Cable Haunt Security vulnerabilty select modems

[L&LD]

https://www.tomshardware.com/news/cable-haunt-security-vulnerability-affected-modems

Something to check if any of these devices (or similar) are on your network(s).

Even if there is 'nothing that can be done' right now. (I would replace the modem).

 

[Trip]

Ouch.. the "Other Affected Modems" list has the two of the main Docsis 3.1 choices right now: the SB8200 and CM1000. Major impact there...

 

[Uluqat]

The comments in the Ars Technica article seem to suggest that something can be done, for at least some of those with routers separate from modems: blocking the modem IP address at the router. I shall quote one of the Ars Technica article comments by a user named TwoChoices:

For mitigation, blocking via firewall rules didn't appear to work on my ASUS router. It still happily routed to my modem in bridge mode.

The only thing I could get to work was enable and define a static route. That prevents any internal client from being able to access the modem's config page and all pings to the modem return destination unreachable. Switching the static route toggle allows access to the modem config page if needed.

On ASUS routers, it's LAN page, route tab

Network: Modem IP (ex. 192.168.0.1, 10.0.0.1, etc)
Netmask: 255.255.255.255
Gateway: Router LAN IP

 

[RMerlin]

Apparently this issue is not trivial to exploit, so personally I wouldn't worry too much for now, until it has proven to be exploited in the wild.

Also, ISPs often push personalized configs which may disable certain features. In my case, the TC4400 port 8080 is not reachable, so my own modem seems to be fine despite being listed on their table.

 

[Paliv]

https://www.tomshardware.com/news/cable-haunt-security-vulnerability-affected-modems

Something to check if any of these devices (or similar) are on your network(s).

Even if there is 'nothing that can be done' right now. (I would replace the modem).

I was just in the process of posting this. They seem unsure if this exploit even works behind a secondary router. Seems to depend on the router and ISP config for the modem. I have a SB6183, so of course they just tell you to replace it...not jumping that gun quite yet. Also it requires an exploit to occur on a device on the lan side, which may reduce risk for average users not in targeted attacks for the moment.

 

[L&LD]

@Paliv that is not what the article states.

According to the researchers, hackers could exploit Cable Haunt to "intercept private messages, redirect traffic, or [participate] in botnets." It turns out the vulnerability itself is exposed to a local network, but due to "improper WebSocket usage" it can be remotely exploited, even though it should have been limited to localized attacks.

 

[Paliv]

@Paliv that is not what the article states.

Sorry, I guess I misunderstood. It seemed to me that a local client had to be exploited by a malicious connection in the browser first to give access to the modem to a remote attacker.

 

[Wallace_n_Gromit]

https://cablehaunt.com/

On "Security Now" Episode 749 with Leo Laporte and Steve Gibson they mentioned an extensive Cable Modem vulnerability affecting 200 Million European Cable Modems (and by extension 100's of millions more around the world).

EDIT: https://twit.tv/shows/security-now/episodes/749?autostart=false (discussion of Cable Haunt begins at 01:35:44 into the podcast)
https://www.grc.com/sn/SN-749-Notes.pdf

This involves a "Spectrum Analyzer" feature common to many modems typically at 192.168.100.1:8080 for many modem models.

There is a firmware fix that has to be pushed to your Modem via the ISP/WAN. (Many ISP's don't like/allow you to update firmware yourself, they said)

Steve's temporary mitigation is to have your firewall/router restrict LAN access to your cable modem address where the "Spectrum Analyzer" feature is accessed.

How do you do that with Asuswrt-Merlin firmware?

 

[ColinTaylor]

Block it with the Network Services Filter.

 

[Wallace_n_Gromit]

I have never used the Advanced Settings > Firewall > Network Services Filter before.

I have tried to post the default "before" and the changed "After" screen shot. I used to be able to screenshot a *.jpg image using firefox. Can't figure out how since the latest firefox update doesn't allow a *jpg option.
=====================================================

Enable Network Services Filter. <Yes>
Filter table type. <Black List>
Well-Known Applications. <User Defined>
Date to Enable LAN to WAN Filter. <all Days of Week are checked>
Time of Day to Enable LAN to WAN Filter. <00:00-23:59>
Filtered ICMP packet types. <Blank>

The Network Services Filter Table (Max Limit : 128)
Source IP >>Port Range >>Destination IP >>Port Range >>Protocol
blank>>blank 192.168.100.1>>8080 TCP
blank>>blank 192.168.100.1>>8080 UDP

The TCP protocol list shows multiple TCP items: SYN,ACK,FIN,RST,URG,PSH. Should they all be listed?

 

[ColinTaylor]

The TCP protocol list shows multiple TCP items: SYN,ACK,FIN,RST,URG,PSH. Should they all be listed?

That depends on how this exploit is meant to work. I suspect that only TCP is necessary.

 

[RMerlin]

Just because your modem is on the list does not mean you are vulnerable. For instance, my ISP pushes a configuration that closes port 8080 on my own TC4400.

 

[ironclad]

Edit: Thread got merged so this needs context. This is for Asus routers with Merlin firmware.

/jffs/scripts/firewall-start example

#!/bin/sh
iptables -I FORWARD -d 192.168.100.1 -j DROP

Run this to undo the rule if you're in a hurry

iptables -D FORWARD -d 192.168.100.1 -j DROP

Should be doing this even if your model isn't vulnerable...

 

[walgarch]

I thought cable haunt only required a malicious javascript file, using websockets, to run in browser. Since the malicious code is run on a LAN connected computer, if the cable modem has an IP address, it can infect the modem.

If I'm wrong, please correct me

I applied the ASUS mitigation, thanks @Ulugat

 

[EmeraldDeer]

It appears that Comcast made changes to my SB8200 overnight.

The software version remains the same SB8200.0200.174F.311915.NSH.RT.NA. Yesterday I could get to the spectrum analyzer at http://192.168.100.1:8080/ but today I cannot.

Resetting the cable modem due to docsDevResetNow
TLV-11 - Illegal Set operation failed
Config File Rejected due to Invalid or Unexpected TLV 11 encoding

Perhaps the first attempt failed but a second attempt succeeded without generating a log entry.

 

[RMerlin]

It appears that Comcast made changes to my SB8200 overnight.

The software version remains the same SB8200.0200.174F.311915.NSH.RT.NA. Yesterday I could get to the spectrum analyzer at http://192.168.100.1:8080/ but today I cannot.

Resetting the cable modem due to docsDevResetNow
TLV-11 - Illegal Set operation failed
Config File Rejected due to Invalid or Unexpected TLV 11 encoding

Perhaps the first attempt failed but a second attempt succeeded without generating a log entry.

That was quite a fast turnaround from your ISP if that's really the case. Kudos to them.

 

[Wallace_n_Gromit]

/jffs/scripts/firewall-start example

Run this to undo the rule if you're in a hurry

Should be doing this even if your model isn't vulnerable...

iptables -I FORWARD -d 192.168.100.1 -j DROP

When I nano /jffs/scripts/firewall-start I see a preexisting "skynet" line
Should that iptables rule be added before or after the preexisting "skynet" line? (or does it matter)

I also added a Note: "# mitigate Cable Haunt vulnerability -- undo rule: iptables -D FORWARD -d 192.168.100.1 -j DROP" as a future reminder.

 

[Wallace_n_Gromit]

Just because your modem is on the list does not mean you are vulnerable. For instance, my ISP pushes a configuration that closes port 8080 on my own TC4400.

I've been on the phone with my ISP (WaveCable) internet tech rep for over 42 minutes.

She wasn't aware of Cable Haunt at her level, but took my information and promised to bubble it up and have someone contact me. She did warn me that since I bought my own modem (not leased from them) that future firmware updates may not be offered to me.

She didn't seem to think that doing my own firmware updates (if I find one) would effect the modems usability on their network.

EDIT: Assuming that I can't get a straight answer, I wonder if there is a source for information on non-broadcom chip cable modems. I think T.I. (Texas Instruments?) chipped modems had been mentioned as an alternative.

2nd EDIT: Last time I looked my factory firmware version on my Modem was V1.01.05 . After doing some searching online found that latest version available for my Modem model was V1.01.12. Guess I will have to do a direct connect (bypassing the router) from a computer to my modem and find out what firmware version I am running currently. I have to bypass the router because it's buggy whether I can access the Modem at all otherwise. Typical directions when you access your modem is to have a direct wired connection.

3rd EDIT: Yes, still at V1.01.05 on my CM500, dang! behind the router I can't access the modem or Spectrum Analyzer. Remove the router, and I can access both. The modem ask for my password, the Spectrum Analyzer does not. If my ISP won't or can't update I think it's time to change/update Modem... BUT if the ISP don't push updates, that would be pointless.

 

[ironclad]

When I nano /jffs/scripts/firewall-start I see a preexisting "skynet" line
Should that iptables rule be added before or after the preexisting "skynet" line? (or does it matter)

No idea what your config is so I can't tell. Order does matter but you can check if the rule works by visiting that IP in your browser. If nobody on your network can access the modem then this particular exploit won't work.

She wasn't aware of Cable Haunt at her level, but took my information and promised to bubble it up and have someone contact me. She did warn me that since I bought my own modem (not leased from them) that future firmware updates may not be offered to me.

She was telling you very politely that you're never getting firmware updates from them. Modems are locked down due to how DOCSIS works and the fact that you can bring your own is due to an FCC ruling. If your ISP doesn't support the model you use you just don't get updates.

If you have a friend whose ISP supports your model you can plug it in momentarily and wait for it to update. Barring that maybe someone will teach us how to flash updates using the exploit someday.

I ran the exploit code against my Arris SB6183. Never got a working shell, the PoC code would just hang my modem until I power cycled it. Which is a vulnerability on its own, but I would've loved to have a shell. It was listed as exploitable on the website so clearly it's just me not knowing how to troubleshoot the code until it works.

 

[XIII]

I do get a web page on 192.168.100.1, but none of the default username/passwords from the script work.

(and I have no clue which one would...)