Multiple models of ARRIS cable modems contain multiple, deterministically generated backdoor passwords, as well as multiple cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities.
CWE-255: Credentials Management - CVE-2009-5149
The 'password of the day' for multiple models of ARRIS cable modems is generated using a publicly known algorithm. A remote attacker with knowledge of the algorithm, the date, and the seed can gain technician access to the device.
The following firmware versions were reported as being vulnerable:
Additional models and firmware versions may also be affected.
Shodan search results show that many devices are accessible on the public Internet through telnet, SSH, or web management. An attacker with access to the web management interface and the technician password or SNMP can enable telnet and SSH.
Logging as technician using the 'password of the day' provides a restricted mini_cli shell. This shell can be can be escaped to a full BusyBox shell; logging in using the hard-coded password provides the BusyBox shell.
It has been reported that these vulnerabilities, particularly the hard-coded passwords, are currently being exploited. For additional details, refer to the researcher's disclosure.
An attacker with access to the web management interface and knowledge of the password-generation algorithm and seed may be able to gain technician or administrative access to devices. A remote attacker may also perform actions with the same permissions of a victim user, or execute arbitrary scripts in the context of the user's browser.
The CERT/CC is currently unaware of a practical solution to this problem.
Change 'password of the day' seed
Thanks to Bernardo Rodrigues for reporting this vulnerability.
This document was written by Garret Wassermann.