Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability

Venustus

Venustus

Level 59
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
Content source
https://www.zdnet.com/article/hundreds-of-millions-of-cable-modems-are-vulnerable-to-new-cable-haunt-vulnerability/
A team of four Danish security researchers has disclosed this week a security flaw that impacts cable modems that use Broadcom chips.
The vulnerability, codenamed Cable Haunt, is believed to impact an estimated 200 million cable modems in Europe alone, the research team said today.
The vulnerability impacts a standard component of Broadcom chips called a spectrum analyzer. This is a hardware and software component that protects the cable modem from signal surges and disturbances coming via the coax cable. The component is often used by internet service providers (ISPs) in debugging connection quality.
On most cable modems, access to this component is limited for connections from the internal network.
The research team says the Broadcom chip spectrum analyzer lacks protection against DNS rebinding attacks, uses default credentials, and also contains a programming error in its firmware.
Researchers say that by tricking users into accessing a malicious page via their browser, they can use the browser to relay an exploit to the vulnerable component and execute commands on the device.
Click to expand...
 
  • Like
  • Wow
  • +Reputation
Reactions: Andy Ful, LASER_oneXM, blackice and 10 others
Cortex

Cortex

Level 26
Verified
Top Poster
Well-known
Aug 4, 2016
1,465
I suppose the definition of a cable modem differs where you are, BT used Broadcom chips in almost all their hybrid fibre/copper modem for years & still do, in UK a cable modem is usually defined as a none BT Infinity modem? Interesting.
 
  • Like
Reactions: Andy Ful, harlan4096 and Venustus
blackice

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,765
Hundreds of millions of cable modems are vulnerable to critical takeover attacks by hackers halfway around the world, researchers said.

The attacks work by luring vulnerable users to websites that serve malicious JavaScript code that's surreptitiously hosted on the site or hidden inside of malicious ads, researchers from Denmark-based security firm Lyrebirds said in a report and accompanying website. The JavaScript then opens a websocket connection to the vulnerable cable modem and exploits a buffer overflow vulnerability in the spectrum analyzer, a small server that detects interference and other connectivity problems in a host of modems from various makers. From there, remote attackers can gain complete control over the modems, allowing them to change DNS settings, make the modem part of a botnet, and carry out a variety of other nefarious actions.
Click to expand...

Complete control
"The vulnerability enables remote attackers to gain complete control of a cable modem, through an endpoint on the modem," Lyrebirds researchers wrote. "Your cable modem is in charge of the Internet traffic for all devices on the network. Cable Haunt might therefore be exploited to intercept private messages, redirect traffic, or participat[e] in botnets."

Advertisement

There are at least two ways the exploit can gain remote access, meaning it can be exploited over the Internet by an attacker who is outside the local network.

The first and most straightforward way is to serve malicious JavaScript that causes the browser to connect to the modem. Normally, a mechanism called cross-origin resource sharingprevents a Web application from one origin (such as malicious.example.com) from working on a different origin (such as 192.168.100.1, the address used by most or all of the vulnerable modems).

Websockets, however, aren't protected by CORS, as the mechanism is usually called. As a result, the modems will accept the remote JavaScript, thereby allowing attackers to reach the endpoint and serve it code. While Cabe Haunt accesses modems through a browser, the attack can come from any place where running code can reach an IP on the local network.
Click to expand...
 
  • Like
Reactions: Cortex and harlan4096
blackice

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,765
The Cable Haunt website isn’t very helpful. A lot of “*Shrugs* and even if the test fails you may still be vulnerable. Just buy a new modem.”

I have a ‘vulnerable’ modem, but there’s a router with a firewall behind it.The Ars discussion is all over the place on what the risk is even blocking 192.168.100.1 (the common router address). They seem to have published this information prematurely.
 
  • Like
Reactions: Cortex and harlan4096
You must log in or register to reply here.

Similar threads

silversurfer
    • +Reputation
    • Like
Crypto Opinions & News 'Randstorm' Vulnerability: Millions of Crypto Wallets Open to Theft
Replies
0
Views
510
Crypto News
silversurfer
silversurfer
upnorth
    • Like
    • Wow
    • +Reputation
Millions of Java Apps Remain Vulnerable to Log4Shell
Replies
0
Views
705
News Archive
upnorth
upnorth
silversurfer
    • Like
    • Wow
    • Sad
Patches for new Retbleed AMD and Intel microprocessor vulnerability may have significant overhead
Replies
4
Views
979
News Archive
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top