Over 135 Million Routers Vulnerable To Denial-of-service Flaw

schwit1 quotes a report from ZDNet: [More than 135 million modems are said to be vulnerable to a flaw that can leave users cut-off from the internet -- just by someone clicking on a trick link.] The problem lies with how a widely-used router, the ArrisSurfBoard SB6141, handles authentication and cross-site requests. Arris (formerly Motorola) said that it has sold more than 135 million of the SurfBoard SB6141 routers. That means the millions of Comcast, Time Warner Cable, or Charter customers who are shipped one of these routers when they subscribe are vulnerable. The flaw is so easy to exploit that anyone on an affected network can be tricked into clicking on a specially crafted web page or email. Security researcher David Longenecker, who found the flaws and posted the write-up on the Full Disclosure list earlier this week, released the "exploit" link after Arris stopped responding to emails he sent as part of the responsible disclosure process. There's no practical fix for the flaw, according to Longenecker. "The simplest solution would be a firmware update such that the web [user interface] requires a username and password before allowing disruptive actions such as rebooting or resetting the modem, and that validates that a request originated from the application and not from an external source," he said. But even if Arris released a fix, he said that the cable modems are not upgradable by their owners, meaning the internet provider would have to roll out the fix.

Modem â Router

[nuckfuts]

It's a cable modem.

Re: Modem â Router

[ArmoredDragon]

No it doesn't, when Motorola sold combined modem/gateway units, they were always under the SBG nomenclature, and standalone modems were always just SB. This is the SB6141, which means it's just a modem.

This is all kinds of inaccurate

[Sycraft-fu]

First off this thing is a modem, not a router. It just handles converting DOCSIS to ethernet, no built in routing capabilities or anything. They do make devices that are all-in-ones, but this one isn't.

Second, that "135 million" number is a marketing number. It is how many SurfBoard modems, and combo units total Arris claims they've sold, including when it was a Motorola brand. My SB6190, which has been on sale for all of like 5 months, has that same number stamped on it.

Third, many people are automatically protected by their routers since many routers ship with "disable private networks on WAN interface" turned on by default. That is, of course, a practical solution to the problem on any network. You can filter private networks (or just 192.168.100.1) on your WAN port, to which your modem is attached and then there's no issue.

Finally, while you could be mildly annoying with it, causing the modem to reboot, that's all you could do. It also wouldn't stick in a loop or anything like that as it requires you to click the link to make this happen.

So not a brilliant situation, but not really a big problem either. Also despite the scare words of "IPSs would have to roll out the fix" that is precisely what can, and likely will, happen. Your cable modem is under the control of your ISP and they can push new firmware to it when they need to. So fixes don't have to go out to lots of individuals, they just have to get them to the ISPs and then it can be automatically sent to all users. Updating modem firmware is something they do anyhow.

This is rather click-batey Slashdot piece :P