AT&T Uverse Modems Found To Have Several Serious Security Vulnerabilities

dustman81 writes: AT&T Uverse modems were found to have several serious vulnerabilities, including a superuser account with hardcoded username/password exposed to the internet via SSH, a HTTP server with little authentication which allows command injection, and an internet exposed service which exposes internal clients to external attacks. Information security consulting and software development firm Nomotion reports the findings in their blog: "It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem's 'cshell' client over SSH. The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic. Although no clear evidence was found suggesting that this module is actually being used currently, it is present, and vulnerable. Aside from the most dangerous items listed above, the cshell application is also capable of many other privileged actions. The username for this access is remotessh and the password is 5SaP9I26." The report continues to detail the other vulnerabilities: Default credentials 'caserver' https server NVG599; Command injection 'caserver' https server NVG599; Information disclosure/hardcoded credentials; and Firewall bypass no authentication.

Further reading: FierceTelecom; The Register

They need true bridge mode!!

[Joe_Dragon]

They need true bridge mode!!

Re: comcast business forces you to rent there hard

[mprindle]

The last I checked I could buy my own modem and use it on my Comcast service to avoid the rental fees. They even publish a list of approved modems.

Home
https://mydeviceinfo.xfinity.c...
Business
https://business.comcast.com/h...

Re:comcast business forces you to rent there hardw

[Billly+Gates]

As a good techie /. nerd I always buy my own modems and routers. Comcast as much as I hate them do allow third party approved modems. I bought a Motorola surfboard. It is not Docsys 3.0 and I get concerned texts every now and then but it works fine so no reason to change.

So even with an unapproved older modem it will still work. Maybe I can't download at 200 mb/s but at 100 mb/s it works fine.

Re:Trust Issues

[PolygamousRanchKid+]

And these companies are supposed to be trusted with actually securing the data that we provide them?

No, that's incorrect. A big part of their business is providing private data to security services: see Lawful Interception (LI) https://en.wikipedia.org/wiki/...

They are coerced by government agencies to do this. And just about every government passes laws requiring that ISPs and Telcos implement components that allow the security services to "just drop in" whenever they want. Usually, the government agencies are supposed to obtain warrants before tapping and sipping up someone's data, but these days . . . who's checking warrants any more . . . ?

I worked on an ISP platform for a major telco in Europe, and it was interesting to see their LI system. Even the ISP operators themselves are not able to determine who and when the government is tapping. This is done so the "enemies" can't smuggle in mole operators into the ISPs who could alert their friends outside not to talk too loud on the line.

Someone just found one of these hidden features for "special" users in AT&T.

That's all.

Actual test to verify?

[jabberw0k]

Is there an actual test to run to verify whether or not a given device has these vulnerabilities? The listed ports do not seem to be open on the ones I was able to test.

Re:comcast business forces you to rent there hardw

[TWX]

COX just broke DOCSIS below 3.0, had to change modems.

I'd really wanted to use a DOCSIS HWIC module for my Cisco router, but COX specifically said that module would not be supported on their network, and then with the 3.0+ requirement, the 2.1-capable unit isn't supported anyway.

Really wish that Google Fiber hadn't stalled. Theres a dark fiber trunk line running through the neighborhood around 200' from my house, and Google was in the habit of buying dark fiber wherever they could.