will be the first or, if you have a router in front of it, will give the second when you look? I'm pretty sure that I've seen this countless times. I could have bumped my head but I'm kind of checking the same thing right now and it's

                  • by afidel ( 530433 )

                    You think it's going to be tough to block 192.168.100.1/32 on any reasonable firewall setup?!? You must have zero clue how security works. On my Netgear I could block it in block sites, block services (by blocking access to 80 and 443 on that IP), or by doing a blackhole route for the IP.

                  • Blocking private IP space in this context means that the router has a rule along these lines

                    if (DST Subnet: 10.0.0.0/8 || 172.16.0.0/12 || 192.168.0.0/16 ) && (DST iface = WAN) drop

                    So, in other words, if the destination interface is the WAN port, and the destination subnet is RFC1918 space, drop the packet. Unless the 192.168.100.0/24 subnet exists on the LAN side, and is therefore in the routing table as something more specific than 0.0.0.0, the packets are going to be routed to the default gateway

                  • by qubezz ( 520511 )

                    My SB6140 modem's web interface has two HTML form buttons: either a "reset" which wipes the DOCSIS training info (which can take 5-30 minutes to relearn to re-establish a good connection), or a "reboot". Hitting the first and then the second is maximum denial-of-service. Cable modems have no user password and no way to set a password (while happily providing root to your ISP), likely all have similar unpassworded reboot buttons.

                    The cable modem web server does not need to be accessible, there is nothing

            • by msauve ( 701917 )
              "If the modem is using an RFC1918 address and is sitting on the WAN side of the router and the router is blocking RFC1918 on its WAN interface, what do you think will happen?"

              Depends. It may mean you won't be able to get to the very useful diagnostic screens on the modem.

              Or, it may not do what you imply at all. The modem may use a simple stateful firewall and only be blocking unassociated inbound packets with an RFC 1918 source IP. Outbound connections to a private IP may still be allowed, along with th
            • I think you'll still be able to access it, as evident by the fact that I have the affected modem and can access it in that configuration.
    • What about customer-owned equipment? Will they push out firmware updates to those, or is that the responsibility of the owner?
      • Who owns the equipment is just a matter of who replaces it if it breaks and maybe if you pay rental fees. From the operational point of view, it is all under the control of the cable company. When you hook up a modem you have to register it with your cable provider or it won't work. Due to the nature of DOCSIS, it isn't a "plug and go" situation they have to have it provisioned on their system. It has to be an approved model too, because they need to be able to send it a boot file which tells it various con

        • 'Yes, the cableco will push firmware' would have been sufficient.
          • 'Yes, the cableco will push firmware' would have been sufficient.

            Most of the people, here, like that kind of information. If you don't, then don't read it...

    • "Your cable modem is under the control of your ISP and they can push new firmware to it when they need to."

      So what you're saying is that we're fucked, right?

  • by pepsikid ( 2226416 ) on Saturday April 09, 2016 @02:31AM (#51873403)

    http://192.168.100.1/Reboot.ht... [192.168.100.1]

    I have it bookmarked so I can freshen up the channels before I do a speedtest.
    Pepper your blogs with this. People clicking it will lose their Internets for 45 seconds.

    • +++ATH0

  • Had assumed since ancient 5121 some 10 years ago this was possible. Even firewalled the modem from LAN as TFA suggests to prevent any kind of scripted data collection or reboot shenanigans.

    There is no login on the surfboard interface, no accounts, no credentials. There are big juicy buttons to reboot and set factory defaults. Comcast's own portal had the browser follow reboot link thru web interface and anyone who wanted could do the same. I could be wrong and it could have been backend SNMP.. Never ac

    • by afidel ( 530433 )

      Reminds me of an ancient rumor for disconnecting modems by sending modem escape sequence in ICMP ping request and waiting for your victim to disconnect themselves by echoing it back.

      Uh, that wouldn't work, the PPP interface and the COM\TTY interface are completely separate entities.

      • by psergiu ( 67614 )

        Actually, it worked.

        You just need to send a ping packet with "[CR][LF]+++ATH0[CR][LF]" as the payload and the poor modem users get disconnected unless they used "ATS2=127" in their init string and/or have disabled ICMP replies.

        • by Cramer ( 69040 )

          Or their modem wasn't a PoS that had no guard time between the +'s to stop this very thing.

  • Bigger news (Score:2, Offtopic)

    by rsilvergun ( 571051 )
    when the *bleep* did Motorola change their name and/or get bought out? And what the heck kinda name is Arris anyway? If Motorola was good enough for the Megadrive and Amiga's 68k it was good enough for me.
    • I think they just sold off their cablemodem division. They continued under another brand name.

  • As I understand it's a modem, not router. So you need either a router or a PPPoE in your computer. My policy is that

    1) the boundary between the Internet and my internal network lies between the equipment I control and equipment I don't control. In other words, either I choose the equipment, flash there anything I want and set any password I want - or this equipment is yours, you must do everything to return it in working order. And if you don't - I either go to some other provider or write a complaint to Ros

  • by Anonymous Coward

    "Restricting access to the Surfboard's web interface by using proxy filtering rules, router access control lists or firewall rules will mitigate this vulnerability. To effectively block access, the rules must prevent users on the LAN side of the cable modem from connecting to the web interface's IP address (usually 192.168.100.1)."

    http://www.kb.cert.org/vuls/id/643049
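
The two readings of "blocking private IP space" argued over earlier in the thread, and the narrower rule the CERT note quoted in this comment calls for, modelled as an added example (not taken from the advisory or from any router's firmware). The LAN host 192.168.1.50, the interface names, the sample packets and the three rule functions are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MODEM_UI = ip_address("192.168.100.1")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str          # interface the router received it on: "lan" or "wan"
    out_iface: str         # interface the routing table would send it out of
    new_conn: bool = True  # first packet of a connection (no state entry yet)


def is_private(addr):
    return any(ip_address(addr) in net for net in RFC1918)


def drop_inbound_private_src(p):
    """Reading 1: drop unsolicited packets arriving on WAN from private sources."""
    return p.in_iface == "wan" and p.new_conn and is_private(p.src)


def drop_private_dst_via_wan(p):
    """Reading 2: the rule quoted in the thread (DST in RFC 1918, DST iface WAN)."""
    return p.out_iface == "wan" and is_private(p.dst)


def drop_lan_to_modem_ui(p):
    """Narrow rule matching the CERT note: LAN hosts may not reach the modem UI."""
    return p.in_iface == "lan" and ip_address(p.dst) == MODEM_UI


def verdict(rule, p):
    return "DROP" if rule(p) else "ACCEPT"


# Constructed traffic. 192.168.1.50 is an assumed LAN host, 203.0.113.10 a
# documentation-range internet server.
SAMPLES = {
    "browser -> modem UI": Packet("192.168.1.50", "192.168.100.1", "lan", "wan"),
    "browser -> internet": Packet("192.168.1.50", "203.0.113.10", "lan", "wan"),
    "spoofed inbound":     Packet("10.9.9.9", "192.168.1.50", "wan", "lan"),
}
RULES = (drop_inbound_private_src, drop_private_dst_via_wan, drop_lan_to_modem_ui)


def evaluate():
    """Return {rule name: {sample name: verdict}} for every combination."""
    return {r.__name__: {name: verdict(r, p) for name, p in SAMPLES.items()}
            for r in RULES}


if __name__ == "__main__":
    for rule, row in evaluate().items():
        print(f"{rule:28}", row)
```

Only the second and third rules stop the browser-initiated request to the modem; both also cut the LAN off from the modem's status pages, which is the trade-off raised earlier in the thread.
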

  • I've never heard of this model/brand being used in consumer hardware available in Europe. Are these units mostly sold in the US?
    • Dunno if they are used much though. They support EuroDOCSIS so you can in theory use them everywhere (DOCSIS is for NTSC systems, EuroDOCSIS for PAL). It is also possible that the same firmware is on units with a different model number or brand in other countries, sometimes a product will be rebadged in different markets.

      It is kinda hard to say. A simple test is to go to 192.168.100.1. If that doesn't come up, then you have nothing to worry about since that's the IP the Arris modems use. If it does come up,

    • It's never "available". It is supplied with the cable internet contract and is usable only where the distribution network for cable TV exists. In Russia there were lots of small cable TV providers so they had an infrastructure to use it as well as inability to use the telecom cabling since the telecom is a monopoly. In Europe it's quite possible that the cable TV and telecoms are the same structures and so it's preferable to use ADSL.

    • by Mashiki ( 184564 )

      Are these units mostly sold in the US?

      US, Canada, Europe. I can't speak for US or Euro ISP's but Rogers [teksavvy.com], Cogeco, and a couple of small ISP's(because of certification for Third Party Internet Access-TPIA aka companies that buy last mile support) require this modem(or one of several others usually) for new customers. Last year for example on Rogers the SB6141 wasn't approved, this year it's approved. Though my SB6121 made ~4 years ago was approved, then unapproved 6mo later by Rogers.

  • Target and Best Buy, at least (CompUSA, IIRC), sold them retail. I got mine at Target. There's no need for an ISP "fix", if Arris just doesn't use that as an excuse not to provide an update.

    • Yes, there is. DOCSIS doesn't permit user updates of the modem's firmware, because that would allow users to bypass limitations set by the cable provider based on what service they've purchased. Only the cable head-end can download firmware to the modem, so the ISPs have to add the fix to their firmware images and deploy them to the modems. Yeah, I know, but the network design treats the modem as a part of the cable network and not as an end-user device like a router would be. Just remind yourself that the

      • by dltaylor ( 7510 )

        Sorry, but "no". I have already updated it once, back when an earlier vulnerability was found. As long as it's a manufacturer-supplied update, TWC doesn't care.

        • That's strange, because the manufacturer says there are no firmware updates available for the SB6141 (or any of their other cable modems). It's possible to update the firmware of the router portion of their combined products, but that update doesn't touch the cable modem portion. Plus seeing as how the very first thing the cable modem will do after it establishes a connection to the head-end is check its firmware image against the head-end and download and overwrite if they don't match...

          • by Cramer ( 69040 )

            1.0.6.16 apparently has a "fix" -- they removed the buttons. If all they did was remove the clickable buttons but left the actual "reset.htm" pages in there, then it isn't fixed. As there are legitimate reasons to use those buttons (and no physical reset button), removing them is a Bad Idea(tm).

        • by Cramer ( 69040 )

          DOCSIS 1.0 security specifications REQUIRE firmware downloads through the HFC interface ONLY. Users CANNOT update DOCSIS compliant modems. In fact, END USERS have no access to vendor images in the first place. (If you happen to have your own CMTS, and thus "cable network", then yes, you can load practically anything you want -- i.e. anything the existing firmware will accept.)

          Yes, you can hack your modem... open it, attach a JTAG header, and screw with the system. That is not what we're talking about.

  • [More than 135 million modems are said to be vulnerable to a flaw that can leave users cut-off from the internet -- just by someone clicking on a trick link.]

    [ ( { What is this bizarre thing Slashdot has lately for chucking in brackets } for no good ) reason? ]

    • by Anonymous Coward

      It's a thing that educated people do to mark where a quote has been modified, for example to provide necessary context information or to adapt the grammar to a surrounding sentence, always making sure that the meaning of the quote is not distorted, of course. In this case, note that the part with the brackets is quoted, as indicated by the introduction "schwit1 quotes a report from ZDNet" and the indentation. The first sentence however isn't in the quoted article. It was added to provide context information

  • What about really ancient older models like my parents have from Time Warner Cable, a model SB5101 circa 2001 ? TWC is absolutely awful, not only won't they upgrade the modem, they are the only game in town, and they can't seem to configure a DNS to save their own lives. Their DNS servers are on the same subnet on sequential IP's, so that in the event of any disruption, both DNS servers fail together. Sadly the number of interruptions is staggeringly high, and only my addition of an OpenDNS server makes thei

    • Dude, are they paying a rental fee for that modem? If so go to eBay and get another used one for ten bucks like I did, and ask TWC where to return theirs. They have no problem with that, because your folks are the last people to still be renting.

      I hope they're not still renting a land line phone too.
