A severe security flaw in the implementation of the SNMP protocol allows an attacker to take over at least 58 cable modem models, according to a team of researchers.
The vulnerability, tracked as CVE-2017-5135 and nicknamed StringBleed, affects the Simple Network Management Protocol (SNMP), a widely used protocol created in the 1980s for managing network-connected devices.
StringBleed is an authentication bypass in SNMP v1 and v2
Since its creation, the protocol has gone through several versions, the most recent being SNMPv3. According to Ezequiel Fernandez and Bertin Bervis, two security researchers from Argentina and Costa Rica, respectively, there is a flaw in the authentication mechanism of SNMPv1 and SNMPv2.
While v3 supports username-and-password authentication, v1 and v2 rely on a far simpler procedure: the SNMP client (an application) sends a string inside each SNMP request to the device’s SNMP daemon.
The device reads this string, called a “community string,” from the request and answers the client, either with data or by executing an action.
Once someone is authenticated on the device, they can read or write data on the system with no restrictions.
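To make the community-string model concrete, here is an added example (not code from the article or from the StringBleed researchers) that hand-encodes the BER structure of an SNMPv1/v2c GetRequest for sysDescr.0, then shows the agent-side check that decides whether a request is answered at all. The allowed-community table and every function name are this example's own assumptions; a device with the behaviour described above acts as if the check always succeeded.

```python
"""SNMPv1/v2c GetRequest encoder plus the community-string check an agent must run.

Added example: not code from the article or from the StringBleed researchers.
The allowed-community table and all names below are this example's assumptions.
"""
import hmac
from typing import Optional

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, where the model strings in the article come from


def _tlv(tag: int, payload: bytes) -> bytes:
    """BER type-length-value with a short or long definite length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _int(value: int) -> bytes:
    """BER INTEGER: minimal two's-complement encoding."""
    width = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(width, "big", signed=True))


def _oid(dotted: str) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs fused, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str = SYS_DESCR_OID,
                      request_id: int = 1, version: int = 1) -> bytes:
    """Encode a GetRequest; version 0 is SNMPv1, 1 is SNMPv2c (same community model)."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))            # { name, NULL }
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0)        # id, error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_header(packet: bytes):
    """Return (version, community) from an SNMPv1/v2c message, rejecting malformed input."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version")
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community")
    return int.from_bytes(ver, "big", signed=True), community.decode("ascii", "replace")


def agent_access_level(packet: bytes, allowed: dict) -> Optional[str]:
    """The check an agent must perform before answering.

    Returns the access level ("ro"/"rw") configured for the request's community,
    or None, in which case the agent must stay silent. A device that answers
    every community string, as the article describes, behaves as if this
    function always returned a level.
    """
    version, community = parse_header(packet)
    if version not in (0, 1):
        return None
    for name, level in allowed.items():
        if hmac.compare_digest(name.encode(), community.encode()):   # constant-time compare
            return level
    return None


if __name__ == "__main__":
    allowed = {"public": "ro", "n3tops-rw": "rw"}   # constructed configuration, not from any device
    for comm in ("public", "n3tops-rw", "anything-at-all"):
        pkt = build_get_request(comm)
        print(f"{comm!r:20} -> {len(pkt)} bytes, agent grants: {agent_access_level(pkt, allowed)}")
```

The only secret in the exchange is the community string itself, sent in clear text inside the request; the agent's whole defence is the lookup in `agent_access_level`, which is why a device that skips it answers any string at all.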
StringBleed uncovered after casual security tests
Fernandez and Bervis say that during tests in which they were trying to brute-force an SNMP connection, several pieces of their test gear responded to every authentication request, regardless of the “community string” they used.
Since the test gear exhibiting this behavior was a Cisco DPC3928SL modem/router, they reached out to the company, believing they had discovered a lone bug in the Cisco firmware.
Since Cisco had passed on the servicing of those types of devices to a company called Technicolor, the researchers brought up the issue with the latter. According to the research team, the company didn’t acknowledge the flaw and blamed it on an ISP that misconfigured its equipment.
This led the researchers to conduct Internet-wide scans to identify the exact cause of the issue. Their results suggested the flaw affected the protocol itself, as they found it on 58 different cable modem/router models on the networks of different ISPs across the world.
StringBleed PoC available on GitHub
The researchers released proof-of-concept code on GitHub and set up a website to document the StringBleed flaw. After contacting Bervis, Bleeping Computer obtained a list of vulnerable modem models (the sysDescr strings the devices report over SNMP).
"DIONIS 6.00 [#1508:12326] rel.6 s.p.9",
"DCM-604 << HW_REV: C1; VENDOR: D-Link; BOOTR: 2.3.0; SW_REV: DCM604_C1_ViaCabo_1.04_20130606; MODEL: DCM-604>>",
"Technicolor CableHome Gateway << HW_REV: 2.0; VENDOR: Technicolor; BOOTR: 2.3.1; SW_REV: STC8.62.02; MODEL: TC7110.B>>",
"MNG6200 << HW_REV: 1.01; VENDOR: NETWAVE Networks, Inc.; BOOTR: 2.4.0alpha14; SW_REV: C4835805jrc18FU040815.cpr; MODEL: MNG6200>>",
"ARRIS DOCSIS 2.0 / SIP 2.0 Touchstone Telephony Modem << HW_REV: 04; VENDOR: Arris Interactive, L.L.C.; BOOTR: 6.23; SW_REV: 6.4.54T.SIP; MODEL: TM602G>>",
"Ubee PacketCable 1.5 W-EMTA << HW_REV: 3.10.1; VENDOR: Ubee; BOOTR: 9.1.1b; SW_REV: 6.31.2005; MODEL: DVW2117>>",
"Skyworth DOCSIS 3.0 Wireless CableModem << HW_REV: 1.1; VENDOR: Skyworth; BOOTR: 2.4.0mp1; SW_REV: 4.1.0.5; MODEL: CM5100-511>",
"COMTREND CORPORATION; ADSL Termination Unit",
"ARRIS DOCSIS 2.0 / PacketCable 1.0 Touchstone Telephony Modem << HW_REV: 04; VENDOR: Arris Interactive, L.L.C.; BOOTR: 6.24; SW_REV: 6.4.56; MODEL: TM602G>>",
"Linux lootom 2.6.30.9 #5 Fri Jul 4 01:08:19 PDT 2014 rlx",
"ARRIS DOCSIS 2.0 / SIP 2.0 Touchstone Telephony Modem << HW_REV: 04; VENDOR: Arris Interactive, L.L.C.; BOOTR: 6.23; SW_REV: 6.4.54.SIP; MODEL: TM602G>>",
"BCW710J << HW_REV: 1.01; VENDOR: Bnmux; BOOTR: 2.4.0alpha14; SW_REV: 5.30.5; MODEL: BCW710J>>",
"Netgear Wireless Cable Modem Gateway << HW_REV: V1.0; VENDOR: Netgear; BOOTR: 2.1.7k; SW_REV: V4.4.8R073-RG; MODEL: CGD24G-100NAS>>",
"Thomson CableHome Gateway << HW_REV: 1.0; VENDOR: Thomson; BOOTR: 2.1.7i; SW_REV: STC0.01.16; MODEL: DWG849>>",
"Thomson CableHome Gateway << HW_REV: 2.1; VENDOR: Thomson; BOOTR: 2.1.7i; SW_REV: ST9C.05.23; MODEL: DWG850-4>>",
"$Telindus 1423$ SHDSL-2P 2ETH-4P T2863/02600 21/03/14 15:21",
"Thomson Wireless PacketCable Gateway E-MTA << HW_REV: 1.1; VENDOR: Thomson; BOOTR: 2.3.0; SW_REV: STB3.01.75; MODEL: TWG870U>>",
"ARRIS DOCSIS 2.0 / SIP 2.0 Touchstone Telephony Modem << HW_REV: 02; VENDOR: Arris Interactive, L.L.C.; BOOTR: 6.23; SW_REV: 6.1.129.SIP; MODEL: WTM652G>>",
"ARRIS Euro-DOCSIS 2.0 / SIP 2.0 Touchstone Telephony Modem << HW_REV: 02; VENDOR: Arris Interactive, L.L.C.; BOOTR: 5.01; SW_REV: 6.1.110.EURO.SIP; MODEL: TM502B>>",
"Wireless G ADSL Gateway",
"ARRIS Euro-DOCSIS 2.0 / Euro-PacketCable 1.0 Touchstone Telephony Modem << HW_REV: 04; VENDOR: Arris Interactive, L.L.C.; BOOTR: 6.23; SW_REV: 6.4.56.EURO; MODEL: TM602B>>",
"CBW700N << HW_REV: 1.0; VENDOR: TEKNOTEL; BOOTR: 2.3.1; SW_REV: 81.447.392110.729.024; MODEL: CBW700N>>",
"MNG6200 << HW_REV: 1.01; VENDOR: NETWAVE Networks, Inc.; BOOTR: 2.4.0alpha14; SW_REV: C4835805jrc16FU063014.cpr; MODEL: MNG6200>>",
"Kaonmedia design << HW_REV: v1.0; VENDOR: Kaonmedia; BOOTR: 2.5.0beta1_v6.0; SW_REV: v5.12.0; MODEL: VM1700D>>",
"Netwave Docsis 3.0 Cable Modem MNG6300 << HW_REV: 2.0; VENDOR: Net&Sys; BOOTR: 2.4.0; SW_REV: 5.83.6305jrc15; MODEL: MNG6300>>",
"BCW710J2 << HW_REV: 1.30; VENDOR: Bnmux; BOOTR: 2.4.0alpha14; SW_REV: 5.30.11; MODEL: BCW710J2>>",
"<< HW_REV: 1; VENDOR: Motorola Corporation; BOOTR: 2.2.0; SW_REV: SBG941-2.11.0.0-GA-07-624-NOSH; MODEL: SBG941>>",
"Skyworth DOCSIS 3.0 Wireless CableModem << HW_REV: 1.1; VENDOR: Skyworth; BOOTR: 2.4.0mp1; SW_REV: 4.1.0.25; MODEL: CM5100-511>",
"iNovo IB-8120-W21 << HW_REV: 1.0; VENDOR: iNovo Broadband; BOOTR: 2.3.1; SW_REV: 139.4410mp1.004200.002; MODEL: IB-8120-W21>>",
"Ambit Wireless CableModem << HW_REV: 4.10; VENDOR: Ambit; BOOTR: 2.1.6d; SW_REV: 5.66.1026; MODEL: U10C019>>",
"<< HW_REV: 1; VENDOR: Motorola Corporation; BOOTR: 2.1.7l; SW_REV: SVG2501-2.10.1.1-GA-00-581-LTSH; MODEL: SVG2501>>",
"Skyworth DOCSIS 3.0 Wireless CableModem << HW_REV: 1.1; VENDOR: Skyworth; BOOTR: 2.4.0mp1; SW_REV: 4.1.0.6; MODEL: CM5100-511>",
"Cisco DPC3928SL DOCSIS 3.0 1-PORT Voice Gateway << HW_REV: 1.0; VENDOR: Technicolor; BOOTR: 2.4.0; SW_REV: D3928SL-PSIP-13-A010-c3420r55105-160428a; MODEL: DPC3928SL>>",
"ucd-snmp-4.1.2/Red Hat eCos",
"Skyworth DOCSIS 3.0 Wireless CableModem << HW_REV: 1.1; VENDOR: Skyworth; BOOTR: 2.4.0mp1; SW_REV: 4.1.0.11; MODEL: CM5100-511>",
"BCW710J << HW_REV: 1.01; VENDOR: Bnmux; BOOTR: 2.4.0alpha14; SW_REV: 5.30.6a; MODEL: BCW710J>>",
"CBW383G4J << HW_REV: 1.01; VENDOR: CastleNet; BOOTR: 2.4.0alpha14; SW_REV: 37.556mp5.010; MODEL: CBW383G4J>>",
"BFC cablemodem reference design << HW_REV: 01.00; VENDOR: Technicolor; BOOTR: 2.4.0.r2; SW_REV: SC05.00.20; MODEL: TC7200.TH2v2>>",
"VxWorks SNMPv1/v2c Agent",
"Skyworth DOCSIS 3.0 Cable Modem << HW_REV: V2.1; VENDOR: Skyworth; BOOTR: 2.4.0beta3; SW_REV: V0.00.05; MODEL: CM5100>>",
"ARRIS DOCSIS 2.0 / SIP 2.0 Touchstone Telephony Modem << HW_REV: 04; VENDOR: Arris Interactive, L.L.C.; BOOTR: 6.24; SW_REV: 6.4.56.SIP; MODEL: TM602G>>",
"BFC cablemodem reference design << HW_REV: 01.00; VENDOR: Technicolor; BOOTR: 2.5.0alpha8; SW_REV: SC05.00.20; MODEL: TC7200.TH2v2>>",
"Cisco DPC3928SL DOCSIS 3.0 1-PORT Voice Gateway << HW_REV: 1.0; VENDOR: Cisco; BOOTR: 2.4.0; SW_REV: D3928SL-P15-13-A386-c3420r55105-160127a; MODEL: DPC3928SL>>",
"ARRIS DOCSIS 3.0 / Touchstone Wideband Gateway << HW_REV: 3; VENDOR: Arris Interactive, L.L.C.; BOOTR: 2.3.1; SW_REV: 7.10.141; MODEL: DG950A>>",
"Netgear Wireless Cable Modem Gateway << HW_REV: V1.0; VENDOR: Netgear; BOOTR: 2.1.7l; SW_REV: V4.4.6R04.1-RG; MODEL: CGD24G-1CHNAS>>",
"Technicolor CableHome Gateway << HW_REV: 2.0; VENDOR: Technicolor; BOOTR: 2.3.1; SW_REV: STC7.05.18; MODEL: TC7110.B>>",
"BFC cablemodem reference design << HW_REV: 01.00; VENDOR: Technicolor; BOOTR: 2.5.0alpha8.r1; SW_REV: SC05.00.20; MODEL: TC7200.TH2v2>>",
"Thomson CableHome Gateway << HW_REV: 2.1; VENDOR: Thomson; BOOTR: 2.1.7i; SW_REV: ST9C.05.25; MODEL: DWG850-4>>",
"ARRIS DOCSIS 2.0 / SIP 2.0 Touchstone Telephony Modem << HW_REV: 04; VENDOR: Arris Interactive, L.L.C.; BOOTR: 6.23; SW_REV: 6.1.95.SIP; MODEL: TM602G>>",
"Linux Soligate 2.4.18_mvl30 #32 Mon Aug 31 14:44:08 KST 2009 armv5teb",
"Kaonmedia design << HW_REV: v1.0; VENDOR: Kaonmedia; BOOTR: 2.5.0beta1_v6.0; SW_REV: v5.14.0; MODEL: VM1700D>>",
"MNG6200 << HW_REV: 1.01; VENDOR: NETWAVE Networks, Inc.; BOOTR: 2.4.0alpha14; SW_REV: C4835805jrc12FU121413.cpr; MODEL: MNG6200>>",
"Technicolor CableHome Gateway << HW_REV: 2.0; VENDOR: Technicolor; BOOTR: 2.3.1; SW_REV: STC7.05.21; MODEL: TC7110.B>>",
"Technicolor TC7200.d1I Wireless Gateway << HW_REV: 1.0; VENDOR: Technicolor; BOOTR: 2.4.0; SW_REV: TC7200.d1IE-N23E-c7000r5712-161129-HAT; MODEL: TC7200.d1I>",
"Technicolor CableHome Gateway << HW_REV: 2.0; VENDOR: Technicolor; BOOTR: 2.3.1; SW_REV: STC7.05.14; MODEL: TC7110.B>>",
"Ethernet/Wireless Cable Modem/Router << HW_REV: A0; VENDOR: Zoom Telephonics, Inc.; BOOTR: 2.4.0alpha14; SW_REV: v5.5.8.6Y; MODEL: 5352>>",
"BCW700J << HW_REV: 1.0; VENDOR: Bnmux; BOOTR: 2.3.0; SW_REV: 5.20.5; MODEL: BCW700J>>",
"CBW383G4J << HW_REV: 1.01; VENDOR: CastleNet; BOOTR: 2.4.0beta3; SW_REV: 37.556mp5.010; MODEL: CBW383G4J>>"
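The list above is made of raw sysDescr strings, most in the DOCSIS "<<HW_REV: ...; VENDOR: ...; MODEL: ...>>" layout. As an added example (not part of the article or the researchers' proof of concept), the following parser pulls the VENDOR, MODEL and SW_REV fields out of such strings so an operator can compare the sysDescr values of their own modems against the affected-model list. The sample entries are copied from the list; the fleet inventory and its hostnames are constructed.

```python
"""Parser for DOCSIS-style sysDescr strings and a fleet-matching helper.

Added example, not part of the article or the researchers' proof of concept.
The fleet inventory and hostnames below are constructed for illustration.
"""
import re

# Tolerates the "< <" spacing seen in extracted copies of the list and entries
# that end in a single ">".
_FIELD_BLOCK = re.compile(r"<\s*<(.+?)>")


def parse_sysdescr(descr: str) -> dict:
    """Return the key/value fields plus the free-text prefix.

    Strings without the DOCSIS block (e.g. "VxWorks SNMPv1/v2c Agent") give
    only a 'prefix' entry.
    """
    fields = {}
    m = _FIELD_BLOCK.search(descr)
    if m:
        for part in m.group(1).split(";"):
            if ":" in part:
                key, value = part.split(":", 1)
                fields[key.strip()] = value.strip()
    fields["prefix"] = (descr[:m.start()] if m else descr).strip()
    return fields


def affected_models(descrs) -> set:
    """(vendor, model) pairs from a list of sysDescr strings; entries without MODEL are skipped."""
    result = set()
    for d in descrs:
        f = parse_sysdescr(d)
        if "MODEL" in f:
            result.add((f.get("VENDOR", ""), f["MODEL"]))
    return result


def match_fleet(fleet: dict, descrs) -> list:
    """Hostnames whose sysDescr MODEL appears in the affected list.

    A model match is a reason to test the device, not proof it is vulnerable:
    the list shows several SW_REV values per model, and sysDescr cannot tell
    you whether a given firmware has been fixed.
    """
    models = {model for _, model in affected_models(descrs)}
    return sorted(host for host, d in fleet.items()
                  if parse_sysdescr(d).get("MODEL") in models)


# A few entries copied from the list above.
SAMPLE_LIST = [
    "DCM-604 << HW_REV: C1; VENDOR: D-Link; BOOTR: 2.3.0; SW_REV: DCM604_C1_ViaCabo_1.04_20130606; MODEL: DCM-604>>",
    "Skyworth DOCSIS 3.0 Wireless CableModem << HW_REV: 1.1; VENDOR: Skyworth; BOOTR: 2.4.0mp1; SW_REV: 4.1.0.5; MODEL: CM5100-511>",
    "<< HW_REV: 1; VENDOR: Motorola Corporation; BOOTR: 2.2.0; SW_REV: SBG941-2.11.0.0-GA-07-624-NOSH; MODEL: SBG941>>",
    "VxWorks SNMPv1/v2c Agent",
]

# Constructed inventory: hostname -> sysDescr as reported by the operator's own devices.
FLEET = {
    "cm-lab-01": "DCM-604 <<HW_REV: C1; VENDOR: D-Link; BOOTR: 2.3.0; SW_REV: DCM604_C1_ViaCabo_1.04_20130606; MODEL: DCM-604>>",
    "cm-lab-02": "Linux generic 4.4.0 #1 SMP",
    "cm-lab-03": "<<HW_REV: 1; VENDOR: Motorola Corporation; BOOTR: 2.2.0; SW_REV: SBG941-2.11.0.0-GA-07-624-NOSH; MODEL: SBG941>>",
}

if __name__ == "__main__":
    for host in match_fleet(FLEET, SAMPLE_LIST):
        f = parse_sysdescr(FLEET[host])
        print(host, f["VENDOR"], f["MODEL"], f["SW_REV"])
```

Matching on MODEL rather than on the whole string is deliberate: the list repeats the same model with different SW_REV values, so a firmware string that is not on the list still belongs to a model the researchers found answering any community string.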
via www.bleepingcomputer.com