Security Architecture, Endpoint/Device Security, IoT, Network Security, Security Strategy, Plan, Budget, Vulnerability Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Cable Haunt RCE vulnerability exposes millions of modems to exploitation

Researchers have disclosed the discovery of a critical remote code execution vulnerability in millions of Broadcom cable modems, including about 200 million in Europe alone.

Named Cable Haunt, the flaw consists of a combination of "lack of proper authorization of the web-socket client, default credentials and a programming error in the spectrum analyzer" component of the modems, according to a web site and technical paper published by the four researchers.

The same bug wound up in so many different models of modem because the error actually originated in popular reference software that numerous modem manufacturers copied when coding their own firmware. Unfortunately, this also makes it difficult to pinpoint the precise number of affected brands and models.

Attackers can reportedly exploit the web socket flaw to remotely access an endpoint on the modem that serves the spectrum analyzer. They can then use javascript code running in the browser to trigger a buffer overflow, which allows them to execute arbitrary code at the kernel level. At that point, the malicious actors would be capable of a wide range of nefarious activity, including changing the default DNS server and reconfiguring other key settings, conducting man-in-the-middle attacks to intercept private messages, redirecting traffic, and recruiting the modem into a botnet.

According to the researchers' web page, Cable Haunt "can give an attacker full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP and able to ignore remote system updates."

Credit for the discovery goes to Alexander Krog, Jens Stærmose and Kasper Terndrup of the Danish cybersecurity firm Lyrebirds ApS, and independent Danish researcher Simon Sillesen. The primary vulnerability is designated CVE-2019-19494, while a second similar vulnerability, CVE-2019-19495 applies only to a DNS rebinding flaw found in the web interface of the Technicolor TC7230 STEB 01.25 cable modem.

A full inventory of modems that are confirmed to be affected is available on the Cable Haunt web page. These include the Arris Durfboard SB8200, Arris Surfboard CM8200A, Arris Surfboard SB6183, Cisco EPC3928AD, COMPAL 7284E, COMPAL 7486E, Human HGB10R-02, Netgear C6250EMR, Netgear CG3700EMR, Netgear CM 1000, Netgear CM600, Sagemcom F@st 3890, Sagemcom F@st 3686, Technicolor TC7230, Technicolor TC4400, Technicolor 7300 and Technicolor TC7200.

The researchers said they contacted as many of the modem manufacturers as they could in advance of publicly disclosing the issue, as well as ISP companies that distribute the modems. "Some of the contacted ISPs have informed us that they have or are rolling out firmware updates; however, we are still missing updates from several," the researchers said on the website. Additionally, the researchers have developed a proof-of-concept exploit and a script that tests whether a user's modem is vulnerable.

Broadcom also said in a statement that it has taken steps to address the issue: "We have made the relevant fix to the reference code and this fix was made available to customers in May 2019," the company noted.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.