Slashdot Mirror


Over 135 Million Routers Vulnerable To Denial-of-service Flaw (zdnet.com)

schwit1 quotes a report from ZDNet: [More than 135 million modems are said to be vulnerable to a flaw that can leave users cut-off from the internet -- just by someone clicking on a trick link.] The problem lies with how a widely-used router, the Arris SurfBoard SB6141, handles authentication and cross-site requests. Arris (formerly Motorola) said that it has sold more than 135 million of the SurfBoard SB6141 routers. That means the millions of Comcast, Time Warner Cable, or Charter customers who are shipped one of these routers when they subscribe are vulnerable. The flaw is so easy to exploit that anyone on an affected network can be tricked into clicking on a specially crafted web page or email. Security researcher David Longenecker, who found the flaws and posted the write-up on the Full Disclosure list earlier this week, released the "exploit" link after Arris stopped responding to emails he sent as part of the responsible disclosure process. There's no practical fix for the flaw, according to Longenecker. "The simplest solution would be a firmware update such that the web [user interface] requires a username and password before allowing disruptive actions such as rebooting or resetting the modem, and that validates that a request originated from the application and not from an external source," he said. But even if Arris released a fix, he said that the cable modems are not upgradable by their owners, meaning the internet provider would have to roll out the fix.
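The firmware-side fix Longenecker describes in the summary above (a login before disruptive actions, plus a check that the request came from the UI itself), sketched as an added example; it is not code from Arris, ZDNet or the original post. The action names, the in-memory session and credential stores and the function names are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_ORIGIN = "http://192.168.100.1"    # modem UI address named on this page
DISRUPTIVE = {"reboot", "factory_reset"}  # hypothetical action names
SESSIONS = {}  # session id -> per-session CSRF token (in-memory, illustrative)


def login(username, password, credentials):
    """Return (session_id, csrf_token) on a valid login, else None.

    `credentials` is a constructed name -> password map; real firmware
    would compare against a stored password hash instead.
    """
    expected = credentials.get(username)
    if expected is None or not hmac.compare_digest(
            expected.encode(), password.encode()):
        return None
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS[sid] = token
    return sid, token


def _origin_of(headers):
    """Origin header if present, else the origin part of Referer, else None."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value:
        return None
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}"


def check_request(method, action, headers, session_id=None, csrf_token=None):
    """Return (allowed, reason) for one request to the management UI."""
    if action not in DISRUPTIVE:
        return True, "read-only"
    if method != "POST":
        # A link or embedded image can only issue a GET, so refuse those.
        return False, "state change must be POST"
    token = SESSIONS.get(session_id)
    if token is None:
        return False, "not authenticated"
    if _origin_of(headers) != DEVICE_ORIGIN:
        return False, "cross-site origin"
    if csrf_token is None or not hmac.compare_digest(token, csrf_token):
        return False, "bad CSRF token"
    return True, "ok"
```
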

14 of 115 comments

  1. Modem ≠ Router by nuckfuts · · Score: 4, Informative

    It's a cable modem.

    1. Re:Modem ≠ Router by WarJolt · · Score: 2

      RTFA. The title is misleading. The vulnerability resets your MODEM and possibly causes reprovisioning due to a factory reset. Some ISPs don't do this automatically for some reason.

    2. Re: Modem ≠ Router by ArmoredDragon · · Score: 3, Informative

      No it doesn't, when Motorola sold combined modem/gateway units, they were always under the SBG nomenclature, and standalone modems were always just SB. This is the SB6141, which means it's just a modem.

  2. This is all kinds of inaccurate by Sycraft-fu · · Score: 4, Informative

    First off this thing is a modem, not a router. It just handles converting DOCSIS to ethernet, no built in routing capabilities or anything. They do make devices that are all-in-ones, but this one isn't.

    Second, that "135 million" number is a marketing number. It is how many SurfBoard modems, and combo units total Arris claims they've sold, including when it was a Motorola brand. My SB6190, which has been on sale for all of like 5 months, has that same number stamped on it.

    Third, many people are automatically protected by their routers since many routers ship with "disable private networks on WAN interface" turned on by default. That is, of course, a practical solution to the problem on any network. You can filter private networks (or just 192.168.100.1) on your WAN port, to which your modem is attached and then there's no issue.

    Finally, while you could be mildly annoying with it, causing the modem to reboot, that's all you could do. It also wouldn't stick in a loop or anything like that as it requires you to click the link to make this happen.

    So not a brilliant situation, but not really a big problem either. Also despite the scare words of "ISPs would have to roll out the fix" that is precisely what can, and likely will, happen. Your cable modem is under the control of your ISP and they can push new firmware to it when they need to. So fixes don't have to go out to lots of individuals, they just have to get them to the ISPs and then it can be automatically sent to all users. Updating modem firmware is something they do anyhow.

    This is a rather click-baity Slashdot piece :P

    1. Re:This is all kinds of inaccurate by idontusenumbers · · Score: 2

      Disabling access to the modem from outside won't protect you from this exploit. If you stumble upon a website or email that contains any resources (including images) that reference a specific path on your modem, the modem reboots (as far as I understand the exploit).

  3. Secret haxxor exploit link HERE: by pepsikid · · Score: 2

    http://192.168.100.1/Reboot.ht...

    I have it bookmarked so I can freshen up the channels before I do a speedtest.
    Pepper your blogs with this. People clicking it will lose their Internets for 45 seconds.

  4. No, it will by Sycraft-fu · · Score: 2, Interesting

    The way it works is by getting your browser to go to the reboot page. However, if your browser can't, then it won't work. Since blocking the IP on your router will do that, you'll be safe. There is no public access to this interface, you have to get a computer on the local network to access it.

    1. Re:No, it will by BronsCon · · Score: 2, Insightful

      Your browser is, ostensibly, running on a computer local to your network; you might want to think through this once more.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re:No, it will by Sycraft-fu · · Score: 2

      Go look at your setup: It goes computer -> router -> modem -> ISP. Your computer(s) are on the LAN side wired or wireless. Your modem is on the WAN side. That's the only way your router can route assuming a standard consumer grade router.

      So any traffic to anything on the WAN side, which includes your modem, passes through the router. The router can then, of course, block any of that it likes. Many routers by default block private IP spaces as specified by RFC 1918 on the WAN port since under normal circumstances you wouldn't see them on there, only on the LAN side.

      I am seriously not sure why this is something that is seemingly so hard to understand on a geek oriented website.

    3. Re:No, it will by rsmith-mac · · Score: 2

      I am seriously not sure why this is something that is seemingly so hard to understand on a geek oriented website.

      Because there appears to be a misunderstanding of what "blocking private IP spaces" means.

      No router is blocking 192.168.100.1 by default. This is the standard IP address for the web user interface for cable modems and needs to be accessible from the LAN for modem monitoring and control purposes. On most routers I've never even seen an option to block this address to begin with.

  5. It gets updated like any other by Sycraft-fu · · Score: 2

    Who owns the equipment is just a matter of who replaces it if it breaks and maybe if you pay rental fees. From the operational point of view, it is all under the control of the cable company. When you hook up a modem you have to register it with your cable provider or it won't work. Due to the nature of DOCSIS, it isn't a "plug and go" situation; they have to have it provisioned on their system. It has to be an approved model too, because they need to be able to send it a boot file which tells it various configuration options it needs. Also their equipment will ask the modem about its firmware, and update it if needed. Often when you first hook up a new modem you purchased, it'll come up, get new firmware, and then reboot right away.

    There's no difference to their equipment where a modem came from. All it cares about is what model it is. It then looks to see what bootfile and what firmware said modem ought to get.

  6. Re:many were sold retail; no provider access requi by Todd+Knarr · · Score: 2

    Yes, there is. DOCSIS doesn't permit user updates of the modem's firmware, because that would allow users to bypass limitations set by the cable provider based on what service they've purchased. Only the cable head-end can download firmware to the modem, so the ISPs have to add the fix to their firmware images and deploy them to the modems. Yeah, I know, but the network design treats the modem as a part of the cable network and not as an end-user device like a router would be. Just remind yourself that the cable network ends at the Ethernet jack on the back of the modem, not at the coax outlet on the wall.

  7. Re:Modem & Router by msauve · · Score: 2

    Hell, consumer routers barely qualify as routers. Even top of the line Netgear and Linksys ones don't support any routing protocols (RIP/OSPF/BGP).

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  8. Re:Modem & Router by msauve · · Score: 2

    CMs don't route anything. They're more like Ethernet to DOCSIS bridges. They use IP for configuration/management, but you could theoretically use non-IP protocols through them (Good luck finding a service provider who would do anything with an IPX or AppleTalk packet)

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law