[HN Gopher] Arris / Arris-variant DSL/Fiber router critical vuln...
___________________________________________________________________
Arris / Arris-variant DSL/Fiber router critical vulnerability
exposure
Author : rmdoss
Score : 66 points
Date : 2022-07-30 16:26 UTC (6 hours ago)
(HTM) web link (derekabdine.com)
(TXT) w3m dump (derekabdine.com)
| RulerOf wrote:
| I read this and _instantly_ wonder if it's viable for certificate
| extraction to bypass the god-awful NAT system in AT&T's
| equipment, a-la pfatt: https://github.com/MonkWho/pfatt
|
| Edit: Ah yes, this is covered in the section "Obtaining the
| certificate via reboot & exploitation"
|
| Sadly my hardware appears to be patched.
| physhster wrote:
| You can downgrade the firmware and extract the certs:
| https://www.dupuis.xyz/bgw210-700-root-and-certs/
|
| However, AT&T added another layer of authentication in mid-2021
| that precludes the use of third-party hardware. I don't think
| that part has been cracked yet.
| former wrote:
| Monolithic network appliances, computers, endpoints, etc are
| fundamentally designed without a security-first posture.
|
| There's nothing conceptually wrong with a modem that also
| contains a NAT firewall/router/switch/(WAP). But in practice,
| even examining the hardware architecture of a consumer-grade
| router reveals fundamental design flaws in terms of the
| monolithic nature of the hardware architecture. Thus, using
| separate appliances for modem, router, switch, etc., that are
| physically separated, is still a good idea.
|
| Of course, once you pick apart the shortcomings of a global
| TCP/IP network itself, it's clear that a single pipe connected
| directly to the internet is also a horrible idea, security-wise.
| I have been asking myself of late: "Self, if we were to design
| the internet from scratch and from security-first principles, how
| would it look?" Doing so requires detaching entirely from the
| existing mess we've created. Actually building a new security-
| first internet with backwards-compatibility would be an enormous
| increase in complexity, and would put into question the viability
| of the security of trillions in investment into entrenched
| global-scale infrastructure. Thus, any attempts to solve this
| problem -- essentially boiling the ocean(s) -- are likely to
| remain (literally) a (multi-)pipe dream.
|
| However, I am hopeful that new initiatives to build out
| 'hyperscale' and 'edge' clouds will present a genuine opportunity
| to realize the dream of a secure internet, secure networking,
| secure devices.
| trasz wrote:
| >from scratch
|
| You do realize that this is already a red flag, right? In 99%
| cases the decision to start from scratch when you already have
| something well established is a mistake.
| E2EEd wrote:
| SOP: Build "from scratch" as a superset on the existing
| legacy.
| xoa wrote:
| > _It is possible to recover the WiFi access code and SSID,
| remote administration password, SIP credentials (if VoIP is
| supported), ISP CWMP /TR-069 endpoint URLs and their username and
| password as well as other sensitive information, although some
| parts may require more complicated techniques or computing
| resources that may not be available to all attackers. Network-
| based unauthenticated exploitation is most severe if the router's
| web services (such as the administration portal) are exposed to
| the Internet, though it can also be exploited on the LAN._
|
| I just a few weeks ago got another Arris S33 modem for a client
| using cable, it's fairly well regarded. While this vulnerability
| doesn't list those, to me this further highlights how it can be
| valuable to separate out networking components vs all-in-one. The
| modem is purely a modem and talks only to the ISP. The router is
| a SuperMicro system running OPNsense, which then goes out to TP-
| Link Omada (or UniFi at another older site) gear for switching
| and WiFi. There is a network control VLAN as well as admin VLAN
| accessible only via WireGuard, which is the only way to get to
| the modem's admin page from the LAN. Controllers are self-hosted
| with network control VLANs at multiple sites again routed via WG
| to the controller.
|
| While there are other advantages as well in terms of being able
| to replace parts piecemeal for less, better coverage etc, it's
| also nice in terms of vulns in one thing doesn't necessarily mean
| everything else instantly collapses, and it's easier to have
| multiple layers. The router is still a chokepoint, but full
| opensource and standard hardware at least mean a lot of extra
| eyes and tools can be applied to it and one is never at some
| vendor's mercy for firmware updates. Modem compromise wouldn't
| affect the LAN beyond potentially messing with WAN access which
| would be noticeable fairly quickly. Default LAN users can't
| easily touch any of the infrastructure either. All while being
| transparently usable with internet of shit stuff that people want
| to utilize. Full zero-trust or a virtual overlay network might be
| better yet but starts to run into the same legacy issues that
| hound so much of the industry particularly for non-tech SoHo/SMB.
| While it's unfortunate how riddled with issues a lot of ISP
| devices have tended to be, it's pretty nice what reasonably
| priced powerful options exist for anyone with networking now
| across a huge range of skill levels. It could be much better
| still but it's not nothing.
| oasisbob wrote:
| Arris DOCSIS modems probably still have a lot of Motorola DNA
| in them since Arris's 2012 acquisition of Motorola Home.
|
| I have a box somewhere with near-identical Motorola/Arris
| surfboards other than the logo and color.
| xoa wrote:
| > _Arris DOCSIS modems probably still have a lot of Motorola
| DNA in them since Arris's 2012 acquisition of Motorola
| Home._
|
| I would assume so, but cable modems are such an obvious major
| target that I'd be very surprised if they didn't check as
| well so the absence is notable. There may be some divergence
| due to them not being AIO devices, or requirements from the
| cable companies over the last decade. Or of course it could
| be that's still not public disclosure, but that'd be a bit
| surprising too since I'd expect any attackers to immediately
| go check every single other Arris product right away on
| seeing this.
|
| At any rate though while it's something I'll now be keeping
| an eye on I'm still satisfied that the modems are fairly well
| walled off too. It's a wild world out there, and incidents
| like this are nice to point to when management asks if it's
| worth the bit of extra trouble to have even some minimal
| separation. Just the performance benefits of having WAPs
| ideally positioned for wireless vs dictated by where the WAN
| link comes in is of course helpful as well, there are some
| real performance and coverage deliverables that everyone can
| feel in day to day usage that comes from separating out
| functionality as well. But efforts to go after network
| infrastructure itself are certainly ongoing too, it's a good
| compromise target both directly and in terms of pivoting to
| everything else. From a public good standpoint, router
| botnets are also a real hassle to the rest of the planet
| since they're used for a range of other bad activities.
| livueta wrote:
| I just dug an old SB6141 out of a parts bin and hit it with
| the PoCs. Got 400s despite it running an HTTP server of some
| sort, so not sure how broadly this affects the modem lines.
| Would definitely be nice to have more comprehensive info on
| what is affected.
| jeffbee wrote:
| Routers should not contain http servers, nor any other
| connection-oriented server that can accept. Just stop doing this.
| nykolasz wrote:
| How are the users going to manage the router without it? They
| just need to do it securely and have better ways to auto-update.
| jeffbee wrote:
| By inverting the direction of control, such that the network
| device initiates connections to canonical addresses to
| receive their initial configurations.
| water8 wrote:
| By canonical addresses are you referring to DNS that can be
| spoofed or IP addresses that can be rerouted?
| jeroenhd wrote:
| A nice idea in theory, I'd love to manage network devices
| using some open standard. However, I can already see what
| would happen if this were to become reality:
|
| "You wish to configure your router? For your safety, you
| can only configure our VaporWare(tm) SecuRouter with our
| dedicated Windows 11 or phone app _. Do note that any ad or
| tracking blockers might interfere with our super privacy
| preserving app (trust us, really!).
|
| _ only Android, iOS, and Windows 11 are supported. App does
| not work without Internet connectivity. Android devices
| require Google Play services. Jailbreak and root access
| will trigger our SecuRouter Secure Data Protection
| mechanism and disable access from your IP address. Privacy
| agreements and terms and conditions apply. Product may not
| be sold in areas covered by the GDPR. "
|
| In fact, I've had to deal with routers that required me to
| log in through the ISP website rather than locally because
| of "security".
| jeffbee wrote:
| You can make up whatever fallacious slippery slope
| arguments you care to invent, but such routers already
| exist and they are the best, most secure routers you can
| buy.
| netr0ute wrote:
| Those routers you can get now are only for dumb
| residential nonces, and routers for anything heavier duty
| than that all have at least a console connection
| available, even if they have a cloud management
| component.
| zinekeller wrote:
| May I ask what are those routers?
| userbinator wrote:
| A serial port? Or perhaps these days, a USB one.
| Arnavion wrote:
| For Frontier / Ziply users using an NVG448 - it's also affected.
___________________________________________________________________
(page generated 2022-07-30 23:00 UTC)