Over 135 Million Routers Vulnerable To Denial-of-service Flaw (zdnet.com)
schwit1 quotes a report from ZDNet: [More than 135 million modems are said to be vulnerable to a flaw that can leave users cut-off from the internet -- just by someone clicking on a trick link.] The problem lies with how a widely-used router, the Arris SurfBoard SB6141, handles authentication and cross-site requests. Arris (formerly Motorola) said that it has sold more than 135 million of the SurfBoard SB6141 routers. That means the millions of Comcast, Time Warner Cable, or Charter customers who are shipped one of these routers when they subscribe are vulnerable. The flaw is so easy to exploit that anyone on an affected network can be tricked into clicking on a specially crafted web page or email. Security researcher David Longenecker, who found the flaws and posted the write-up on the Full Disclosure list earlier this week, released the "exploit" link after Arris stopped responding to emails he sent as part of the responsible disclosure process. There's no practical fix for the flaw, according to Longenecker. "The simplest solution would be a firmware update such that the web [user interface] requires a username and password before allowing disruptive actions such as rebooting or resetting the modem, and that validates that a request originated from the application and not from an external source," he said. But even if Arris released a fix, he said that the cable modems are not upgradable by their owners, meaning the internet provider would have to roll out the fix.
Modem ≠ Router (Score:5, Informative)
Re: (Score:3)
RTFA. The title is misleading. The vulnerability resets your MODEM and possibly causes reprovisioning due to a factory reset. Some ISPs don't do this automatically for some reason.
Re: Modem ≠ Router (Score:4, Informative)
No, it doesn't. When Motorola sold combined modem/gateway units, they were always under the SBG nomenclature, and standalone modems were always just SB. This is the SB6141, which means it's just a modem.
Re: (Score:1)
Indeed. And every SB device that's ever been made (all the way back to the SB3100) has had the same "flaw". There is no authentication at all, and if there were, 100% of them would be left at the static, insecure defaults because it's a freakin' modem with nothing to configure. (Or worse, the ISP will set the credentials to some random crap with no mechanism for the user to know them. They already do that with the integrated-router versions.)
(Yes, they *could* use the HFC MAC or SN, but we all know they won
Re: (Score:1)
Apparently ZDNet doesn't know the difference between a router and a cable modem.
Re:Modem & Router (Score:3)
Re: (Score:2)
Hmm... Does a cable modem actually modulate and demodulate the signal or does it just route the signal at the end?
Re: (Score:3)
Re: (Score:2)
Urggggggggh (Score:1)
Jesus fucking christ are coders STILL writing shit like this, in 2016? Why is it not drilled into the skulls of ANYONE who ever goes near a code editor that:
You DO NOT construct SQL strings by concatenating shit together
You DO NOT allow GET requests to perform any non-idempotent or destructive action
You DO NOT fire back user entered text without sanitising the shit out of it, ESPECIALLY to remove tags
Just follow these three rules and 99% of the web app disasters out there will be avoided.
Re: (Score:1)
This doesn't rely on 'special' input to any field or form. This depends entirely on the fact that the convenient web interface to SB6141 has no login and includes a one-step reset button with zero confirmation. If you can check the status of your modem, an attacker can get you to reset your modem by including the reset URL as an automatically-loaded img, script, or style link. There are probably other such easy-configuration modems out there, but SB6141 is extremely popular.
You want to get mad at coders,
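Added example, not code from the thread, from Arris or from the Full Disclosure write-up: a small model of the behaviour the comment above describes (any GET to the reset page reboots the modem, so an auto-loaded img/script/style tag on a third-party page is enough) next to the two controls the ZDNet summary quotes Longenecker asking for: a login before disruptive actions, and a check that the request came from the modem's own UI rather than an external page. The `/reset.htm` and `/Reboot.htm` paths, the `192.168.100.1` origin and the request shape are assumptions for illustration.

```python
"""Added example (not Arris code): an unauthenticated GET reset endpoint next to
a hardened version with login, POST-only state change, Origin check and a
per-session CSRF token. Paths and the modem origin are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

MODEM_ORIGIN = "http://192.168.100.1"  # assumed UI address, as used in the thread
RESET_PATHS = ("/reset.htm", "/Reboot.htm")  # assumed page names


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def vulnerable_handler(req: Request, modem: dict) -> int:
    """Models the behaviour described in the thread: any request to the reset
    page reboots the modem. A browser fetching <img src=".../Reboot.htm"> from
    an attacker's page sends exactly this GET, with no user action needed."""
    if req.path in RESET_PATHS:
        modem["rebooted"] = True
        return 200
    return 404


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())


class HardenedModemUI:
    """Hypothetical fixed UI: password login issues a session cookie and a CSRF
    token; reboot only via POST, only with a session, only from the modem's own
    origin, only with the token issued to that session."""

    def __init__(self, password: str):
        self._password = password
        self._sessions = {}  # session id -> csrf token

    def login(self, password: str) -> Optional[str]:
        if not _eq(password, self._password):
            return None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = secrets.token_urlsafe(16)
        return sid

    def csrf_token(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)

    def handle(self, req: Request, modem: dict) -> int:
        if req.path not in RESET_PATHS:
            return 404
        if req.method != "POST":       # <img>, <script>, <link> can only GET
            return 405
        token = self._sessions.get(req.cookies.get("sid", ""))
        if token is None:
            return 401                 # no login, no reboot
        if req.headers.get("Origin") != MODEM_ORIGIN:
            return 403                 # cross-site form post
        if not _eq(req.form.get("csrf", ""), token):
            return 403                 # token was not issued to this session
        modem["rebooted"] = True
        return 200
```

The Origin check alone already stops the img-tag trick (a cross-site subresource load never carries the modem's origin and cannot POST); the session and token are what stop a page that manages to script a cross-site POST, and the login is what the ZDNet summary quotes Longenecker asking for.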
Re: (Score:2)
It astounds me that I, a minimally-skilled guy coding away in a home office, apparently have better security practices than huge, multi-billion dollar companies like Motorola, Twitter, Facebook, IBM, Sony, Home Depot, Target, JPMorgan, Instagram, Premera Blue Cross, etc etc etc.
I see this ALL THE FUCKING TIME, and it never ceases to amaze me. I'm basically Joe Shmoe, and yet my lame-ass code routinely screens out these kinds of abuses and exploits. Am I that smart, or are they that dumb??
I would never dream
Re: (Score:2)
Now, we both know I like ya well enough and I think you're a great guy and all but are you really sure of that? (I'd ask myself the same thing, by the way.)
This is not meant as a slight nor is it intended to be in any way derogatory. Do you really *know* that you're better than that or is it that their code is distributed to a much wider scope of people?
I mean, I think one of my first interactions with you was my telling you about my Perl "safelist" script that I'd authored for a friend - and that I still b
Re: (Score:2)
Now, we both know I like ya well enough and I think you're a great guy and all but are you really sure of that? . . . Do you really *know* that you're better than that or is it that their code is distributed to a much wider scope of people?
I've no doubt that these companies face way more hackers and attempts than I do, and probably by people way more skilled than those who attack my sites. I'm sure that more capable hackers are trying to get into the DOD than to any of my sites (but who knows?). But with that said, I still see unbelievably dumb stuff done by large companies that should know better, coding up egregiously bad holes that I know I'd never leave open.
On my side, I do what I can to prevent naughty mischief from occurring.
One of my
Re: (Score:2)
I've been going over other people's code and giving it a once-over before I even install it. Man, that's time consuming. *sighs* Then I hack the hell out of it and remove things I don't need. Yup. I'll comment out whole chunks of code, thanks. I've come across about a dozen plug-ins that looked good - until I read the code. They got put into the "do it yourself" pile. *sighs*
Oh, and I check logs. I'm over on an acquaintance's server in France with a reseller account so I've got pretty decent access, includi
Re: (Score:2)
I rarely check logs...too time-consuming and I know what I'm gonna see: 5 billion attempts at common exploits from China, Romania, Russia, Cote d'Ivoire, Texas, etc etc etc.
I just don't have time to paw through all that stuff. I used to, but I just don't bother with it any more.
Oh well, off to the buffet at Sno Falls, the wife is buying, woo hoo!
Note to burglars: Not really, I'll be sitting at home in the dark, cleaning my guns and petting the dobermans.
Re: (Score:2)
LOL Good doggies, good pups... Just a couple of them should be enough to keep the average burglars away. And nah, I don't get much in the way of traffic yet - I haven't even "opened" really. So, not much traffic yet. I see 'em trying and it has been good so far. I am tempted to block who countries though. Enjoy your food.
Re: (Score:1)
This is all kinds of inaccurate (Score:5, Informative)
First off this thing is a modem, not a router. It just handles converting DOCSIS to ethernet, no built in routing capabilities or anything. They do make devices that are all-in-ones, but this one isn't.
Second, that "135 million" number is a marketing number. It is how many SurfBoard modems, and combo units total Arris claims they've sold, including when it was a Motorola brand. My SB6190, which has been on sale for all of like 5 months, has that same number stamped on it.
Third, many people are automatically protected by their routers since many routers ship with "disable private networks on WAN interface" turned on by default. That is, of course, a practical solution to the problem on any network. You can filter private networks (or just 192.168.100.1) on your WAN port, to which your modem is attached and then there's no issue.
Finally, while you could be mildly annoying with it, causing the modem to reboot, that's all you could do. It also wouldn't stick in a loop or anything like that as it requires you to click the link to make this happen.
So not a brilliant situation, but not really a big problem either. Also despite the scare words of "ISPs would have to roll out the fix" that is precisely what can, and likely will, happen. Your cable modem is under the control of your ISP and they can push new firmware to it when they need to. So fixes don't have to go out to lots of individuals, they just have to get them to the ISPs and then it can be automatically sent to all users. Updating modem firmware is something they do anyhow.
This is a rather click-baity Slashdot piece :P
Re: (Score:2)
No, it will (Score:3, Interesting)
The way it works is by getting your browser to go to the reboot page. However, if your browser can't, then it won't work. Since blocking the IP on your router will do that, you'll be safe. There is no public access to this interface, you have to get a computer on the local network to access it.
Re: (Score:3, Insightful)
Re: (Score:1)
Since he said he'd block said traffic via his router, it shouldn't be able to reach the cable modem web interface. You might want to think through that once.
Re: (Score:2)
It's worked that with every consumer router I've ever owned that had such an option for the past 15 years, everything ranging from Belkin to Netgear to Asus to D-Link, w
Re: (Score:2)
If the modem is using an RFC1918 address and is sitting on the WAN side of the router and the router is blocking RFC1918 on its WAN interface, what do you think will happen?
Maybe you should think more or stop posting about topics you don't understand.
Re: (Score:2)
what makes you think this request will be coming from the WAN side, and going to the WAN interface???
it's your browser on your LAN that will call the LAN ip address of the modem. So what the hell is the router going to do about it????
Re: (Score:3)
Go look at your setup: It goes computer -> router -> modem -> ISP. Your computer(s) are on the LAN side wired or wireless. Your modem is on the WAN side. That's the only way your router can route assuming a standard consumer grade router.
So any traffic to anything on the WAN side, which includes your modem, passes through the router. The router can then, of course, block any of that it likes. Many routers by default block private IP spaces as specified by RFC 1918 on the WAN port since under normal
Re: (Score:3)
Because there appears to be a misunderstanding of what "blocking private IP spaces" means.
No router is blocking 192.168.100.1 by default. This is the standard IP address for the web user interface for cable modems and needs to be accessible from the LAN for modem monitoring and control purposes. On most routers I've never even seen an option to block this address to begin with.
Re: (Score:2)
Sonofabitch. I wish I'd known that (address) ten years ago. I spent so many years either directly connected on a managed network or, [shudder] on dialup w/o a modem, I'd never even thought to look to see what IP the WAN port was using. Learn something new every day. Thank you, sir.
Re: (Score:2)
...
*sighs*
It's the first (or second) hop when you traceroute. Normally.
Windows, I take it?
Press Winkey + R
Type CMD
Press ENTER
Type tracert google.com
It's the first or second one normally. If you have one router/modem then it's the first one.
So, in my case, it is 192.168.1.254 but some router manufacturers seem to like to ma
Re: (Score:2)
No, the IP of the internal interface of the cable modem will not show up in a tracert that originates internally. The IP of the external interface will.
Re: (Score:2)
Then they should be the second hop, yes? Unless, as I mentioned, they're one of the ones that puts their configuration page on a separate IP address (I think I called it port by mistake - I was in a rush but it should be reasonably clear). Most of them (and I've used a number) will be the first or, if you have a router in front of it, will give the second when you look? I'm pretty sure that I've seen this countless times. I could have bumped my head but I'm kind of checking the same thing right now and it's
Re: (Score:2)
You think it's going to be tough to block 192.168.100.1/32 on any reasonable firewall setup?!? You must have zero clue how security works. On my Netgear I could block it in block sites, block services (by blocking access to 80 and 443 on that IP), or by doing a blackhole route for the IP.
Re: (Score:2)
Blocking private IP space in this context means that the router has a rule along these lines
if (DST Subnet: 10.0.0.0/8 || 172.16.0.0/12 || 192.168.0.0/16 ) && (DST iface = WAN) drop
So, in other words, if the destination interface is the WAN port, and the destination subnet is RFC1918 space, drop the packet. Unless the 192.168.100.0/24 subnet exists on the LAN side, and is therefore in the routing table as something more specific than 0.0.0.0, the packets are going to be routed to the default gateway
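Added example, not from any router vendor or from the thread: a model of a consumer router's forwarding decision (longest-prefix match) with the "drop RFC 1918 destinations leaving the WAN port" rule quoted above, plus an explicit per-address drop list of the kind the Netgear comment and the CERT note describe (block just 192.168.100.1). It shows the two cases argued in this sub-thread: with only a default route the modem's address is sent to the WAN port and the rule drops it; if 192.168.100.0/24 is a LAN subnet the packet stays on the LAN and never reaches the modem at all. The routing tables are constructed; the modem address is the one the thread uses.

```python
"""Added example (not vendor code): where a LAN browser's packet to the modem's
management address goes, and whether the RFC 1918-on-WAN rule drops it."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MODEM_UI = "192.168.100.1"  # management address assumed in the thread


def lookup(routes, dst):
    """Longest-prefix match over a list of (network, interface) pairs."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(routes, dst, block_private_on_wan=True, drop_list=()):
    """Returns ("forward", iface) or ("drop", iface).

    block_private_on_wan models the common "disable private networks on WAN"
    option: packets routed out the WAN port with an RFC 1918 destination are
    dropped. drop_list models a manual rule for specific prefixes (e.g. a /32
    for the modem UI) that applies on any interface."""
    addr = ipaddress.ip_address(dst)
    iface = lookup(routes, dst)
    if iface is None:
        return ("drop", None)
    if any(addr in ipaddress.ip_network(n) for n in drop_list):
        return ("drop", iface)
    if block_private_on_wan and iface == "wan" and any(addr in n for n in RFC1918):
        return ("drop", iface)
    return ("forward", iface)


def routes(*pairs):
    return [(ipaddress.ip_network(net), iface) for net, iface in pairs]


# Constructed tables. Case 1: LAN is 10.0.2.0/24, everything else is default -> WAN.
ROUTES_10NET = routes(("10.0.2.0/24", "lan"), ("0.0.0.0/0", "wan"))
# Case 2: the 192.168.100.0/24 subnet is (unusually) the LAN itself.
ROUTES_LAN_OVERLAP = routes(("192.168.100.0/24", "lan"), ("0.0.0.0/0", "wan"))

if __name__ == "__main__":
    for label, tbl in (("10-net LAN", ROUTES_10NET), ("100-net LAN", ROUTES_LAN_OVERLAP)):
        print(label, "->", forward(tbl, MODEM_UI))
```

Note what the second case actually shows: the packet is delivered on the LAN segment, so it is not dropped but it also never transits the modem, which is why the comment above says the rule only matters when the modem's subnet is *not* more specific than the default route.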
Re: (Score:2)
My SB6140 modem's web interface has two HTML form buttons: either a "reset" which wipes the DOCSIS training info (which can take 5-30 minutes to relearn to re-establish a good connection), or a "reboot". Hitting the first and then the second is maximum denial-of-service. Cable modems have no user password and no way to set a password (while happily providing root to your ISP); likely all have similar unpassworded reboot buttons.
The cable modem web server does not need to be accessible, there is nothing
Re: (Score:2)
Depends. It may mean you won't be able to get to the very useful diagnostic screens on the modem.
Or, it may not do what you imply at all. The modem may use a simple stateful firewall and only be blocking unassociated inbound packets with an RFC 1918 source IP. Outbound connections to a private IP may still be allowed, along with th
Re: No, it will (Score:2)
Re: No, it will (Score:2)
Re: (Score:1)
What ISP? I want a list. That's not how the modem works. Factory resetting does not delete the modem from the ISP records. The "defaulting" just removes the learned values in the modem that allow it to find the network quickly. Otherwise, it has to search, channel by channel, for the DOCSIS network -- which it will do if it cannot find the network where it last did.
Re: (Score:2)
It gets updated like any other (Score:3)
Who owns the equipment is just a matter of who replaces it if it breaks and maybe if you pay rental fees. From the operational point of view, it is all under the control of the cable company. When you hook up a modem you have to register it with your cable provider or it won't work. Due to the nature of DOCSIS, it isn't a "plug and go" situation they have to have it provisioned on their system. It has to be an approved model too, because they need to be able to send it a boot file which tells it various con
Re: (Score:2)
Re: (Score:1)
'Yes, the cableco will push firmware' would have been sufficient.
Most of the people, here, like that kind of information. If you don't, then don't read it...
Re: (Score:2)
I do appreciate the answer, albeit long-winded. You, however, can eat shit.
Re: (Score:2)
"Your cable modem is under the control of your ISP and they can push new firmware to it when they need to."
So what you're saying is that we're fucked, right?
Secret haxxor exploit link HERE: (Score:3)
http://192.168.100.1/Reboot.ht...
I have it bookmarked so I can freshen up the channels before I do a speedtest.
Pepper your blogs with this. People clicking it will lose their Internets for 45 seconds.
Re: (Score:2)
Re: (Score:2)
If you use 10/8 internally, then your router will either forward packets for 192.168.100.1 to your ISP or drop them entirely. What makes you think just putting a device with 192.168.100.1 on the WAN side of your router makes it reachable if your router doesn't know anything about 192.168.100/24 on that interface?
Seriously, get a clue about networking and routing.
Default gateway. Tested and works to this modem (Score:2)
I use 10.0.2.0/24 as my physical LAN. Which means any OTHER network gets routed to the default gateway, which is the modem.
Most people use 192.168.1.0 on the LAN side. The cable modem isn't on that network either, it's on 192.168.100.1. So the bone-stock default is the same - the modem, on the WAN side, is a different network from the LAN side. What network you use on the LAN doesn't matter, unless you were to also use 192.168.100 on the LAN.
Re: (Score:2)
No, the default gateway is your ISP. Otherwise, your modem would be a router.
Re: (Score:2)
Re: (Score:2)
Then it's not just a modem. Do you have a separate router or just your "modem"?
If you have a router, then you're doing an unnecessary double-router setup. If you don't, then the whole point is moot. A modem is transparent to layer 3 and provides a common layer 2 among different layer 1s.
The (separate) router on the LAN side of the modem needs to be aware of the 192.168.100/24 on its WAN side or else it won't know how to reach it on layer 3, regardless of all traffic passing through the modem on layer 2.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The modem IS working as a limited router. The fact is, when your router sees packets meant for addresses it doesn't manage, it can send them to the WAN. I've seen this firsthand by having various Linksys routers chained together with each set up to manage a different 192.168.x.1 network. If you're connected farthest from the Internet gateway, you can reach devices on all of the LANs. If you're connected someplace else, you can reach anything on your own LAN and up through the WAN.
The difference with the mod
Re: (Score:2)
+++ATH0
This can't be news... (Score:2)
Had assumed since ancient 5121 some 10 years ago this was possible. Even firewalled the modem from LAN as TFA suggests to prevent any kind of scripted data collection or reboot shenanigans.
There is no login on the surfboard interface, no accounts, no credentials. There are big juicy buttons to reboot and set factory defaults. Comcast's own portal had the browser follow reboot link thru web interface and anyone who wanted could do the same. I could be wrong and it could have been backend SNMP.. Never ac
Re: (Score:2)
Reminds me of an ancient rumor for disconnecting modems by sending modem escape sequence in ICMP ping request and waiting for your victim to disconnect themselves by echoing it back.
Uh, that wouldn't work, the PPP interface and the COM\TTY interface are completely separate entities.
Re: (Score:2)
Actually, it worked.
You just need to send a ping packet with "[CR][LF]+++ATH0[CR][LF]" as the payload and the poor modem users get disconnected unless they used "ATS2=127" in their init string and/or have disabled ICMP replies.
Re: (Score:1)
Or their modem wasn't a PoS that had no guard time between the +'s to stop this very thing.
Bigger news (Score:2, Offtopic)
Re: (Score:2)
I think they just sold off their cablemodem division. They continued under another brand name.
boundary (Score:2)
As I understand it, it's a modem, not a router. So you need either a router or a PPPoE client in your computer. My policy is that
1) the boundary between the Internet and my internal network lies between the equipment I control and equipment I don't control. In other words, either I choose the equipment, flash there anything I want and set any password I want - or this equipment is yours, you must do everything to return it in working order. And if you don't - I either go to some other provider or write a complain to Ros
Fix (Score:1)
"Restricting access to the Surfboard's web interface by using proxy filtering rules, router access control lists or firewall rules will mitigate this vulnerability. To effectively block access, the rules must prevent users on the LAN side of the cable modem from connecting to the web interface's IP address (usually 192.168.100.1)."
http://www.kb.cert.org/vuls/id/643049
Any impact outside US? (Score:1)
They are available worldwide (Score:2)
Dunno if they are used much though. They support EuroDOCSIS so you can in theory use them everywhere (DOCSIS is for NTSC systems, EuroDOCSIS for PAL). It is also possible that the same firmware is on units with a different model number or brand in other countries; sometimes a product will be rebadged in different markets.
It is kinda hard to say. A simple test is to go to 192.168.100.1. If that doesn't come up, then you have nothing to worry about since that's the IP the Arris modems use. If it does come up,
Re: (Score:2)
It's never "available". It is supplied with the cable internet contract and is usable only where the distribution network for cable TV exists. In Russia there were lots of small cable TV providers so they had an infrastructure to use it as well as inability to use the telecom cabling since the telecom is a monopoly. In Europe it's quite possible that the cable TV and telecoms are the same structures and so it's preferable to use ADSL.
Re: (Score:2)
Are these units mostly sold in the US?
US, Canada, Europe. I can't speak for US or Euro ISPs but Rogers, Cogeco, and a couple of small ISPs (because of certification for Third Party Internet Access (TPIA), aka companies that buy last mile support) require this modem (or one of several others usually) for new customers. Last year for example on Rogers the SB6141 wasn't approved, this year it's approved. Though my SB6121 made ~4 years ago was approved, then unapproved 6mo later by Rogers.
many were sold retail; no provider access required (Score:2)
Target and Best Buy, at least (CompUSA, IIRC), sold them retail. I got mine at Target. There's no need for an ISP "fix", if Arris just doesn't use that as an excuse not to provide an update.
Re: (Score:3)
Yes, there is. DOCSIS doesn't permit user updates of the modem's firmware, because that would allow users to bypass limitations set by the cable provider based on what service they've purchased. Only the cable head-end can download firmware to the modem, so the ISPs have to add the fix to their firmware images and deploy them to the modems. Yeah, I know, but the network design treats the modem as a part of the cable network and not as an end-user device like a router would be. Just remind yourself that the
Re: (Score:2)
Sorry, but "no". I have already updated it once, back when an earlier vulnerability was found. As long as it's a manufacturer-supplied update, TWC doesn't care.
Re: (Score:2)
That's strange, because the manufacturer says there are no firmware updates available for the SB6141 (or any of their other cable modems). It's possible to update the firmware of the router portion of their combined products, but that update doesn't touch the cable modem portion. Plus seeing as how the very first thing the cable modem will do after it establishes a connection to the head-end is check its firmware image against the head-end and download and overwrite if they don't match...
Re: (Score:1)
1.0.6.16 apparently has a "fix" -- they removed the buttons. If all they did was remove the clickable buttons but left the actual "reset.htm" pages in there, then it isn't fixed. As there are legitimate reasons to use those buttons (and no physical reset button), removing them is a Bad Idea(tm).
Re: (Score:1)
DOCSIS 1.0 security specifications REQUIRE firmware downloads through the HFC interface ONLY. Users CANNOT update DOCSIS compliant modems. In fact, END USERS have no access to vendor images in the first place. (If you happen to have your own CMTS, and thus "cable network", then yes, you can load practically anything you want -- i.e. anything the existing firmware will accept.)
Yes, you can hack your modem... open it, attach a JTAG header, and screw with the system. That is not what we're talking about.
[ brackets - brackets - close brackets ] (Score:2)
[More than 135 million modems are said to be vulnerable to a flaw that can leave users cut-off from the internet -- just by someone clicking on a trick link.]
[ ( { What is this bizarre thing Slashdot has lately for chucking in brackets } for no good ) reason? ]
Re: (Score:1)
It's a thing that educated people do to mark where a quote has been modified, for example to provide necessary context information or to adapt the grammar to a surrounding sentence, always making sure that the meaning of the quote is not distorted, of course. In this case, note that the part with the brackets is quoted, as indicated by the introduction "schwit1 quotes a report from ZDNet" and the indentation. The first sentence however isn't in the quoted article. It was added to provide context information
Re: (Score:1)
No. It. Is. Not.
If the network is down, then, AND ONLY THEN, will its DHCP server answer queries. As the network isn't operational, you aren't going anywhere. When the network comes up, you still won't go anywhere with the 100-net addresses. The device is always a "gateway to the internet". That doesn't mean it's a router; a bridge is a gateway as well. (just at a different layer)
Re: (Score:1)
ARGH! Somehow my post got mangled. Here is the corrected version:
Comcast has an annoying habit of assigning me channels with terrible packet loss. My solution was to write a cron job that fetches the "Signals" page every minute, then examine the SNR and calculate the percent of "Uncorrectable Codewords". If any channel has SNR 2%, then it issues the reboot URL. Life has been sooo much better since I did this!
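Added example, not the commenter's cron job: a parser for a SurfBoard-style "Signals" table that computes each downstream channel's SNR and the share of uncorrectable codewords, and a decision function of the kind the comment describes. The HTML below is constructed to resemble the per-channel rows such modems show and is not a capture from a real modem; the row labels, the SNR floor (30 dB) and the uncorrectable-codeword ceiling (2%) are assumptions, since the thresholds in the comment above did not survive extraction. Fetching the page and hitting the reboot URL are left to the caller, so the block runs offline.

```python
"""Added example (not the commenter's script): parse a constructed SurfBoard-style
Signals table and decide whether any downstream channel is bad enough to reboot."""
from html.parser import HTMLParser

# Constructed sample; layout modelled on a per-channel signal table, not a capture.
SAMPLE_SIGNALS_HTML = """
<table>
<tr><td>Channel ID</td><td>1</td><td>2</td><td>3</td></tr>
<tr><td>Signal to Noise Ratio</td><td>38 dB</td><td>37 dB</td><td>29 dB</td></tr>
<tr><td>Total Unerrored Codewords</td><td>1000000</td><td>980000</td><td>900000</td></tr>
<tr><td>Total Correctable Codewords</td><td>120</td><td>95</td><td>4000</td></tr>
<tr><td>Total Uncorrectable Codewords</td><td>3</td><td>0</td><td>30000</td></tr>
</table>
"""


class RowParser(HTMLParser):
    """Collects every <tr> as a list of stripped <td> strings."""

    def __init__(self):
        super().__init__()
        self.rows = []
        self._row = None
        self._cell = None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td":
            self._cell = ""

    def handle_data(self, data):
        if self._cell is not None:
            self._cell += data

    def handle_endtag(self, tag):
        if tag == "td" and self._row is not None:
            self._row.append(self._cell.strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None


def parse_signals(html):
    """Returns one dict per channel with id, snr_db and uncorrectable_pct.
    Row labels are assumed; a real page may name them differently."""
    p = RowParser()
    p.feed(html)
    table = {r[0]: r[1:] for r in p.rows if r}
    channels = []
    for i, cid in enumerate(table["Channel ID"]):
        snr = float(table["Signal to Noise Ratio"][i].split()[0])  # "38 dB" -> 38.0
        good = int(table["Total Unerrored Codewords"][i])
        corr = int(table["Total Correctable Codewords"][i])
        unc = int(table["Total Uncorrectable Codewords"][i])
        total = good + corr + unc
        pct = 100.0 * unc / total if total else 0.0
        channels.append({"id": cid, "snr_db": snr, "uncorrectable_pct": pct})
    return channels


def channels_needing_reboot(channels, min_snr_db=30.0, max_uncorrectable_pct=2.0):
    """IDs of channels below the SNR floor or above the uncorrectable ceiling.
    Both thresholds are assumptions for this example."""
    return [c["id"] for c in channels
            if c["snr_db"] < min_snr_db or c["uncorrectable_pct"] > max_uncorrectable_pct]


if __name__ == "__main__":
    bad = channels_needing_reboot(parse_signals(SAMPLE_SIGNALS_HTML))
    print("reboot needed for channels:", bad)  # caller would hit the reboot URL here
```

One caveat the comment's approach invites: the codeword counters are cumulative since the last reboot, so a channel that was bad an hour ago keeps a high uncorrectable share long after it has recovered; a cron job that acts on the raw ratio can end up rebooting on stale history. Sampling the counters and differencing between runs avoids that.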
Older models ? (Score:2)
What about really ancient older models like my parents have from Time Warner Cable, a model SB5101 circa 2001? TWC is absolutely awful, not only won't they upgrade the modem, they are the only game in town, and they can't seem to configure a DNS to save their own lives. Their DNS servers are on the same subnet on sequential IPs, so that in the event of any disruption, both DNS servers fail together. Sadly the number of interruptions is staggeringly high, and only my addition of an OpenDNS server makes thei
Re: (Score:1)
Dude, are they paying a rental fee for that modem? If so go to eBay and get another used one for ten bucks like I did, and ask TWC where to return theirs. They have no problem with that, because your folks are the last people to still be renting.
I hope they're not still renting a land line phone too.