[HN Gopher] Arris / Arris-variant DSL/Fiber router critical vuln...
___________________________________________________________________
Arris / Arris-variant DSL/Fiber router critical vulnerability exposure
Author : rmdoss
Score  : 66 points
Date   : 2022-07-30 16:26 UTC (6 hours ago)
web link (derekabdine.com)

| RulerOf wrote:
| I read this and _instantly_ wonder if it's viable for certificate
| extraction to bypass the god-awful NAT system in AT&T's equipment,
| a-la pfatt: https://github.com/MonkWho/pfatt
|
| Edit: Ah yes, this is covered in the section "Obtaining the
| certificate via reboot & exploitation"
|
| Sadly my hardware appears to be patched.
| physhster wrote:
| You can downgrade the firmware and extract the certs:
| https://www.dupuis.xyz/bgw210-700-root-and-certs/
|
| However, AT&T added another layer of authentication in mid-2021
| that precludes the use of third-party hardware. I don't think
| that part has been cracked yet.
| former wrote:
| Monolithic network appliances, computers, endpoints, etc. are
| fundamentally designed without a security-first posture.
|
| There's nothing conceptually wrong with a modem that also
| contains a NAT firewall/router/switch/(WAP). But in practice,
| even examining the hardware architecture of a consumer-grade
| router reveals fundamental design flaws in terms of the
| monolithic nature of the hardware architecture. Thus, using
| separate appliances for modem, router, switch, etc., that are
| physically separated, is still a good idea.
|
| Of course, once you pick apart the shortcomings of a global
| TCP/IP network itself, it's clear that a single pipe connected
| directly to the internet is also a horrible idea, security-wise.
| I have been asking myself of late: "Self, if we were to design
| the internet from scratch and from security-first principles, how
| would it look?" Doing so requires detaching entirely from the
| existing mess we've created.
| Actually building a new security-first internet with
| backwards-compatibility would be an enormous increase in
| complexity, and would put into question the viability of the
| security of trillions in investment into entrenched global-scale
| infrastructure. Thus, any attempts to solve this problem --
| essentially boiling the ocean(s) -- are likely to remain
| (literally) a (multi-)pipe dream.
|
| However, I am hopeful that new initiatives to build out
| 'hyperscale' and 'edge' clouds will present a genuine opportunity
| to realize the dream of a secure internet, secure networking,
| secure devices.
| trasz wrote:
| >from scratch
|
| You do realize that this is already a red flag, right? In 99% of
| cases the decision to start from scratch when you already have
| something well established is a mistake.
| E2EEd wrote:
| SOP: Build "from scratch" as a superset of the existing legacy.
| xoa wrote:
| > _It is possible to recover the WiFi access code and SSID,
| remote administration password, SIP credentials (if VoIP is
| supported), ISP CWMP/TR-069 endpoint URLs and their username and
| password as well as other sensitive information, although some
| parts may require more complicated techniques or computing
| resources that may not be available to all attackers.
| Network-based unauthenticated exploitation is most severe if the
| router's web services (such as the administration portal) are
| exposed to the Internet, though it can also be exploited on the
| LAN._
|
| I just a few weeks ago got another Arris S33 modem for a client
| using cable; it's fairly well regarded. While this vulnerability
| doesn't list those, to me this further highlights how it can be
| valuable to separate out networking components vs. all-in-one.
| The modem is purely a modem and talks only to the ISP. The router
| is a SuperMicro system running OPNsense, which then goes out to
| TP-Link Omada (or UniFi at another older site) gear for switching
| and WiFi.
| There is a network control VLAN as well as an admin VLAN
| accessible only via WireGuard, which is the only way to get to
| the modem's admin page from the LAN. Controllers are self-hosted,
| with network control VLANs at multiple sites again routed via WG
| to the controller.
|
| While there are other advantages as well in terms of being able
| to replace parts piecemeal for less, better coverage, etc., it's
| also nice in that a vuln in one thing doesn't necessarily mean
| everything else instantly collapses, and it's easier to have
| multiple layers. The router is still a chokepoint, but fully
| open-source and standard hardware at least mean a lot of extra
| eyes and tools can be applied to it, and one is never at some
| vendor's mercy for firmware updates. Modem compromise wouldn't
| affect the LAN beyond potentially messing with WAN access, which
| would be noticeable fairly quickly. Default LAN users can't
| easily touch any of the infrastructure either. All while being
| transparently usable with the internet-of-shit stuff that people
| want to utilize. Full zero-trust or a virtual overlay network
| might be better yet but starts to run into the same legacy issues
| that hound so much of the industry, particularly for non-tech
| SoHo/SMB. While it's unfortunate how riddled with issues a lot of
| ISP devices have tended to be, it's pretty nice what reasonably
| priced powerful options exist for anyone with networking now
| across a huge range of skill levels. It could be much better
| still, but it's not nothing.
| oasisbob wrote:
| Arris DOCSIS modems probably still have a lot of Motorola DNA
| in them since Arris's 2012 acquisition of Motorola Home.
|
| I have a box somewhere with near-identical Motorola/Arris
| surfboards other than the logo and color.
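The segmentation xoa describes above (default LAN hosts get Internet only; the admin VLAN and the modem's admin page are reachable solely from WireGuard peers) sketched as a pf ruleset. This is an added illustration, not the thread's or OPNsense's own configuration; interface names, VLAN id, subnets, the WireGuard port and the modem's admin address are all assumed.

```pf
# Constructed example: pf policy for "LAN users can't touch infrastructure,
# modem admin page only via WireGuard". Every name/address here is assumed.
ext_if     = "igb0"            # WAN port, cabled to the modem
lan_if     = "igb1"            # untagged default user LAN
admin_if   = "igb1.20"         # admin / network-control VLAN 20 on the same port
wg_if      = "wg0"             # WireGuard tunnel interface
wg_port    = "51820"
wg_net     = "10.200.0.0/24"   # addresses handed out to WireGuard peers
modem_mgmt = "192.168.100.1"   # modem's own admin page, living on the WAN link

# Everything a default LAN host must never reach: admin VLAN + modem admin
table <infra> { 10.0.20.0/24, 192.168.100.1 }

set skip on lo0
block log all                  # default deny; log so probes are visible

# WAN: the only inbound surface is the WireGuard handshake, no web admin
pass in quick on $ext_if proto udp from any to ($ext_if) port $wg_port

# Default LAN: Internet access only. A compromised IoT box on this segment
# cannot even see the modem's admin page or the controllers.
block in quick log on $lan_if from $lan_if:network to <infra>
pass in quick on $lan_if from $lan_if:network to any

# WireGuard peers: the one path to the admin VLAN and the modem admin page
pass in quick on $wg_if from $wg_net to $admin_if:network
pass in quick on $wg_if proto tcp from $wg_net to $modem_mgmt port { 80, 443 }

# Admin VLAN (controllers, APs, switches) may talk out to the Internet
pass in quick on $admin_if from $admin_if:network to any

# Forwarded and reply traffic may leave; pf's state table handles return paths
pass out quick on { $ext_if, $lan_if, $admin_if, $wg_if }
```

Because the LAN-to-infra block is logged, a LAN host repeatedly hitting 192.168.100.1 shows up in pflog and is the cheapest tell that something on the user segment is probing the modem.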
| xoa wrote:
| > _Arris DOCSIS modems probably still have a lot of Motorola
| DNA in them since Arris's 2012 acquisition of Motorola Home._
|
| I would assume so, but cable modems are such an obvious major
| target that I'd be very surprised if they didn't check as well,
| so the absence is notable. There may be some divergence due to
| them not being AIO devices, or requirements from the cable
| companies over the last decade. Or of course it could be that's
| still not public disclosure, but that'd be a bit surprising too
| since I'd expect any attackers to immediately go check every
| single other Arris product right away on seeing this.
|
| At any rate, though, while it's something I'll now be keeping an
| eye on, I'm still satisfied that the modems are fairly well
| walled off too. It's a wild world out there, and incidents like
| this are nice to point to when management asks if it's worth the
| bit of extra trouble to have even some minimal separation. Just
| the performance benefits of having WAPs ideally positioned for
| wireless vs. dictated by where the WAN link comes in is of course
| helpful as well; there are some real performance and coverage
| deliverables that everyone can feel in day-to-day usage that come
| from separating out functionality as well. But efforts to go
| after network infrastructure itself are certainly ongoing too;
| it's a good compromise target both directly and in terms of
| pivoting to everything else. From a public-good standpoint,
| router botnets are also a real hassle to the rest of the planet
| since they're used for a range of other bad activities.
| livueta wrote:
| I just dug an old SB6141 out of a parts bin and hit it with the
| POCs. Got 400s despite it running an HTTP server of some sort,
| so not sure how broadly this affects the modem lines. Would
| definitely be nice to have more comprehensive info on what is
| affected.
| jeffbee wrote:
| Routers should not contain HTTP servers, nor any other
| connection-oriented server that can accept. Just stop doing this.
| nykolasz wrote:
| How are the users going to manage the router without it? They
| just need to do it securely and have better ways to auto-update.
| jeffbee wrote:
| By inverting the direction of control, such that the network
| device initiates connections to canonical addresses to receive
| their initial configurations.
| water8 wrote:
| By canonical addresses are you referring to DNS that can be
| spoofed or IP addresses that can be rerouted?
| jeroenhd wrote:
| A nice idea in theory; I'd love to manage network devices using
| some open standard. However, I can already see what would happen
| if this were to become reality:
|
| "You wish to configure your router? For your safety, you can only
| configure our VaporWare(tm) SecuRouter with our dedicated Windows
| 11 or phone app*. Do note that any ad or tracking blockers might
| interfere with our super privacy-preserving app (trust us,
| really!).
|
| * Only Android, iOS, and Windows 11 are supported. App does not
| work without Internet connectivity. Android devices require
| Google Play services. Jailbreak and root access will trigger our
| SecuRouter Secure Data Protection mechanism and disable access
| from your IP address. Privacy agreements and terms and conditions
| apply. Product may not be sold in areas covered by the GDPR."
|
| In fact, I've had to deal with routers that required me to log in
| through the ISP website rather than locally because of
| "security".
| jeffbee wrote:
| You can make up whatever fallacious slippery-slope arguments you
| care to invent, but such routers already exist and they are the
| best, most secure routers you can buy.
| netr0ute wrote:
| Those routers you can get now are only for dumb residential
| nonces, and routers for anything heavier-duty than that all have
| at least a console connection available, even if they have a
| cloud management component.
| zinekeller wrote:
| May I ask what those routers are?
| userbinator wrote:
| A serial port? Or perhaps these days, a USB one.
| Arnavion wrote:
| For Frontier / Ziply users using an NVG448 - it's also affected.
___________________________________________________________________
(page generated 2022-07-30 23:00 UTC)