Vendors spooked over bug that could open the door to man-in-the-middle attacks and more
Security researchers have discovered a critical vulnerability dubbed ‘Cable Haunt’ that, they say, could affect hundreds of millions of cable modems around the world.
Attackers can gain access to a vulnerable endpoint on the impacted modems through a client on the local network such as a browser. Hitting this endpoint with a buffer overflow attack gives the attacker control of the device.
The vulnerable endpoint – found in certain cable modems running Broadcom firmware – serves a tool called a spectrum analyzer. Importantly, the WebSocket that’s used by this component isn’t protected by the Cross-Origin Resource Sharing (CORS) protocol.
And because the cable modem never inspects the relevant request parameters added by the browser, the WebSocket will accept requests made by JavaScript running in the browser regardless of origin, allowing attackers to reach the endpoint.
The buffer overflow vulnerability can then be exploited to give control to an attacker –potentially allowing them to change the default DNS server, conduct remote man-in-the-middle attacks, and more.
And, say the researchers, because the vulnerability originated in reference software that has apparently been implemented by several cable modem manufacturers, as many as 200 million modems could be affected in Europe alone.
Ghosts in the modem
Alexander Krog, Jens Stærmose, and Kasper Terndrup of Lyrebirds, along with independent researcher Simon Sillesen, said they started investigating the issue a year ago.
"The process was rather long, and had countless dead ends; however, we kept spotting things that made us go: ‘Well, if they made part A with this kind of mistake, then there is probably also something in part B or C’,” Terndrup told The Daily Swig.
“Once we discovered the spectrum analyzer buffer overflow, and the fact that it was available across multiple vendors, we realized that this might be more serious than ‘just another badly made cable modem’.”
Read more of the latest security vulnerability news
Terndup said the team has no way of knowing whether the vulnerability has been exploited in the wild. Doing so would require execution of code on the client side, such as JavaScript in a browser, along with a specially-crafted message which returns oriented programming.
“This might require reverse engineering of the targeted system, and will not be guaranteed to translate across different firmware versions,” he said.
“However, there are many different avenues to exploit this bug, and once control has been obtained by an attacker, it will be hard to detect and remove their access, if they are careful.”
The researchers are calling on ISPs to check whether their devices are affected and, if so, to urge vendors to issue patches.
“We have been declined contact by the vendors we tried to get in touch with, usually with the answer that they prefer to deal with us through the ISPs. This has been rather annoying,” said Terndrup.
A full list of vulnerable modems can be found on the Cable Haunt website.
RELATED Serious vulnerabilities in popular Netgear router can crash your device
