
More SNMP Information Leaks: CVE-2014-4862 and CVE-2014-4863

2014-08-22 10:10

Today, Rapid7 would like to disclose a pair of newly discovered vulnerabilities in consumer and SOHO-grade cable modems: the Arris DOCSIS 3.0 (aka Touchstone) cable modems and the Netmaster Wireless Cable Modems. Both exposures were discovered by Rapid7's Deral Percent_X Heiland and independent researcher Matthew Kienow. The duo plans to discuss these and other common vulnerabilities and configuration issues at DerbyCon near the end of September. In the meantime, let's explore each of these issues in turn.

 

R7-2014-13: Arris DOCSIS Exposure (CVE-2014-4863)

Affected Devices

ARRIS DOCSIS 3.0 / Touchstone Wideband Gateway. These devices can be fingerprinted as:

HW_REV: 3; VENDOR: Arris Interactive, L.L.C.; BOOTR: 2.3.1; SW_REV: 7.10.131; MODEL: DG950A.

 

The devices are manufactured by ARRIS. Information about the company can be found on their website, and the technical specifications of the affected device can be found here (PDF).

 

Vulnerability Description

 

By default, this device was found to expose critical information via the SNMP "public" community string. According to Shodan, over 50,000 of these devices expose SNMP to the internet. This device has been found to leak the following Wi-Fi configuration information through the OIDs listed below:

 

---PASSWORD
1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0

---SSID
1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12

---WPA PSK
1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12

---WEP

WEP 64-bit Network Keys
    Key 1: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.1
    Key 2: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.2
    Key 3: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.3
    Key 4: 1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.4

WEP 128-bit Network Keys
    Key 1: 1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12.1
    Key 2: 1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12.2
    Key 3: 1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12.3
    Key 4: 1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12.4

 

Disclosure Timeline

 

Date                     Description
June 5, 2014 (Thu)       Issue discovered and advisory written
June 20, 2014 (Fri)      Vendor contact details sought
July 9, 2014 (Mon)       Issue disclosed to CERT/CC
August 15, 2014 (Fri)    CVE assigned by CERT/CC
August 21, 2014 (Thu)    Details published

 

 

R7-2014-14: Netmaster Wireless Cable Modem Exposure (CVE-2014-4862)

 

Affected Devices

Netmaster Wireless Cable Modem. These devices can be fingerprinted as:

 

HW_REV: 1.0; VENDOR: TEKNOTEL; BOOTR: 2.3.1; SW_REV: 81.447.392110.729.024; MODEL: CBW700N

 

The devices are manufactured by Netmaster. Information about the company can be found on their website (Turkish), and these devices are primarily in use in Turkey.

 

Vulnerability Description

By default, this device was found to expose critical information via the SNMP "public" community string. According to Shodan, 258,638 of these devices expose SNMP to the internet. This device has been found to leak the following Wi-Fi configuration information through the OIDs listed below:

 

---Username
1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0

---Password
1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0

---SSID
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32

---WPA PSK
1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32

---WEP

WEP 64-bit Network Keys
    Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.1
    Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.2
    Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.3
    Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.4

WEP 128-bit Network Keys
    Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.1
    Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.2
    Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.3
    Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.4

 

 

Disclosure Timeline

 

Date                     Description
June 5, 2014 (Thu)       Issue discovered and advisory written
June 20, 2014 (Fri)      Vendor contact details sought
July 9, 2014 (Mon)       Issue disclosed to CERT/CC
August 15, 2014 (Fri)    CVE assigned by CERT/CC
August 21, 2014 (Thu)    Details published

 

Exploit / Module Availability

Deral and Matthew intend to make Metasploit modules available to exercise these vulnerabilities near or during Derbycon in late September. In the meantime, these issues can be trivially exercised with common SNMP query tools, such as snmpwalk and the like. If you'd like to race the original researchers in producing modules specific to these issues, you are welcome to open a Pull Request for the Metasploit Framework over on GitHub.
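For administrators who want to confirm whether a gateway they own is exposing the objects listed in the two advisories above, the following added script (not from the original post and not Rapid7's code) parses saved snmpwalk output and reports which of the sensitive OIDs answered, deliberately discarding the returned values. The OIDs are those from the advisories; the human-readable labels, the handling of snmpwalk's different OID spellings, and the sample output are my own assumptions.

```python
import re

# Sensitive OIDs from R7-2014-13 (Arris) and R7-2014-14 (Netmaster); WEP key tables match by prefix.
EXACT_OIDS = {
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0": "username",
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0": "password",
    "1.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12": "Arris SSID",
    "1.3.6.1.4.1.4115.1.20.1.1.3.26.1.2.12": "Arris WPA PSK",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32": "Netmaster SSID",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32": "Netmaster WPA PSK",
}
WEP_PREFIXES = {
    "1.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.": "Arris WEP 64-bit key",
    "1.3.6.1.4.1.4115.1.20.1.1.3.25.1.2.12.": "Arris WEP 128-bit key",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.": "Netmaster WEP 64-bit key",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.": "Netmaster WEP 128-bit key",
}
LINE_RE = re.compile(r"^\s*(\S+)\s*=\s*(.*)$")  # snmpwalk line: "<oid> = <TYPE>: <value>"

def normalize_oid(oid):
    # snmpwalk prints "iso.3...", ".1.3..." or "SNMPv2-SMI::enterprises.4115..." depending on -O flags.
    if oid.startswith("SNMPv2-SMI::enterprises."):
        return "1.3.6.1.4.1." + oid.split("enterprises.", 1)[1]
    if oid.startswith("iso."):
        return "1." + oid[4:]
    return oid.lstrip(".")

def classify(oid):
    # Returns a label for a sensitive OID, or None for anything not in the advisories.
    if oid in EXACT_OIDS:
        return EXACT_OIDS[oid]
    for prefix, label in WEP_PREFIXES.items():
        if oid.startswith(prefix) and oid[len(prefix):].isdigit():
            return f"{label} #{oid[len(prefix):]}"
    return None

def find_leaks(walk_output):
    # Returns [(oid, label)] for every readable sensitive object; the values are intentionally dropped.
    oids = [normalize_oid(m.group(1)) for m in map(LINE_RE.match, walk_output.splitlines()) if m]
    return [(oid, classify(oid)) for oid in oids if classify(oid)]

# Constructed sample of "snmpwalk -v2c -c public <gateway> 1.3.6.1.4.1" output, not a real capture.
SAMPLE = """\
iso.3.6.1.4.1.4115.1.20.1.1.3.22.1.2.12 = STRING: "HomeNet"
iso.3.6.1.4.1.4115.1.20.1.1.3.24.1.2.12.1 = Hex-STRING: 00 00 00 00 00
iso.3.6.1.4.1.4115.1.20.1.1.3.99.1.2.12 = INTEGER: 1
SNMPv2-SMI::enterprises.4491.2.4.1.1.6.1.2.0 = STRING: "not-a-real-password"
"""
```

Any finding from a walk taken on the WAN side means the fix (disabling SNMP on the WAN interface or changing the community string) has not taken effect; an empty result for the sample's noise line shows that unrelated objects are ignored.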

 

Source: community.rapid7.com/community/metasploit/blog/2014/08/21/more-snmp-information-leaks-cve-20
