Hardcoded Credentials Expose Customers of AT&T U-Verse
September 1, 2017 – 6:30 PM
On August 31, 2017, Nomotion disclosed five vulnerabilities in two Arris modems used by AT&T U-Verse customers in the US. The vulnerabilities are of the following types:
- Hardcoded Credentials (CWE-798)
- Information Exposure (CWE-200)
- Authenticated Command Injection (CWE-78)
- Firewall Bypass (CWE-653)
The hardcoded credentials give attackers access to the device via SSH or HTTP/HTTPS. On certain devices, an attacker who has logged into the modem can then leverage the authenticated command injection vulnerabilities to get a root shell. This vulnerability is especially bad for users whose devices are exposed to the internet.
The firewall bypass vulnerability is particularly worrisome. After successfully gathering the list of hosts behind the firewall using the port 61001 information exposure, an unauthenticated remote attacker can then connect to any device behind the firewall by using the firewall bypass, effectively opening the internal network to attack.