Security Warning: 1.35 billion of ARRIS cable modems worldwide can be remotely attacked

Security Warning: 1.35 billion of ARRIS cable modems worldwide can be remotely attacked

A security vulnerability was found in the Wired modem of ARRIS SURFboard. Attackers can remotely attack about 1.35 billion of devices around the world.
Security expert David Longenecker explained that a security vulnerability exists in a very popular wired modem produced by ARRIS (formerly Motorola), affecting billions of devices. The ARRIS SB6141, which costs about $70 and features a 150 Mbit/s network speed, is widely used by American network providers.
Attackers can exploit the vulnerability in the arris surf modem to remotely attack the device and control the device for up to thirty minutes. More than 1.35 billion of devices may be affected.
Due to this cross-site Request Forgery Vulnerability, attackers can remotely restart the SURF modem without authorization. Longenecker described in his blog: "remote device restart is a simple task, even without a password. The IP address of the modem is fixed and cannot be changed. In addition, the web UI does not require authorization authentication (user name and password) to access the management interface of the web interface; therefore, in this case, remote attacks become very easy by leveraging the Cross-Site Request Forgery Vulnerability in the modem."

Vulnerability 1: unauthorized Logon
Unauthorized attackers can access the modem user interface. Local attackers can also access the administrator interface (192.168.100.1) without authorization)
"After you enter the local network, restart the modem, which makes it easy to access the service. It may take three minutes for the modem to restart. However, in these three minutes, the network cannot be connected. In addition, some activities that are more sensitive to network service interruptions (such as long downloads or remote meetings) will be affected and interrupted. "192.168.100.1/reset.htm", experts added.

This means that local attackers can reset the device. In addition, local attackers can also use social engineering to trick victims into clicking the following link to achieve their goal.
Http: // 192.168.100.1/cmConfigData.htm? BUTTON_INPUT1 = Reset + All + Defaults
The restart of the modem is a long process that may take up to half an hour, and in some ways (in some cases) it may even take ISP support to restore to normal.
Vulnerability 2: Cross-Site Request Forgery
Longenecker also found the second vulnerability, CSRF, on the SURF modem. Attackers can exploit this vulnerability to send the above commands without logging on to the user interface of the device.
"In this case, you can log on to the administrator interface and click the link to restart the device. The Command issued from the management interface cannot be identified. Commands sent from within the request cannot be identified, so there is a cross-site possibility ."
You know, the browser does not care whether the image file is a real image. In this way, it is easy to reset the modem through an image file. The POC is as follows:
Http: // 192.168.100.1/reset.htm ">
Of course, this is not a real image, and the browser does not know that it is not an image. Therefore, the browser will continue to use the modem to browse the image file, resulting in the restart of the modem.
The good news is that the vulnerability can be easily fixed. As long as the manufacturer releases some firmware updates, it can solve the issue of modulation and demodulation restart, unauthorized verification, and cross-site request forgery.
Bad messages mean that end users cannot upgrade devices independently. Therefore, this burden naturally falls on the ISP.