Over 135 Million Routers Vulnerable To Denial-of-service Flaw

schwit1 quotes a report from ZDNet: [More than 135 million modems are said to be vulnerable to a flaw that can leave users cut-off from the internet -- just by someone clicking on a trick link.] The problem lies with how a widely-used router, the ArrisSurfBoard SB6141, handles authentication and cross-site requests. Arris (formerly Motorola) said that it has sold more than 135 million of the SurfBoard SB6141 routers. That means the millions of Comcast, Time Warner Cable, or Charter customers who are shipped one of these routers when they subscribe are vulnerable. The flaw is so easy to exploit that anyone on an affected network can be tricked into clicking on a specially crafted web page or email. Security researcher David Longenecker, who found the flaws and posted the write-up on the Full Disclosure list earlier this week, released the "exploit" link after Arris stopped responding to emails he sent as part of the responsible disclosure process. There's no practical fix for the flaw, according to Longenecker. "The simplest solution would be a firmware update such that the web [user interface] requires a username and password before allowing disruptive actions such as rebooting or resetting the modem, and that validates that a request originated from the application and not from an external source," he said. But even if Arris released a fix, he said that the cable modems are not upgradable by their owners, meaning the internet provider would have to roll out the fix.

Modem â Router

[nuckfuts]

It's a cable modem.

Re:Modem â Router

It comes in both flavors - The SB6141 itself is just a modem but there is a router variant which probably uses the same modem firmware

Re:Modem â Router

Apparently ZDNet doesn't know the difference between a router and a cable modem.

Re:Modem â Router

[WarJolt]

RTFA. The title is misleading. The vulnerability resets your MODEM and possibly causes reprovisioning due to a factory reset. Some ISPs don't do this automatically for some reason.

Re: Modem â Router

[ArmoredDragon]

No it doesn't, when Motorola sold combined modem/gateway units, they were always under the SBG nomenclature, and standalone modems were always just SB. This is the SB6141, which means it's just a modem.

Re: Modem â Router

Technically, it's not a cable modem, despite everyone (including the manufacturers) calling it thus. It's a terminal adapter.
A modem is responsible for modulating/demodulating an incoming signal, ex. changing an analog signal into a digital signal and vice versa.
A modem can also cause a signal (a frequency) to ride upon another (frequency) thus associated with the term "carrier" wave.
There is no such thing as a cable "modem" that is being used in people's homes.
But who am I to change people's thinking..?

On a separate note;
A "Hacker" is a person who puts together some ad-hoc solution to some problem. A relatively bad solution is also known as a "hack" job.
A "Cracker" is a person who cracks safes, originally. Could be a person who cracks some code, either for good reasons or bad.

I wish the above terms when created and defined, would STAY that way.
Language has a way of drifing...

Re: Modem â Router

[Cramer]

Indeed. And every SB device that's ever been made (all the way back to the SB3100) has had the same "flaw". There is no authentication at all, and if there were, 100% of them would be left at the static, insecure defaults because it's a freakin' modem with nothing to configure. (Or worse, the ISP will set the credentials to some random crap with no mechanism for the user to know them. They already do that with the integrated-router versions.)

(Yes, they *could* use the HFC MAC or SN, but we all know they won't.)

Urggggggggh

Jesus fucking christ are coders STILL writing shit like this, in 2016? Why is it not drilled into the skulls of ANYONE who ever goes near a code editor that:

You DO NOT construct SQL strings by concatenating shit together
You DO NOT allow GET requests to perform any non-idempotent or destructive action
You DO NOT fire back user entered text without sanitising the shit out of it, ESPECIALLY to remove tags

Just follow these three rules and 99% of the web app disasters out there will be avoided.

Re:Urggggggggh

[tburkhol]

This doesn't rely on 'special' input to any field or form. This depends entirely on the fact that the convenient web interface to SB6141 has no login and includes a one-step reset button with zero confirmation. If you can check the status of your modem, an attacker can get you to reset your modem by including the reset URL as an automatically-loaded img, script, or style link. There are probably other such easy-configuration modems out there, but SB6141 is extremely popular.

You want to get mad at coders, fine, but get mad at them for relevant flaws.

Re:Urggggggggh

[JustAnotherOldGuy]

It astounds me that I, a minimally-skilled guy coding away in a home office, apparently have better security practices than huge, multi-billion dollar companies like Motorola, Twitter, Facebook, IBM, Sony, Home Depot, Target, JPMorgan, Instagram, Premera Blue Cross, etc etc etc.

I see this ALL THE FUCKING TIME, and it never ceases to amaze me. I'm basically Joe Shmoe, and yet my lame-ass code routinely screens out these kinds of abuses and exploits. Am I that smart, or are they that dumb??

I would never dream of coding something that included this kind of blatant security hole; it just baffles the hell out of me when I see SQL-injection exploits, GET request exploits, or query-string stupidity like this in modern day code or design.

I mean, HELLO, has no one heard that there are people called "hackers" on the interweb?

As someone else said above, this is 2016- when will these corporate dumbfucks learn to write even minimally secure code??

Re:Urggggggggh

You DO NOT allow GET requests to perform any non-idempotent or destructive action

Haven't you heard? The new hotness is to treat GET requests the same as a function call with no parameters. At least to all of the mouth-breathing JS coders out there, anyway. (And the mouth-breathing frameworks they rely on, too!)

GET is not parameterless.
PUT is not returnless.
DELETE guarantees nothing.
OPTION is a pain in the ass that needs to die.
And POST is not your bitch.

Get off my web server's lawn.

Re:Urggggggggh

[KGIII]

Now, we both know I like ya well enough and I think you're a great guy and all but are you really sure of that? (I'd ask myself the same thing, by the way.)

This is not meant as a slight nor is it intended to be in any way derogatory. Do you really *know* that you're better than that or is it that their code is distributed to a much wider scope of people?

I mean, I think one of my first interactions with you was my telling you about my Perl "safelist" script that I'd authored for a friend - and that I still bumped into some 20 years later. The one which used plain text files which nobody ever tucked into the folders they were supposed to, nobody every CHMODed them the way they were supposed to, and did things like keep the admin password in a plain text file that was supposed to be renamed, put into a separate folder, locked down by CHMOD and .htaccess, and never - ever, had that happen. Ever... And it's still out there...

I'll be the first to admit that I probably shouldn't do much more than edit someone else's code - and maybe not even that. ;-) But, I gave 'em good directions as to how to keep it reasonably secure at the time. That was, pretty much, best policy at the time.

Do you *really* practice better safety than they or is it that you don't code on that scale, get security checked by that many bad people or researchers, or things like that?

It's very, very possible that you do. I do not. :/ (I try, I do try...)

I imagine it's also easier if it's a 'small' project and there's just one person doing the code - so they're aware (hopefully) of what all the other people are saying. (If you're not remembering what all the other voices in your head are telling you then that's kind of scary.) So, you might really be programming with better safety practices than they are - if you answer with an affirmative then I'll certainly believe you.

Now that I think about it, I imagine it's also more difficult to maintain good security with more people - at a certain point. There's always that pesky Law of Diminishing Returns. Always... Plus, there's the adage about a chain only being as strong as the weakest link. Sure, it's a pithy saying but it's true. So, they might have someone like you on their team - maybe even a dozen folks like you and then they've got one guy like me who's just good enough to get his stuff past QA and the automated checking - and not much better. Hey, it build damn it! Err... Where was I?

Oh yeah... So, don't get me wrong; I'll absolutely believe you, if you answer affirmatively, that you practice better safety standards than they do. I suppose we might say that I do but that's kind of a stretch. We didn't have things like automated script installers and Softaculous/Fantastico back in 1998. I had to put it in a readme.txt and nobody ever read the damned thing - or I wrote it like a novella and it was TL;DR. (Probably a little of both.)

Re:Urggggggggh

[bbelt16ag]

They keep outsourcing it to morons in other countries. I happen to have one of these modems at home. slow clap for Mototrola, shitty modem and phones good job at making the world a more scarier place.

Re:Urggggggggh

[JustAnotherOldGuy]

Now, we both know I like ya well enough and I think you're a great guy and all but are you really sure of that? . . . Do you really *know* that you're better than that or is it that their code is distributed to a much wider scope of people?

I've no doubt that these companies face way more hackers and attempts than I do, and probably by people way more skilled than those who attack my sites. I'm sure that more capable hackers are trying to get into the DOD than to any of my sites (but who knows?). But with that said, I still see unbelievably dumb stuff done by large companies that should know better, coding up egregiously bad holes that I know I'd never leave open.

On my side, I do what I can to prevent naughty mischief from occurring.

One of my standard, baked-in bits of code is a sanitizer function. It can be set to allow some stuff in but not others. For example, "allow only numbers and nothing else", or "allow only alphanumeric chars and nothing else", or "allow only alphanumeric and standard punctuation", and so on. So a var coming in that's *supposed* to be only numeric gets set to "only numeric".

It also screens out all sorts of XSS tricks, converts all brackets to HTML entities, cleans up any octal shit or base64 that someone tries to send back, escapes the living shit out of everything, etc etc etc. It limits the length of whatever is coming in to a programmable limit- if I'm expecting 10 chars, it truncates everything down to 10 chars (why would I allow more?). It removes NULL chars, UTF16 two byte encoding, stops directory traversal, defangs URL decode crap, etc etc. It screens for a host of other tricky shit- javascript commands, img lowsrc junk, CSS naughtiness, and so on, including some stuff I won't mention here. :)

I apply this screening function to every bit of data coming in, as well as what comes back out of the database (just in case someone does manage to bypass my input screening and manage to get something directly into the database).

I won't say my sanitizer is perfect, but it's stood the test of time so far. Maybe someday someone will manage to bypass it, but it's taken a pretty good beating so far and hasn't been spoofed to my knowledge. (The usual "I can't know what I don't know" caveats apply.)

My point is, at least I'm trying...whereas some of the exploits I see large companies allow are so mind-numbingly simple/stupid that they make my head spin. They aren't even trying, it's like they're oblivious to some of the oldest and most basic hacks that exist.

Re:Urggggggggh

[KGIII]

I've been going over other people's code and giving it a once-over before I even install it. Man, that's time consuming. *sighs* Then I hack the hell out of it and remove things I don't need. Yup. I'll comment out whole chunks of code, thanks. I've come across about a dozen plug-ins that looked good - until I read the code. They got put into the "do it yourself" pile. *sighs*

Oh, and I check logs. I'm over on an acquaintance's server in France with a reseller account so I've got pretty decent access, including SSH, so I go in and check the logs for irregularities.

At any rate... Yeah, the big companies have done some stupid things over the years but we really only read about it when they screw up. I don't know if I could put that many people together and ensure they wrote bug-free and secure code. Well, no... I'm sure I could. I'm not sure that they'd let me and I'm not sure they'd be willing to pay for it. If that makes sense?

Re:Urggggggggh

[JustAnotherOldGuy]

I rarely check logs...too time-consuming and I know what I'm gonna see: 5 billion attempts at common exploits from China, Romania, Russia, Cote d'Ivoire, Texas, etc etc etc.

I just don't have time to paw through all that stuff. I used to, but I just don't bother with it any more.

Oh well, off to the buffet at Sno Falls, the wife is buying, woo hoo!

Note to burglars: Not really, I'll be sitting at home in the dark, cleaning my guns and petting the dobermans.

Re:Urggggggggh

[KGIII]

LOL Good doggies, good pups... Just a couple of them should be enough to keep the average burglars away. And nah, I don't get much in the way of traffic yet - I haven't even "opened" really. So, not much traffic yet. I see 'em trying and it has been good so far. I am tempted to block who countries though. Enjoy your food.

This is all kinds of inaccurate

[Sycraft-fu]

First off this thing is a modem, not a router. It just handles converting DOCSIS to ethernet, no built in routing capabilities or anything. They do make devices that are all-in-ones, but this one isn't.

Second, that "135 million" number is a marketing number. It is how many SurfBoard modems, and combo units total Arris claims they've sold, including when it was a Motorola brand. My SB6190, which has been on sale for all of like 5 months, has that same number stamped on it.

Third, many people are automatically protected by their routers since many routers ship with "disable private networks on WAN interface" turned on by default. That is, of course, a practical solution to the problem on any network. You can filter private networks (or just 192.168.100.1) on your WAN port, to which your modem is attached and then there's no issue.

Finally, while you could be mildly annoying with it, causing the modem to reboot, that's all you could do. It also wouldn't stick in a loop or anything like that as it requires you to click the link to make this happen.

So not a brilliant situation, but not really a big problem either. Also despite the scare words of "IPSs would have to roll out the fix" that is precisely what can, and likely will, happen. Your cable modem is under the control of your ISP and they can push new firmware to it when they need to. So fixes don't have to go out to lots of individuals, they just have to get them to the ISPs and then it can be automatically sent to all users. Updating modem firmware is something they do anyhow.

This is rather click-batey Slashdot piece :P

Re:This is all kinds of inaccurate

[idontusenumbers]

Disabling access to the modem from outside wont protect you from this exploit. If you stumble upon a website or email that contains any resources (including images) that reference a specific path on your modem, the modem reboots (as far as I understand the exploit).

Re:This is all kinds of inaccurate

[bigfinger76]

What about customer-owned equipment? Will they push out firmware updates to those, or is that the responsibility of the owner?

Re:This is all kinds of inaccurate

None of the routers I own or have configured for other people filter private networks on the WAN side. OpenWRT doesn't, for example. And it would be terrible if they did, because CG-NAT exists: Increasingly often, your first hop on the way to the internet is a private IP address. I could probably get all of the routers to eliminate access to a particular address by using the firewall configuration options or by adding custom routing rules, so remedy for this fuckup is possible. But a) it's still a fuckup, and b) the workaround requires a deep understanding of the problem and the way routers work, neither of which is available to the vast majority of the people whose internet access goes through these modems.

The first step towards ISPs rolling out a fix would be to acknowledge that there is a problem. Communications have broken down, there isn't even a CVE number for the issue. Who is going to authorize the cost of fixing a vulnerability that "doesn't exist"? ARRIS could create an update and ISPs could roll it out. Does it look like that's going to happen anytime soon? No, it does not.

Re: This is all kinds of inaccurate

It isnt just a reboot. It resets to factory defaults, so it wont work at all until your isp reinitializes the config. For some isps, this requires a phone call to support.

Re:This is all kinds of inaccurate

[radarskiy]

"Your cable modem is under the control of your ISP and they can push new firmware to it when they need to."

So what you're saying is that we're fucked, right?

Re: This is all kinds of inaccurate

[Cramer]

What ISP? I want a list. That's not how the modem works. Factory reseting does not delete the modem from the ISP records. The "defaulting" just removes the learned values in the modem that allows it to find the network quickly. Otherwise, it has to search, channel by channel, for the DOCSIS network -- which it will do if it cannot find the network where it last did.

Secret haxxor exploit link HERE:

[pepsikid]

http://192.168.100.1/Reboot.ht...

I have it bookmarked so I can freshen up the channels before I do a speedtest.
Pepper your blogs with this. People clicking it will lose their Internets for 45 seconds.

Re:Secret haxxor exploit link HERE:

http://192.168.100.1/Reboot.ht...

I have it bookmarked so I can freshen up the channels before I do a speedtest.
Pepper your blogs with this. People clicking it will lose their Internets for 45 seconds.

Hahaha! I use network 10.x.x.x because fuck you!

Re:Secret haxxor exploit link HERE:

[BronsCon]

That's all well and good (I do as well), but Motorola/Arris modems have the IP 192.168.100.1 hardcoded, so this will still work regardless.

Re:Secret haxxor exploit link HERE:

[TCM]

If you use 10/8 internally, then your router will either forward packets for 192.168.100.1 to your ISP or drop them entirely. What makes you think just putting a device with 192.168.100.1 on the WAN side of your router makes it reachable if your router doesn't know anything about 192.168.100/24 on that interface?

Seriously, get a clue about networking and routing.

Re:Secret haxxor exploit link HERE:

"Hahaha" it's a joke, dude. Even if the router address is changed, it's still predictable, and a methodical attacker could hide multiple elements in HTML to brute-force exploit the entire RFC 1918 address space.

Re: Secret haxxor exploit link HERE:

I have a Hytron branded gateway/modem fromRogers in Canada and the link above redirected me to a login page, that's it.

Re:Secret haxxor exploit link HERE:

Does not work.

iptables -A FORWARD -d 192.168.100.1 -j DROP

Re: Secret haxxor exploit link HERE:

Yeah my leased comcast arris modem gave me a 404.

Re:Secret haxxor exploit link HERE:

All cable modems have that IP address hardcoded, it is part of the DOCSIS specification. So even if the reset pages doesn't show or there isn't a web server on port 80 or 443, there should be some port open on that host for administration in order to be compliant with the spec.

Re:Secret haxxor exploit link HERE:

Get a clue yourself. Private addresses are non-routable by definition, so they won't be sent to your ISP.

Re:Secret haxxor exploit link HERE:

[radarskiy]

+++ATH0

Damn, denial, back at it again

Stay flaws-in

No, it will

[Sycraft-fu]

The way it works is by getting your browser to go to the reboot page. However, if your browser can't, then it won't work. Since blocking the IP on your router will do that, you'll be safe. There is no public access to this interface, you have to get a computer on the local network to access it.

Re:No, it will

[BronsCon]

Your browser is, ostensibly, running on a computer local to your network; you might want to think through this once more.

Re:No, it will

Since he said he'd block said traffic via his router, it shouldn't be able to reach the cable modem web interfacet. You might want to think through that once.

Re:No, it will

[TCM]

If the modem is using an RFC1918 address and is sitting on the WAN side of the router and the router is blocking RFC1918 on its WAN interface, what do you think will happen?

Maybe you should think more or stop posting about topics you don't understand.

Re:No, it will

[Racemaniac]

what makes you think this request will be coming from the WAN side, and going to the WAN interface???
it's your browser on your LAN that will call the LAN ip address of the modem. So what the hell is the router going to do about it????

Re:No, it will

[Sycraft-fu]

Go look at your setup: It goes computer -> router -> modem -> ISP. Your computer(s) are on the LAN side wired or wireless. Your modem is on the WAN side. That's the only way your router can route assuming a standard consumer grade router.

So any traffic to anything on the WAN side, which includes your modem, passes through the router. The router can then, of course, block any of that it likes. Many routers by default block private IP spaces as specified by RFC 1918 on the WAN port since under normal circumstances you wouldn't see them on there, only on the LAN side.

I am seriously not sure why this is something that is seemingly so hard to understand on a geek oriented website.

Re:No, it will

[rsmith-mac]

I am seriously not sure why this is something that is seemingly so hard to understand on a geek oriented website.

Because there appears to be a misunderstanding of what "blocking private IP spaces" means.

No router is blocking 192.168.100.1 by default. This is the standard IP address for the web user interface for cable modems and needs to be accessible from the LAN for modem monitoring and control purposes. On most routers I've never even seen an option to block this address to begin with.

Re:No, it will

[Overzeetop]

Sonofabitch. I wish I'd know that (address) ten years ago. I spent so many years either directly connected on a managed network or, [shudder] on dialup w/o a modem, I'd never even though to look to see what IP the WAN port was using. Learn something new every day. Thank you, sir.

Re:No, it will

[msauve]

"If the modem is using an RFC1918 address and is sitting on the WAN side of the router and the router is blocking RFC1918 on its WAN interface, what do you think will happen?"

Depends. It may mean you won't be able to get to the very useful diagnostic screens on the modem.

Or, it may not do what you imply at all. The modem may use a simple stateful firewall and only be blocking unassociated inbound packets with an RFC 1918 source IP. Outbound connections to a private IP may still be allowed, along with the return flow. So, the GET would still go to the modem, and cause a reset.

Blocking the modem's IP is not a good solution. Blocking a couple of specific URIs would be much better. Requiring even minimal authentication, such as the modem's MAC address as part of the URI, would be best.

Re:No, it will

Srsly?

Sorry, its just kinda like being told that someone just learned what 127.0.0.1 was.

Re: No, it will

[BronsCon]

I think you'll still be able to access it, as evident by the fact that I have the addected modem an can access it in that configuration.

Re: No, it will

[BronsCon]

Affected, not addected...

Re:No, it will

[afidel]

You think it's going to be tough to block 192.168.100.1/32 on any reasonable firewall setup?!? You must have zero clue how security works. On my Netgear I could block it in block sites, block services (by blocking access to 80 and 443 on that IP), or by doing a blackhole route for the IP.

Re:No, it will

[KGIII]

...

*sighs*

It's the first (or second) hop when you traceroute. Normally.

Windows, I take it?

Press Winkey + R
Type CMD
Press ENTER
Type tracert google.com

It's the first or second one normally. If you have one router/modem then it's the first one.

kgiii@kgiii-desktop-4:~$traceroute google.com
traceroute to google.com (216.58.219.238), 30 hops max, 60 byte packets
  1 192.168.1.254 (192.168.1.254) 0.472 ms 0.769 ms 1.031 ms

So, in my case, it is 192.168.1.254 but some router manufacturers seem to like to make a game out of it - they'll have their interface on a different port. For now, just think of it like that. However, if they have it on a different port and you can connect to it by the network manager then just connect and run netstat -a and you should be all set.

If it's not traceroute then it's tracert in Windows. It has been a minute since I've used a Windows box.

You can probably telnet into your router/modem. That's telnet [ip] and admin admin (or something like that - Google will tell you). Have fun. Go learn the what the command line does and how networking works. Also, learn what command line is good for. It's good for more than just copy/pasting a few lines from Google.

Re:No, it will

[Vertigo+Acid]

Blocking private IP space in this context means that the router has a rule along these lines

if (DST Subnet: 10.0.0.0/8 || 172.16.0.0/12 || 192.168.0.0/16 ) && (DST iface = WAN) drop

So, in other words, if the destination interface is the WAN port, and the destination subnet is RFC1918 space, drop the packet. Unless the 192.168.100.0/24 subnet exists on the LAN side, and is therefore in the routing table as something more specific than 0.0.0.0, the packets are going to be routed to the default gateway (eg. your upstream), and match the above rule and be dropped. If the subnet did exist on the LAN, then a route would exist, it would never match the default gateway and never end up going out the WAN to the cable modem.

Even something old but venerable like the WRT54G has this feature, and enabled by default.

Now, before your router has a public IP on its WAN interface, it is often possible to hit the 192.168.100.1 page from the LAN side - that's because in the interim while a public IP is being acquired, the WAN iface is given something in the 100.x subnet by the cable modem DHCP, and will have 100.1 as a gateway. But once it gets the lease for the actual public IP and real gateway, all of that gets dropped, and you're back to the situation described above

YMMV, but I've never been able to hit my cable modem status page with a default router config, on Comcast, in the decade+ I've had service with numerous routers from cheap throwaway no-names to WISP grade stuff like mikrotik and ubiquiti.

Re:No, it will

[radarskiy]

No, the IP of the internal interface of the cable modem will not show up in a tracert that originates internally. The IP of the external interface will.

Re:No, it will

[BronsCon]

If we're talking about a consumer router (and we are), be aware that the "do not route private IP space" or similar option on most consumer routers only blocks unestablished inbound connections from the WAN port to "non-routable" addresses. If the connection is established (e.g. the user attempts to connect to 192.168.100.1), it will work.

It's worked that with every consumer router I've ever owned that had such an option for the past 15 years, everything ranging from Belkin to Netgear to Asus to D-Link, with stock firmware, DD-WRT, and Tomato. It's working that way for me right now.

That's all the thought I need to give it. In fact, it's more thought that strictly necessary, simply for having to explain it to you.

Re:No, it will

[KGIII]

Then they should be the second hop, yes? Unless, as I mentioned, they're one of the ones that puts their configuration page on a separate IP address (I think I called it port by mistake - I was in a rush but it should be reasonably clear). Most of them (and I've used a number) will be the first or, if you have a router in front of it, will give the second when you look? I'm pretty sure that I've seen this countless times. I could have bumped my head but I'm kind of checking the same thing right now and it's giving me the IP address for the modem (which is not a modem/router combination) as the second hop. In front of it I have a router/firewall. The second address is, currently, 10.0.0.* on this configuration that I send this with.

Re:No, it will

[qubezz]

My SB6140 modem's web interface has two HTML form buttons: either a "reset" which wipes the DOCSYS training info (which can take 5-30 minutes to relearn to re-establish a good connection), or a "reboot". Hitting the first and then the second is maximum denial-of-service. Cable modems have no user password to and no way to set a password (while happily providing root to your ISP), likely all have similar unpassworded reboot buttons.

The cable modem web server does not need to be accessible, there is nothing useful there except signal strength info.

Even if you have a DMZ for WiFi, other users or their malware can probably get to this page and cause annoyance. I just added a rule to my pfSense firewall (goes between the cable modem and the LAN) to drop all LAN traffic destined to 192.168.100.1 and it works.

tell me something I don't know

Uh yeah. I used to denial-of-service myself with UDP floods on an old wi-fi router. The stupid thing crashed during connection tracking for NAT or something. No firmware updates available. Still have it, don't use it anymore. It's just a dumb brick.

If you want something that you can fix yourself, you build your own router from scratch. I could, but I don't want to, because I'm cheap and I'm lazy and I don't fucking care.

This can't be news...

[WaffleMonster]

Had assumed since ancient 5121 some 10 years ago this was possible. Even firewalled the modem from LAN as TFA suggests to prevent any kind of scripted data collection or reboot shenanigans.

There is no login on the surfboard interface, no accounts, no credentials. There are big juicy buttons to reboot and set factory defaults. Comcast's own portal had the browser follow reboot link thru web interface and anyone who wanted could do the same. I could be wrong and it could have been backend SNMP.. Never actually tried it but always assumed it worked that way.

If Arris pushes a fix I hope they also send X-Frame-Options or someone will just create a clickjack version of the same problem.

Reminds me of an ancient rumor for disconnecting modems by sending modem escape sequence in ICMP ping request and waiting for your victim to disconnect themselves by echoing it back.

Re:This can't be news...

[afidel]

Reminds me of an ancient rumor for disconnecting modems by sending modem escape sequence in ICMP ping request and waiting for your victim to disconnect themselves by echoing it back.

Uh, that wouldn't work, the PPP interface and the COM\TTY interface are completely separate entities.

Re:This can't be news...

[psergiu]

Actually, it worked.

You just need to send a ping packet with "[CR][LF]+++ATH0[CR][LF]" as the payload and the poor modem users get disconnected unless they used "ATS2=127" in their init string and/or have disabled ICMP replies.

Re:This can't be news...

[Cramer]

Or their modem wasn't a PoS that had no guard time between the +'s to stop this very thing.

Bigger news

[rsilvergun]

when the *bleep* did Motorola change their name and/or get bought out? And what the heck kinda name is Arris anyway? If Motorola was good enough for the Megadrive and Amiga's 68k it was good enough for me.

Re:Bigger news

[pepsikid]

I think they just sold off their cablemodem division. They continued under another brand name.

Re:Bigger news

Motorola used to have two divisions:

Motorola Solutions (RockStar, SurfBoard), and other equipment.

Motorola Mobile (or known as Motorola Problems) which was their phone line.

Motorola Mobile is now part of Lenovo. First thing that happened after that sale was that the Fort Worth phone plant was shuttered, and phones were made in China. And we all know how trustworthy Lenovo is (*cough* Superfish).

Motorola Solutions was bought up by Arris. Arris is the AutoDesk of the TV market now.

familiar

Wow this is right up there with the old IRC trick where you could knock off tons of dialup users by sending a ctcp command of ATH+++

Re: familiar

The plusses come first and there needs to be a pause, and the command is ATH0 to hangup. Amateurs. Sigh.

Re: familiar

Hayes patented the pause, so not all modem manufacturers required it in their modems.

https://en.m.wikipedia.org/wiki/Time_Independent_Escape_Sequence

boundary

[Thor+Ablestar]

As I understand it's a modem, not router. So you need either a router or a PPPoE in your computer. My policy is that

1) the boundary between the Internet and my internal network lies between the equipment I control and equipment I don't control. In other words, either I choose the equipment, flash there anything I want and set any password I want - or this equipment is yours, you must do everything to return it in working order. And if you don't - I either go to some other provider or write a complain to Roskomnadzor. It's exactly what happened with my friend and his Motorola DOCSIS modem. The ISP personnel had seizures seeing his number on their phone. They reflashed the modem many times. But he still called them every time the problem occurred. They agreed to pay him to move to any other provider but he refused.

2) Either my router has an ability to install alternative firmwares, or it's not my router. Period.

Fix

"Restricting access to the Surfboard's web interface by using proxy filtering rules, router access control lists or firewall rules will mitigate this vulnerability. To effectively block access, the rules must prevent users on the LAN side of the cable modem from connecting to the web interface's IP address (usually 192.168.100.1)."

http://www.kb.cert.org/vuls/id/643049

Re:Fix

To effectively block access, the rules must prevent users on the LAN side of the cable modem from connecting to the web interface's IP address (usually 192.168.100.1)."

You don't need to ever reconfigure your modem anyway, right?

Re:Fix

When exactly do you need to do that?

Any situations you need to do that are likely very rare, so when you do, either bypass your router and directly connect to you modem, or reconfigure your router to allow the traffic through for just as long as you need it. It's a little less convenient, but then again, security generally is.

Any impact outside US?

[Idisagree]

I've never heard of this model/brand being used in consumer hardware available in Europe. Are these units mostly sold in the US?

Re:Any impact outside US?

[Thor+Ablestar]

It's never "available". It is supplied with the cable internet contract and is usable only where the distribution network for cable TV exists. In Russia there were lots of small cable TV providers so they had an infrastructure to use it as well as inability to use the telecom cabling since the telecom is a monopoly. In Europe it's quite possible that the cable TV and telecoms are the same structures and so it's preferable to use ADSL.

Re:Any impact outside US?

[Mashiki]

Are these units mostly sold in the US?

US, Canada, Europe. I can't speak for US or Euro ISP's but Rogers, Cogeco, and a couple of small ISP's(because of certification for Third Party Internet Acces-TPIA aka companies that buy last mile support) require this modem(or one of several others usually) for new customers. Last year for example on Rogers the SB6141 wasn't approved, this year it's approved. Though my SB6121 made ~4 years ago was approved, then unapproved 6mo later by Rogers.

many were sold retail; no provider access required

[dltaylor]

Target and Best Buy, at least (CompUSA, IIRC), sold them retail. I got mine at Target. There's no need for an ISP "fix", if Arris just doesn't use that as an excuse not to provide an update.

It gets updated like any other

[Sycraft-fu]

Who owns the equipment is just a matter of who replaces it if it breaks and maybe if you pay rental fees. From the operational point of view, it is all under the control of the cable company. When you hook up a modem you have to register it with your cable provider or it won't work. Due to the nature of DOCSIS, it isn't a "plug and go" situation they have to have it provisioned on their system. It has to be an approved model too, because they need to be able to send it a boot file which tells it various configuration options it needs. Also their equipment will ask the modem about its firmware, and update it if needed. Often when you first hook up a new modem your purchased it'll come up, get new firmware, and then reboot right away.

There's no difference to their equipment where a modem came from. All it cares about it what model it is. It then looks to see what bootfile and what firmware said modem ought to get.

Re:It gets updated like any other

[bigfinger76]

'Yes, the cableco will push firmware' would have been sufficient.

Re:It gets updated like any other

look at you! so edgy! ungrateful little fucking shit

'no!! more information than my brain can consume!!!'

go back to twitter

no - really, go back to twitter

Re:It gets updated like any other

[bigfinger76]

It was just way more information than was necessary. By owning a modem, a user would ostensibly know that they have to call the cable company to provision the device, what models are approved, and so on. The question I asked was simply if the cableco pushed out firmware. That's it, a simple 'yes or no' question.

I do appreciate the answer, albeit long-winded. You, however, can eat shit.

Re:It gets updated like any other

we got an internet tough guy! you so edgy!

twitter is that way /. is for those who can learn

Re:It gets updated like any other

[cwsumner]

'Yes, the cableco will push firmware' would have been sufficient.

Most of the people, here, like that kind of information. If you don't, then don't read it...

Toilet Paper Especailly In Glass House

My router on 192.168.0 routes to 192.168.100 just fine. This is normal. 10 is the same. You in that glass house, put down that hay and use toilet paper like the rest of the 1st world.

They are available worldwide

[Sycraft-fu]

Dunno if they are used much though. They support EuroDOCSIS so you can in theory use them everywhere (DOCSIS is for NTSC systems, EuroDOCSIS for PAL). IT is also possible that the same firmware is on units with a different model number or brand in other countries, sometimes a product will be rebadged in different markets.

It is kinda hard to say. A simple test is to go to 192.168.100.1. If that doesn't come up, then you have nothing to worry about since that's the IP the Arris modems use. If it does come up, then it depends on the specifics of the firmware. The older ones like the SB6141 have a reboot html page you could load, the newer ones do a button click and verification which makes this not work.

Re:many were sold retail; no provider access requi

[Todd+Knarr]

Yes, there is. DOCSIS doesn't permit user updates of the modem's firmware, because that would allow users to bypass limitations set by the cable provider based on what service they've purchased. Only the cable head-end can download firmware to the modem, so the ISPs have to add the fix to their firmware images and deploy them to the modems. Yeah, I know, but the network design treats the modem as a part of the cable network and not as an end-user device like a router would be. Just remind yourself that the cable network ends at the Ethernet jack on the back of the modem, not at the coax outlet on the wall.

Re:many were sold retail; no provider access requi

[dltaylor]

Sorry, but "no". I have already updated it once, back when an earlier vulnerability was found. As long as it's a manufacturer-supplied update, TWC doesn't care.

It's a cable modem dummies

Can't believe a tech site like ZDnet can't tell a cable modem from a router? But obviously if it requires a firmware upgrade to fix this issue, it would have to come form the ISP in a upgrade. Users will not be able to do anything.

[ brackets - brackets - close brackets ]

[wonkey_monkey]

[More than 135 million modems are said to be vulnerable to a flaw that can leave users cut-off from the internet -- just by someone clicking on a trick link.]

[ ( { What is this bizarre thing Slashdot has lately for chucking in brackets } for no good ) reason? ]

Re:[ brackets - brackets - close brackets ]

It's a thing that educated people do to mark where a quote has been modified, for example to provide necessary context information or to adapt the grammar to a surrounding sentence, always making sure that the meaning of the quote is not distorted, of course. In this case, note that the part with the brackets is quoted, as indicated by the introduction "schwit1 quotes a report from ZDNet" and the indentation. The first sentence however isn't in the quoted article. It was added to provide context information. That's why it was put in brackets. People keep complaining about Slashdot editors not doing their job right, but when they actually follow academic standards for editing, people don't even recognize it.

Re:Modem & Router

[msauve]

Hell, consumer routers barely qualify as routers. Even top of the line Netgear and Linksys ones don't support any routing protocols (RIP/OSPF/BGP).

"anyone on an affected network can be tricked"

Anyone?

Default gateway. Tested and works to this modem

[raymorris]

I use 10.0.2.0/24 as my physical LAN. Which means any OTHER network gets routed to the default gateway, which is the modem.

Most people use 192.168.1.0 on the LAN side. The cable modem isn't on that network either, it's on 192.168.100.1. So the bone-stock default is the same - the modem, on the WAN side, is a different network from the LAN side. What network you use on the LAN doesn't matter, unless you were to also use 192.168.100 on the LAN.

Re:Default gateway. Tested and works to this modem

[TCM]

No, the default gateway is your ISP. Otherwise, your modem would be a router.

Re:Default gateway. Tested and works to this modem

[BronsCon]

So, then, explain how I'm able to access the config interface of my Arris SB6141 at 192.168.100.1 from my laptop at 10.0.0.243? Simple, that is the modem's (hardcoded) address, it sees a packet destined for that address and acts accordingly. Incidentally, this is how (some) managed switches (e.g. those which provide LAN-based management in addition to - or instead of - console-based management) operate, as well. Or are those also routers now?

Re:Default gateway. Tested and works to this modem

[pepsikid]

The modem IS working as a limited router. The fact is, when your router sees packets meant for addresses it doesn't manage, it can send them to the WAN. I've seen this firsthand by having various Linksys routers chained together with each set up to manage a different 192.168.x.1 network. If you're connected farthest from the Internet gateway, you can reach devices on all of the LANs. If you're connected someplace else, you can reach anything on your own LAN and up through the WAN.

The difference with the modem is that it probably drops any packets that aren't headed for proper Internet-routable addresses OR 192.168.100.1
If the modem doesn't drop them, then the ISP certainly does.

Re:Default gateway. Tested and works to this modem

[TCM]

Then it's not just a modem. Do you have a separate router or just your "modem"?

If you have a router, then you're doing an unnecessary double-router setup. If you don't, then the whole point is moot. A modem is transparent to layer 3 and provides a common layer 2 among different layer 1s.

The (separate) router on the LAN side of the modem needs to be aware of the 192.168.100/24 on its WAN side or else it won't know how to reach it on layer 3, regardless of every traffic passing thourgh the modem on layer 2.

Re:Default gateway. Tested and works to this modem

[BronsCon]

SB6141 = modem only. Simple enough to google it or, you know, read the summary. And yes, I have a separate router; because the SB6141 is just a modem.

Re:Default gateway. Tested and works to this modem

[BronsCon]

Nevermind, I should have left it at "simple enough to google it"; after reading the summary again, it looks like it's been edited to be more incorrect, in accordance with Slashdot tradition. And, in case it's not simple enough for you: this should help.

It's both a Modem and Router...

For the dumbasses that keep complaining...
DHCP Server Enabled The SURFboard cable modem can be used as a gateway to the Internet by a maximum of 32 users on a Local Area Network (LAN). When the Cable Modem is disconnected from the Internet, users on the LAN can be dynamically assigned IP Addresses by the Cable Modem DHCP Server. These addresses are assigned from an address pool which begins with 192.168.100.11 and ends with 192.168.100.42. Statically assigned IP addresses for other devices on the LAN should be chosen from outside of this range

Re:It's both a Modem and Router...

[Cramer]

No. It. Is. Not.

If the network is down, then, AND ONLY THEN, will it's DHCP server answer queries. As the network isn't operational, you aren't going anywhere. When the network comes up, you still won't go anywhere with the 100-net addresses. The device is always a "gateway to the internet". That doesn't mean it's a router; a bridge is a gateway as well. (just at a different layer)

I regard this as a feature

Comcast has an annoying habit of assigning me channels with terrible packet loss. My solution was to write a cron job that fetches the "Signals" page ever minute, then examine the SNR and calculate the percent of "Uncorrectable Codewords". If any channel has SNR 2%, then it issues the reboot URL. Life has been sooo much better since I did this!

Re:I regard this as a feature

ARGH! Somehow my post got mangled. Here is the corrected version:

Comcast has an annoying habit of assigning me channels with terrible packet loss. My solution was to write a cron job that fetches the "Signals" page every minute, then examine the SNR and calculate the percent of "Uncorrectable Codewords". If any channel has SNR 2%, then it issues the reboot URL. Life has been sooo much better since I did this!

Re:I regard this as a feature

What did you change?

Re:I regard this as a feature

s/ever/every/, AFAICT

How to mitigate this if you use OpenWRT

If you run OpenWRT on your router, follow these steps to block access to the modem from the LAN/WiFi:

1. In LuCI web interface, go to Network\Firewall.
2. Go to Traffic Rules.
3. Add a new Forward Rule. Name it BlockModem. Source zone is lan and destination zone is wan.
4. On the new rule, set these settings:
4a. Restrict to address family to IPv4 only.
4b. Source zone to Any zone. (Especially important if you also have a guest zone like me.)
4c. Destination address to 192.168.100.1. (Address of cable modem).
4d. Action to reject.
4e. Click Save & Apply.
5. You will have to temporarily disable this rule when you need to check cable modem status in the future. During that time, you'll be vulnerable to the above security flaw.

If the modem has an IPv6 address that also needs blocking, please let me know. :)

Re:How to mitigate this if you use OpenWRT

Thank you for this solution, it seems like it should do it, and it's not limited to just OpenWRT routers.

Re:Modem & Router

[KGIII]

Hmm... Does a cable modem actually modulate and demodulate the signal or does it just route the signal at the end?

Re:Modem & Router

[msauve]

CMs don't route anything. They're more like Ethernet to DOCSIS bridges. They use IP for configuration/management, but you could theoretically use non-IP protocols through them (Good luck finding a service provider who would do anything with an IPX or AppleTalk packet)

Re:Modem & Router

Look what we have here, another know-it-all dumb fuck.

It doesn't have to support routing protocols to be a defined as a router; all it needs to do is forward between networks.

Re:Modem & Router

[bigfinger76]

He said 'barely qualify', which means that they do, in fact, qualify as routers.

Re:Modem & Router

Static routing is still routing. The difference between a switch or hub and a router is the network layer on which they operate. Switches handle frames on layer 2, the data link layer. Routers handle packets on layer 3, the network layer. Consumer routers are routers, and more.

Over decade old vuln

not new but known for over a decade

Don't need to trick user to click anything either. An img tag works just fine.

Older models ?

[Archfeld]

What about really ancient older models like my parents have from Time Warner Cable, a model SB5101 circa 2001 ? TWC is absolutely awful, not only won't they upgrade the modem, they are the only game in town, and they can't seem to configure a DNS to save their own lives. Their DNS server are on the same subnet on sequential IP's, so that in the event of any disruption, both DNS servers fail together. Sadly the number of interruptions is staggeringly high, and only my addition of an OpenDNS server makes their connection function in a great number of instances.

Re:Older models ?

[vandamme]

Dude, are they paying a rental fee for that modem? If so go to eBay and get another used one for ten bucks like I did, and ask TWC where to return theirs. They have no problem with that, because your folks are the last people to still be renting.

I hope they're not still renting a land line phone too.

Re:many were sold retail; no provider access requi

[Todd+Knarr]

That's strange, because the manufacturer says there are no firmware updates available for the SB6141 (or any of their other cable modems). It's possible to update the firmware of the router portion of their combined products, but that update doesn't touch the cable modem portion. Plus seeing as how the very first thing the cable modem will do after it establishes a connection to the head-end is check it's firmware image against the head-end and download and overwrite if they don't match...

Re:many were sold retail; no provider access requi

[Cramer]

DOCSIS 1.0 security specifications REQUIRE firmware downloads through the HFC interface ONLY. Users CANNOT update DOCSIS compliant modems. In fact, END USERS have no access to vendor images in the first place. (If you happen to have your own CMTS, and thus "cable network", then yes, you can load practically anything you want -- i.e. anything the existing firmware will accept.)

Yes, you can hack your modem... open it, attach a JTAG header, and screw with the system. That is not what we're talking about.

Re:many were sold retail; no provider access requi

[Cramer]

1.0.6.16 apparently has a "fix" -- they removed the buttons. If all they did was remove the clickable buttons but left the actual "reset.htm" pages in there, then it isn't fixed. As there are legitimate reasons to use those buttons (and no physical reset button), removing them is a Bad Idea(tm).