Slashdot Mirror


Intel-Powered Broadband Modems Highly Vulnerable To DoS Attack (dslreports.com)

"It's being reported by users from the DSLReports forum that the Puma 6 Intel cable modem variants are highly susceptible to a very low-bandwidth denial-of-service attack," writes Slashdot reader Idisagree. The Register reports: Effectively, if there's someone you don't like, and they are one of thousands upon thousands of people using a Puma 6-powered home gateway, and you know their public IP address, you can kick them off the internet, we're told... According to one engineer...the flaw would be "trivial" to exploit in the wild, and would effectively render a targeted box useless for the duration of the attack... "It can be exploited remotely, and there is no way to mitigate the issue."

This is particularly frustrating for Puma 6 modem owners because the boxes are pitched as gigabit broadband gateways: the devices can be potentially choked and knocked out simply by receiving traffic that's a fraction of the bandwidth their owners are paying for... The Puma 6 chipset is used in a number of ISP-branded cable modems, including some Xfinity boxes supplied by Comcast in the US and the latest Virgin Media hubs in the UK.

The original submission also notes there's already a class action lawsuit over the performance of cable modems with Intel's Puma 6 chipset, and adds "It would appear the Atom chip was never going to live up to the task it was designed for."

59 comments

  1. Suing over other people's criminal actions? by Excelcia · · Score: 0

    A class action lawsuit that is suing the developer for making a device that is vulnerable to the criminal actions of a third party? Does that mean we can get a class action lawsuit going for all bicycle manufacturers over the number of their bikes that are stolen? How about door manufacturers for all the people that break into houses?

    Good luck with that.

    1. Re:Suing over other people's criminal actions? by fibonacci8 · · Score: 1

      Since your analogy has nothing to do with the linked class action lawsuit I'm guessing you didn't read the article. It pertains to latency issues under typical use that prevent normal function. Third party criminal actions aren't relevant.

      --
      Inheritance is the sincerest form of nepotism.
    2. Re:Suing over other people's criminal actions? by Letophoro · · Score: 1

      The class action lawsuit is not because the chipset is easily subject to DoS attacks. The lawsuit is because the chipset is unsuitable for the purpose for which it was sold and marketed. Any modem based on the chipset may suffer latency of 200ms or more and lose roughly 6% of all the data that is supposed to pass through it.

      The fact that the chipset is subject to a DoS attack that uses a (relatively) trivial amount of bandwidth is just another reason to avoid modems that use it.

    3. Re:Suing over other people's criminal actions? by sjames · · Score: 2

      Why not? It's supposed to be reasonably secure against such actions. Would you also consider it unreasonable to sue the makers of a "high security lock" that would unlock if you jiggled the door knob?

    4. Re:Suing over other people's criminal actions? by bill_mcgonigle · · Score: 2

      Would you also consider it unreasonable to sue the makers of a "high security lock" that would unlock if you jiggled the door knob?

      It works the other way around. There's a guy with a YouTube channel about lock picking who says the Big Name in "secure" padlocks has sued him over some of his videos showing how easy they are to defeat.

      Courts are empirically rigged in favor of the corporate interests, against the People, so this isn't terribly surprising.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Suing over other people's criminal actions? by sjames · · Score: 1

      That's a great example of why I think a judge should review any lawsuit before the defendant is even bothered with it. It should be shot down immediately.

    6. Re: Suing over other people's criminal actions? by Anonymous Coward · · Score: 0

      Oh nice, the ability to go to court would get to rest in the hands of one person.

      That's probably going to fix it and not screw anything up at all.

      Yup.

    7. Re: Suing over other people's criminal actions? by sjames · · Score: 1

      Yes. The thing is, the judge would be charged only with voiding lawsuits that could not win on their face. That is, if everything the plaintiff says is assumed to be true, would it win anything? If the answer is no, the suit goes away. That prevents crap like when someone claimed to be God and that David Copperfield was usurping his divine powers in performance of his tricks. The courts have no jurisdiction over divinity, so the suit goes away. Joe Blow wore a red shirt, so I want $1999! Wearing a red shirt is not a tort, so suit goes away.

      OTOH, badco dumped rat poison in the river and my family got sick? Well, it may or may not be true but if shown in court it would result in damages awarded, so it may proceed.

  2. Atom chip? by thegarbz · · Score: 1

    Given that my Atom server has no problem saturating both gigabit network ports at the same time somehow I doubt the problem is the performance of the Atom chip referenced as being beefed up in the summary and more due to a crappy implementation of Puma 6 itself.

    1. Re:Atom chip? by Anonymous Coward · · Score: 4, Informative

      It's not the Atom cores, it's the bolted on NAT accelerator with 2048 max entries + 30s timeout for UDP "connections" + firmware too stupid to fall back to software NAT when the hardware table is full.

    2. Re:Atom chip? by CODiNE · · Score: 4, Interesting

      So you just spoof 2048 UDP packets every 30s and they can't send a single packet? That IS trivial.

      --
      Cwm, fjord-bank glyphs vext quiz
    3. Re:Atom chip? by arglebargle_xiv · · Score: 4, Funny

      Intel has acknowledged the bug, caused by missing entries in the lookup table used by the NAT circuitry, but claims that the typical user would only experience it once every 27,000 years so they have no plans to fix it. However, the upcoming Puma 6.9999999975 chipset will contain a fix.

    4. Re: Atom chip? by Anonymous Coward · · Score: 0

      Or you get your own router, put the cable modem in bridge mode, and the modem no longer has a public IP and isn't NATing anything.

      Which you should have been doing to start with.

    5. Re:Atom chip? by rsmith-mac · · Score: 1

      Why does a cable modem need a NAT accelerator? It shouldn't be doing NAT to begin with, right? That's the router's job...

    6. Re:Atom chip? by Anonymous Coward · · Score: 0

      It's a combined modem/router. Don't be obtuse.

    7. Re:Atom chip? by Gaygirlie · · Score: 2

      I have access to a Puma6-based device and sure, the dual-core Atom is fast enough to do a lot of stuff, but the single ARM-core is excruciatingly slow. And guess what? All the cable-management stuff is relegated to the ARM-core, the web-UI runs on the ARM-core, nearly everything runs on it and the x86-cores, in the meantime, just sit idle -- they are only used for NAS-functionality, streaming DVB-C content and Google Music. It's ridiculous how stupid the whole thing is. The box is also ridiculously easy to cause to crash, it's really easy to break into, even without physical access to the device in the first place and so on.

    8. Re:Atom chip? by Anonymous Coward · · Score: 0

      It's a combined modem/router/metasploit target for botnets foreign and domestic. Don't be obtuse.

    9. Re: Atom chip? by Anonymous Coward · · Score: 0

      This. Fuck all in one modems. Waste of time and energy. Separate the functions and he don't with it.

    10. Re: Atom chip? by Anonymous Coward · · Score: 0

      Be done with it*

      I seriously hate typing on phones. The shit sucks bad man.

    11. Re:Atom chip? by thegarbz · · Score: 1

      Yeah my point exactly. The Atom itself as a CPU is just fine, and that link back to a previous post talking about newer versions of Atoms is completely unrelated to whatever it is they botched in this implementation.

    12. Re:Atom chip? by thegarbz · · Score: 1

      Yeah exactly what I was saying. But the last line in the summary makes it seem like the newer Atoms aren't up to the task. That's just plain incorrect.

    13. Re: Atom chip? by Anonymous Coward · · Score: 0

      "...put the cable modem in bridge mode."

      I cannot do that to the SB6190.

      "...the modem no longer has a public IP and isn't NATing anything."

      The SB6190 offers no such mode. Which Puma-6-based modem devices offer such a mode? Are any such bridge devices compliant with DOCSIS 3.0?

    14. Re: Atom chip? by Anonymous Coward · · Score: 0

      ^^ me
      I just checked "DOCSIS 3.0 MAC and Upper Layer Protocols Interface Specification." Section 5.2.4 states that "DOCSIS requires use of the following Higher Layer Protocols for operation and management of the CM and CMTS: SNMP ... TFTP ... DHCP." (p. 60)

      https://apps.cablelabs.com/specification/CM-SP-MULPIv3.0

      SNMP runs on IP. This will not work in the networks of your imagination in which "the modem no longer has a public IP."

      If you end up needing to buy a DOCSIS 3.0 cable modem, do not buy one with a Puma 6 thinking you can make it a simple layer 2 bridge. While their main role is that of a layer 2 bridge, the implementation of that role is non-trivial.

    15. Re:Atom chip? by Anonymous Coward · · Score: 0

      Funny thing is, bridging it to null the routing side won't stop the low bandwidth DoS outlined in TFA. Obviously there's more to this problem than routing buffers.

  3. PPPoE Passthrough? by Anonymous Coward · · Score: 0

    Does PPPoE bridge mode work as a workaround to this problem? or does the modem still play up?

  4. The new generation of American telecom products by Anonymous Coward · · Score: 0

    not only insecure and backdoored by default, they're also very easy to knock out. Yet one more reason to stick to European and Asian products in this segment.

  5. Performance by Anonymous Coward · · Score: 0

    the devices can be potentially choked and knocked out simply by receiving traffic that's a fraction of the bandwidth

    Fraction is an understatement. More like a fraction of a percent. The device is pretty much useless after 3Mbps.

    1. Re:Performance by Anonymous Coward · · Score: 0

      Others claiming as low as 1.5Mbps for 50% loss.

    2. Re:Performance by Khyber · · Score: 1

      It's not the bandwidth, it's the packets per second.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    3. Re:Performance by Anonymous Coward · · Score: 0

      If you're going to correct me for simplifying, you'd better be correct yourself. It's not the PPS, but the new states per second.

    4. Re:Performance by Anonymous Coward · · Score: 0

      Lucky for us that the last state was added in 1959!

    5. Re:Performance by Khyber · · Score: 1

      The SPS is tied directly to the PPS, thus the PPS is at fault. If you bothered looking at the dozens of test screencaps in the thread, you'd know this.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    6. Re:Performance by Anonymous Coward · · Score: 0

      Not if it's a packet for the same state.

    7. Re:Performance by Khyber · · Score: 1

      Yes, again, if that packet for the same state is not received within a certain timeframe, that entry in the table gets locked up and doesn't clear.

      That implies directly packets per second.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    8. Re: Performance by Anonymous Coward · · Score: 0

      So the bug only affects you if you are American?

  6. A modem is NOT a router! by fnj · · Score: 1

    I take it this stupid article refers to NAT routers, and not cable modems at all.

    Anyone with the slightest bit of savvy runs a straight cable modem connected to a completely separate router. And, having suffered with various commodity routers such as Netgear, they all suck donkey balls. Do what I did. Break down and get a real Sonicwall TZ-170 (used/surplus of course).

    1. Re:A modem is NOT a router! by Hachima · · Score: 2

      Actually this is a pure cable modem issue. http://www.dslreports.com/tool... is a test that can be used to see if your modem is affected. https://www.dslreports.com/tes... lists some of the affected modems. The ARRIS SB6190 is one of the more popular modems on the list that is affected.

    2. Re:A modem is NOT a router! by Anonymous Coward · · Score: 0

      Correction: a modem is not necessarily a router. My modem, however, is a router, as are most other modems I've encountered. Modulation/demodulation, network routing and network address translation are 3 different functions that are very often performed by the exact same device, making the terms virtually interchangeable in most circumstances.

    3. Re:A modem is NOT a router! by Anonymous Coward · · Score: 0

      Why isn't there a -1 Incorrect moderation? You are 100% objectively wrong in your assumption.

    4. Re: A modem is NOT a router! by Anonymous Coward · · Score: 0

      No. A cable modem is just a modem. The box your ISP gave you probably also contains a router with a NAT firewall, wifi access point, and a switch.

      If you put the modem into bridge mode, it disables everything other than the switch.

    5. Re: A modem is NOT a router! by Anonymous Coward · · Score: 0

      No. It's a problem with how the NAT firewall handles large numbers of UDP connections.

      Place modem into bridge mode. Use your own router. Problem solved.

    6. Re:A modem is NOT a router! by aaarrrgggh · · Score: 1

      Everything I am reading suggests it is the router functionality that has issues:
      "The problem appears to be that the x86 CPU in the modem is taking on too much work while processing network packet"

      I have a Puma6 device (Linksys CM6190) in bridge mode with a Ubiquiti router/firewall and the test site doesn't trigger any issues with increasing latency. I think most ISPs use a management VLAN on the modem as well, but it doesn't seem like that would trigger issues on the customer side.

    7. Re: A modem is NOT a router! by Anonymous Coward · · Score: 0

      How do you put a SB6190 into bridge mode since it's only a modem but has this issue?

    8. Re:A modem is NOT a router! by Khyber · · Score: 1

      It's not the router, it's the shitty hardware accelerator that can't fail back to software mode when the hardware locks up due to shitty tables.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    9. Re:A modem is NOT a router! by Gaygirlie · · Score: 1

      I take it this stupid article refers to NAT routers, and not cable modems at all.

      These devices are actually both routers and cable-modems.

    10. Re: A modem is NOT a router! by Brockmire · · Score: 1

      How does it have this issue if it doesn't do Nat in modem only bridge mode? Does not compute.

    11. Re: A modem is NOT a router! by Anonymous Coward · · Score: 0

      The latest theory I heard was that the Intel chip is running a virtual router to do packet processing on the CPU instead of offloading it to a hardware based system. There is a backend CPU process that runs every few seconds that takes up a lot of CPU and results in packet processing delays. So even under normal conditions these systems see latency spikes every few seconds. The UDP spam overloads the CPU which prevents the virtual machine from doing its job. https://www.dslreports.com/for... has a very long writeup with a lot of details.

    12. Re:A modem is NOT a router! by aaarrrgggh · · Score: 1

      Again, everything I am reading and my own experience suggest otherwise:
      "Running the same test in Bridge mode thru an RT-AC68U, all of the cached results are 100% Reliable, so, no packet loss, which is a definite improvement. Only one uncached result had a low score, at 97.9 %, so thats not too bad." [http://www.dslreports.com/forum/r31135629-Modem-Router-Rogers-CODA-4582-modem-now-available-Puma-7-Chipset]

      What tables are used, or packet processing is done in bridge mode?

    13. Re:A modem is NOT a router! by Khyber · · Score: 1

      "Puma-7"

      Considering we're talking about Puma-6 here, not a fucking Puma-7...

      You're obviously not reading the right fucking thing.

      Here's a REAL LINK for you - https://www.dslreports.com/for...

      The one you should've fucking clicked on in the goddamned summary.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    14. Re:A modem is NOT a router! by Khyber · · Score: 1

      "What tables are used, or packet processing is done in bridge mode"

      When a bridge receives an IP packet, the gateway processes the packet as follows:

      The destination MAC address is looked up in the bridge's forwarding table.
      If the destination MAC address is found in the forwarding table, the packet is forwarded to the corresponding port.
      If the destination MAC address is not found in the forwarding table, the destination IP address is searched for in all the defined bridge IP address ranges.
      If the destination IP address is found in the bridge IP address range of exactly one port, the IP address is transmitted to that port.
      If the IP address is found in the bridge IP address range of more than one port, the packet is dropped. The gateway then sends an ARP query to each of the relevant ports.
      If a host responds to the ARP request packet with an ARP reply, the forwarding table is updated with the correct association. Subsequent packets will be forwarded using the forwarding table.

      If a bridge receives a non-IP packet, and the bridge is configured to forward non-IP protocol Layer-2 traffic, the gateway processes the packet as follows:

      The destination MAC address is looked up in the bridge's forwarding table.
      If the destination MAC address is found in the forwarding table, the packet is forwarded to the corresponding port.
      If the destination MAC address is not found in the forwarding table, the packet is flooded to all the ports on the bridge.

      PROCESSING HAPPENS NO MATTER WHAT YOUR FUCKING MODE IS.

      Did you fail your basic N+ certification or what?

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  7. Well, an Atom Is a Small Thing by Anonymous Coward · · Score: 0

    so that is to be expected.

    Makes as much sense as the last sentence in the summary. The Atom (name was changed to protect the innocent) is plenty of pussy for a cable modem/router/Wi-Fi AP.

  8. Whew. by sims+2 · · Score: 3, Funny

    Got scared there for a second then I remembered we can't get gigabit here.

    --
    Minimum threshold fixed. Thanks!
    1. Re:Whew. by djc6 · · Score: 3, Informative

      Puma 6 chipset has been used in modems/gateways since 2012. Here is a partial list of potentially impacted products:

      Arris SB6190
      Arris TG1672G
      Arris TM1602
      Super Hub 3 (Arris TG2492LG) (commonly - virgin media)
      Hitron CGN3 / CDA / CGNV series modems:
      Hitron CDA-32372
      Hitron CDE-32372
      Hitron CDA3-35
      Hitron CGNV4
      Hitron CGNM-3552 (commonly - Rogers)
      Hitron CGN3 (eg CGN3-ACSMR) 2013 link
      Hitron CGNM-2250 (commonly - Shaw)
      Linksys CM3024
      Linksys CM3016
      TP-Link CR7000
      Netgear AC1750 C6300 AC1900
      Netgear CM700
      Telstra Gateway Max (Netgear AC1900 / C6300) (Australia) 2014 link.
      Cisco DPC3848V (eg High latency/ping to Shaw router? )
      Cisco DPC3941B / DPC3941T (commonly - Comcast Xfinity XB3)
      Cisco DPC3939
      Compal CH7465-LG / Arris TG2492LG (commonly - Virgin Media Hub 3)
      Samsung "Home Media Server"

  9. Potentially *MUCH* worse by ameline · · Score: 3, Informative

    There is apparently a packet spray pattern that causes the CableModem (CM) portion of the Puma 6 to reboot. (likely segfault) The CM on a puma 6 is run by an ARM Cpu (not the x86 atom), the problem is with broken hardware optimization -- specifically the overflow handling on a fairly small table (2032 entry) likely built of CAM (content addressable memory) intended to accelerate external/internal mappings. That table has entries inserted when any packet arrives with a new address. Spew enough packets from enough different addresses and the table overflows -- that overflow requires (slow) processing to handle.

    Disabling the accelerator caps bandwidth to ~60Mbps, and the DoS attack is mitigated.

    But the fact that there is a pattern of (external) packets that *crashes* the CM indicates a potential vulnerability in the CM firmware that would allow a complete takeover of the CM OS.

    That would be a global disaster.

    One proposed mitigation is to use software mapping for packets from external sources and only add mappings to that small table for packets from the LAN side (not the WAN). This would probably have minimal impact for most -- capping speeds to 60Mbps on connections until a packet originating from the LAN side of things has gone through the device.

    But a hostile (and clever enough) hacker may still be able to trick the device into crashing and exposing it to takeover if they can run software on both sides of the device (LAN and WAN) attacking it from both simultaneously.

    The Puma 6 is a bit of a debacle -- it may very well have to be recalled.

    --
    Ian Ameline
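
The table exhaustion and the LAN-only insertion mitigation described in the comment above, as an added Python model that is not part of the original thread and is not vendor firmware. The 2032-entry size comes from that comment and the 30 s idle timeout from another comment in this thread; the traffic rates and all class and function names are assumptions.

```python
from collections import OrderedDict

TABLE_SIZE = 2032      # entries, figure quoted in the comment above
ENTRY_TIMEOUT = 30.0   # seconds, UDP timeout quoted elsewhere in this thread


class FlowTable:
    """Fixed-size flow table with an idle timeout (a model, not firmware)."""

    def __init__(self, size=TABLE_SIZE, timeout=ENTRY_TIMEOUT, lan_only=False):
        self.size, self.timeout, self.lan_only = size, timeout, lan_only
        self.entries = OrderedDict()   # flow key -> last seen, oldest first

    def _expire(self, now):
        # Drop entries that have been idle for the full timeout.
        while self.entries:
            key, seen = next(iter(self.entries.items()))
            if now - seen < self.timeout:
                break
            del self.entries[key]

    def packet(self, key, from_lan, now):
        """Return 'fast' if the table serves the packet, else 'slow'."""
        self._expire(now)
        if key in self.entries:
            self.entries[key] = now            # refresh the idle timer
            self.entries.move_to_end(key)
            return "fast"
        if self.lan_only and not from_lan:
            return "slow"    # mitigation: WAN packets never create entries
        if len(self.entries) >= self.size:
            return "slow"    # table full: overflow handling in software
        self.entries[key] = now
        return "fast"


def simulate(lan_only, wan_sources_per_sec=500, lan_flows_per_sec=5,
             seconds=120):
    """Fraction of new LAN flows that obtain a hardware table entry.

    Constructed traffic: every second, unsolicited WAN packets arrive from
    new source addresses, then a few new LAN-originated flows start.
    """
    table = FlowTable(lan_only=lan_only)
    lan_fast = lan_total = 0
    for sec in range(seconds):
        now = float(sec)
        for i in range(wan_sources_per_sec):
            table.packet(("wan", sec, i), from_lan=False, now=now)
        for i in range(lan_flows_per_sec):
            lan_total += 1
            if table.packet(("lan", sec, i), from_lan=True, now=now) == "fast":
                lan_fast += 1
    return lan_fast / lan_total


if __name__ == "__main__":
    print("insert on any packet:", round(simulate(lan_only=False), 3))
    print("insert on LAN only:  ", round(simulate(lan_only=True), 3))
```

In the LAN-only run the unsolicited WAN packets still take the slow path, so this models table occupancy only, not the CPU cost of handling them.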
    1. Re:Potentially *MUCH* worse by aaarrrgggh · · Score: 1

      So the Puma is the dog, and even if you are just using the modem in bridge mode, the chipset is still the DOCSIS modem... which might not be impacted directly by this vulnerability, but give it time?

    2. Re:Potentially *MUCH* worse by Anonymous Coward · · Score: 0

      How in HW is this table implemented - an ASIC or a PLD? If the latter then they should be able to provide a fix.

    3. Re:Potentially *MUCH* worse by ameline · · Score: 2

      NO This has *Nothing* to do with the gateway capabilities and everything to do with the Cable Modem part of Puma 6. I have been able to hang my Hitron CDA-3 modem (no router/gateway or WiFi in it) by spraying it. Haven't found the magic reboot pattern, but it's early yet.

      --
      Ian Ameline
    4. Re:Potentially *MUCH* worse by ameline · · Score: 1

      How is this table implemented? I don't know. If it is (as I suspect) CAM, it is likely hardwired (in an ASIC) for speed -- that's why you use CAM.

      If the mitigation strategy I mentioned above (or some other) is not feasible, it does not look good. In any event, because the firmware on these Modems (even when owned by the end user) is not under customer control (they can only be updated by the cable provider), it's very likely that the majority of these devices will never have their firmware updated, even if there eventually is an update to fix these problems (and this is not the only problem with Puma 6).

      In my case in particular, I use TekSavvy in Toronto -- but Rogers cable is the last mile provider, and they will not lift a finger to help an independent ISP or their customers. But they control the firmware that runs on *my* modem. There is something fundamentally wrong about that.

      --
      Ian Ameline
  10. NAT in a chip? by unixisc · · Score: 1

    Nonetheless, why's that built into the hardware? Given that NAT implementations in IPv4 are NOT standardized, so if something uses a different NATing mechanism, all that silicon is wasted.

    Anyway, all the more reason to move to IPv6