Reboot flaw leaves millions of ARRIS SURFboard modems vulnerable
Millions of ARRIS SURFboard modems are potentially vulnerable to unauthenticated remote reboots.
The bug exists in the SURFboard 6141 and SURFboard 5100 modems as a result of the devices' lack of authentication and their susceptibility to cross-site request forgery attacks, according to a Security for Real People blog post penned by researcher David Longenecker.
He said that the flaw makes it easy to remotely reboot a modem without even using a password.
He said an attacker can simply browse to a device's IP address from the local network to access both diagnostic data and the web user interface, which includes a reboot function.
ARRIS has reportedly updated the SB6141 firmware and is in the process of making it available to service providers since cable modems aren't “consumer-updateable.”
Longenecker recommended that users not click on unexpected or untrusted links until the flaw is patched.