Today, Rapid7 would like to disclose a pair of newly discovered vulnerabilities in consumer and SOHO-grade cable modems: the Arris DOCSIS 3.0 (aka Touchstone) cable modems and the Netmaster Wireless Cable Modems. Both exposures were discovered by Rapid7's Deral Percent_X Heiland and independent researcher Matthew Kienow. The duo plans to discuss these and other common vulnerabilities and configuration issues at DerbyCon near the end of September. In the meantime, let's explore each of these issues in turn.

R7-2014-13: Arris DOCSIS Exposure (CVE-2014-4863)

Affected Devices

ARRIS DOCSIS 3.0 / Touchstone Wideband Gateway. These devices can be fingerprinted as:

HW_REV: 3; VENDOR: Arris Interactive, L.L.C.; BOOTR: 2.3.1; SW_REV: 7.10.131; MODEL: DG950A.

The devices are manufactured by ARRIS. Information about the company can be found on their website, and the technical specifications of the affected device can be found here (PDF).

Vulnerability Description

By default, this device was found to expose critical information via the SNMP "public" community string. According to Shodan, over 50,000 of these devices expose SNMP to the internet. This device has been found to leak the following Wi-Fi configuration information at the OIDs listed below:

Password
    1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0

SSID
    1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12

WPA PSK
    1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12

WEP 64-bit Network Keys
    Key 1: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.1
    Key 2: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.2
    Key 3: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.3
    Key 4: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.4

WEP 128-bit Network Keys
    Key 1: 1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12.1
    Key 2: 1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12.2
    Key 3: 1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12.3
    Key 4: 1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12.4

Disclosure Timeline

| Date | Description |
|---|---|
| June 5, 2014 (Thu) | Issue discovered and advisory written |
| June 20, 2014 (Fri) | Vendor contact details sought |
| July 9, 2014 (Mon) | Issue disclosed to CERT/CC |
| August 15, 2014 (Fri) | CVE assigned by CERT/CC |
| August 21, 2014 (Thu) | Details published |

R7-2014-14: Netmaster Wireless Cable Modem Exposure (CVE-2014-4862)

Affected Devices

Netmaster Wireless Cable Modem. These devices can be fingerprinted as:

HW_REV: 1.0; VENDOR: TEKNOTEL; BOOTR: 2.3.1; SW_REV: 81.447.392110.729.024; MODEL: CBW700N

The devices are manufactured by Netmaster. Information about the company can be found on their website (Turkish), and these devices are primarily in use in Turkey.

Vulnerability Description

By default, this device was found to expose critical information via the SNMP "public" community string. According to Shodan, 258,638 of these devices expose SNMP to the internet. This device has been found to leak the following Wi-Fi configuration information at the OIDs listed below:

Username
    1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0

Password
    1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0

SSID
    1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32

WPA PSK
    1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32

WEP 64-bit Network Keys
    Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.1
    Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.2
    Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.3
    Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.4

WEP 128-bit Network Keys
    Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.1
    Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.2
    Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.3
    Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.4

Disclosure Timeline

| Date | Description |
|---|---|
| June 5, 2014 (Thu) | Issue discovered and advisory written |
| June 20, 2014 (Fri) | Vendor contact details sought |
| July 9, 2014 (Mon) | Issue disclosed to CERT/CC |
| August 15, 2014 (Fri) | CVE assigned by CERT/CC |
| August 21, 2014 (Thu) | Details published |

## Exploit / Module Availability

Deral and Matthew intend to make Metasploit modules available to exercise these vulnerabilities near or during DerbyCon in late September. In the meantime, these issues can be trivially exercised with common SNMP query tools such as snmpwalk. If you'd like to race the original researchers in producing modules specific to these issues, you are welcome to open a Pull Request for the Metasploit Framework over on GitHub.
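As an added example that is not part of this advisory and not the researchers' Metasploit modules, the following Python decodes an SNMPv1/v2c GetRequest as a WAN-side capture on UDP/161 would deliver it, and flags any request for the credential OIDs listed above; this is the check a monitoring rule or a pcap review of an exposed modem would apply. The sample packet is constructed here, and the OID table is a subset of the ones above (the WEP key OIDs are left out for brevity).

```python
# Minimal BER decoder for SNMPv1/v2c GetRequest packets, used to flag WAN-side
# queries for the OIDs this advisory lists as leaking Wi-Fi credentials.
# Subset of the advisory's OIDs (the WEP key OIDs are omitted for brevity).
SENSITIVE_OIDS = {
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0": "Username",
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0": "Password",
    "1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12": "Arris WPA PSK",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32": "Netmaster WPA PSK",
}
def _tlv(buf, pos):  # -> (tag, value, next_pos) for the BER TLV starting at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _decode_oid(raw):  # first content byte packs the first two arcs (40*x + y)
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of a base-128 arc
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))
def parse_snmp_get(packet):
    """Return (community, [oids]) from a v1/v2c GetRequest/GetNextRequest."""
    _, msg, _ = _tlv(packet, 0)             # outer SEQUENCE
    _, _version, pos = _tlv(msg, 0)
    _, community, pos = _tlv(msg, pos)
    tag, pdu, _ = _tlv(msg, pos)
    if tag not in (0xA0, 0xA1):             # not GetRequest / GetNextRequest
        return community.decode(), []
    pos = 0
    for _ in range(3):                      # request-id, error-status, error-index
        _, _, pos = _tlv(pdu, pos)
    _, varbinds, _ = _tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _tlv(varbinds, pos)
        _, oid_raw, _ = _tlv(vb, 0)         # the request's value is NULL; ignored
        oids.append(_decode_oid(oid_raw))
    return community.decode(), oids
def flag_sensitive(packet):
    """List (oid, label) pairs for every credential OID requested in packet."""
    _, oids = parse_snmp_get(packet)
    return [(o, SENSITIVE_OIDS[o]) for o in oids if o in SENSITIVE_OIDS]
# Constructed sample: SNMPv2c GetRequest, community "public", for the Password OID.
SAMPLE_GET = bytes.fromhex(
    "30 2d 02 01 01 04 06 70 75 62 6c 69 63 a0 20 02 01 01 02 01 00 02 01 00 "
    "30 15 30 13 06 0f 2b 06 01 04 01 a3 0b 02 04 01 01 06 01 02 00 05 00"
)
```

Feeding captured UDP/161 payloads through flag_sensitive gives a direct indicator of whether anyone outside the LAN has been asking a modem for these values.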