Tag Archives: kernel mode

Cable Modems Vulnerable to Cable Haunt Vulnerabilities

=====================
TL;DR
If you are cautious with the links you click and when processing your email, you will likely not be vulnerable to these flaws. If you use a cable modem for your internet connection, you should check if your modem is vulnerable and follow the step “What should I do” mentioned below.
=====================

In mid-January it was discovered the firmware (defined) of many internet service provider (ISP) modems (specifically combined modems and routers in the same device) was vulnerable to remote takeover by attackers. These vulnerabilities have been named Cable Haunt as an easier to remember reference.

How widespread are the affected modems?
At least the following manufacturers are affected, with up to 200 million vulnerable modems, mainly in Europe, although other regions (e.g. North America) are also affected. Please see also the FAQ “Am I Affected” on the Cable Haunt website.

Arris
COMPAL
Netgear
Sagemcom
Technicolor

Other brands of modems confirmed by the wider community as being vulnerable are:

Cisco EPC3928AD
Cisco/Technicolor DPC3216
Humax HGB10R-02
SMC Electronics SMC D3-CCR-v2
Zoom 5370
Virgin Media’s Super Hub 3 and 4 do not appear to be vulnerable.

How serious are these vulnerabilities?
While the vulnerabilities are serious in their impact, namely complete remote compromise of the device, how an attacker could exploit the vulnerabilities to achieve that outcome is not trivial. As per the researchers:

“This could be exploited by an attacker if you visit a malicious website or if they embed the code, for instance in an advert, on a trusted website. It is important to point out that this is not the only attack vector that can be employed, vulnerable mail-clients, exploited IoT devices, public networks etc. are also viable attack vectors”.

Summary of the Technical Aspects of these vulnerabilities
The vulnerability designated formally as CVE-2019-19494 is a buffer overflow (defined) that, if exploited, could allow remote code execution (defined: the ability for an attacker to remotely carry out any action of their choice on your device) with kernel level (defined) privileges by using JavaScript (defined) within your web browser. According to the researchers, the buffer overflow can be exploited using “a carefully crafted message the modem can be manipulated to execute arbitrary code specified by a remote attacker”.

An important aspect of the exploit described above is that, while the attack is remote (it uses a victim’s web browser), it results in the local compromise of the modem’s spectrum analyser. Linked to this, a DNS re-bind attack (defined) can be used to give an attacker access to the compromised spectrum analyser. The result of the above exploits provides the attackers with (according to the researchers) “full remote control over the entire unit, and all the traffic that flows through it, while being invisible for both the user and ISP”. This capability could be used to:

  1. Intercept private messages
  2. Redirect traffic
  3. Add the modems to botnets
  4. Replace the devices firmware
  5. Instruct the device to ignore remote system updates (which could be used to patch the vulnerabilities, complicating the resolution of a compromised device by its legitimate owner/user)
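The DNS re-bind step described above relies on a public host name suddenly resolving to an address inside the victim’s LAN, so that a web page can talk to a local device (such as the modem’s spectrum analyser) as if it were the attacker’s own site. The following is an added example, not code from the original post or from the Cable Haunt researchers: a PowerShell check that flags DNS answers in which an external host name resolves to a private, loopback or link-local address, which is the same rule resolvers such as dnsmasq apply when rebinding protection is switched on. The function names, the sample answers and the trusted-suffix list are constructed for illustration and are not from the page.

```powershell
# Added example (not from the original post). Flags DNS answers that look like
# a rebinding attempt: a name that should be public resolving into RFC 1918,
# loopback, link-local or IPv6 unique-local space.

function Test-PrivateAddress {
    param([Parameter(Mandatory)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }

    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        if ($ip.IsIPv6LinkLocal) { return $true }
        if ([System.Net.IPAddress]::IPv6Loopback.Equals($ip)) { return $true }
        # fc00::/7 (unique local): first byte is 0xFC or 0xFD
        return (($ip.GetAddressBytes()[0] -band 0xFE) -eq 0xFC)
    }

    $b = $ip.GetAddressBytes()
    if ($b[0] -eq 10) { return $true }                                   # 10.0.0.0/8
    if ($b[0] -eq 127) { return $true }                                  # 127.0.0.0/8
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $true }               # 169.254.0.0/16
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $true } # 172.16.0.0/12
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $true }               # 192.168.0.0/16
    return $false
}

function Test-RebindingAnswer {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$Addresses,
        # Names you expect to resolve inside the LAN are exempt (assumed list, adjust for your network)
        [string[]]$TrustedSuffixes = @('.local', '.lan', '.home')
    )
    foreach ($suffix in $TrustedSuffixes) {
        if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    foreach ($address in $Addresses) {
        if (Test-PrivateAddress -Address $address) { return $true }
    }
    return $false
}

# Constructed sample answers (documentation-range and private addresses, not real observations).
$samples = @(
    @{ Name = 'cdn.example.com';  Answers = @('203.0.113.10') },
    @{ Name = 'ads.example.net';  Answers = @('203.0.113.20', '192.168.100.1') },
    @{ Name = 'printer.home';     Answers = @('192.168.1.50') },
    @{ Name = 'api.example.org';  Answers = @('fd12:3456::1') }
)
foreach ($sample in $samples) {
    $flag = Test-RebindingAnswer -HostName $sample.Name -Addresses $sample.Answers
    '{0,-18} {1,-32} rebinding={2}' -f $sample.Name, ($sample.Answers -join ','), $flag
}
# Expected: only ads.example.net and api.example.org are flagged; printer.home is exempt by suffix.
```

To run the check against live answers rather than the constructed samples, feed the output of Resolve-DnsName into it, e.g. `Test-RebindingAnswer -HostName $n -Addresses ((Resolve-DnsName $n -Type A).IPAddress)`. The check is deliberately strict about public names: a legitimate service resolving into private space from outside your LAN is itself worth investigating.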

How can I protect my organisation or myself from these vulnerabilities?
For in-depth answers from the researchers to this question in the context of an ISP, the user of the modem (e.g. within a small business), an individual or a security researcher, please see the question “What Should I do” on the dedicated Cable Haunt website:

https://cablehaunt.com/

According to Graham Cluley: “Some ISPs in Scandinavia appear to have remotely patched the cable modems of their customers, but others have some catching up to do it seems.
If your cable modem contains a Broadcom chipset you might want to contact your ISP and ask them what they’re doing about this”.

Thank you.

=====================

My sincere thanks to the Cable Haunt researchers Alexander Dalsgaard Krog (Lyrebirds), Jens Hegner Stærmose (Lyrebirds), Kasper Kohsel Terndrup (Lyrebirds) and Simon Vandel Sillesen (Independent) as well as Graham Cluley for the excellent information which this blog post is built upon.

DoublePulsar exploit: victim devices are widespread

Last month the hacking group known as the Shadow Brokers made available a set of exploits (this appears to be their last remaining set). These exploits allegedly came from the NSA. A full list of the exploits is available here. Microsoft’s analysis of which of the exploits apply to their products, and which security updates resolve them, is available here.

What is DoublePulsar and how does it affect a system?
The exploit from this recently released collection which targets the SMB Server component of Windows is known as DoublePulsar. It is a kernel mode (or ring zero (defined)) exploit which provides an attacker with full control over an affected system as well as providing a backdoor (defined).

It also allows the execution of shellcode (defined) and the downloading of further malware. A complete list of its capabilities is available from Symantec’s analysis.

This threat is being compared to the MS08-067 vulnerability from October 2008, which led to the widespread installation of the Conficker malware (which still persists today). That article estimates this vulnerability will be with us for many years to come. In my professional career I still see large numbers of servers and workstations not patched against the MS08-067 vulnerability even after all these years. The exploits made available by the Shadow Brokers have been made easy to use by others posting YouTube videos and documentation on how to use them. Security researchers are tracking the spread of this malware here, here and here.

How can I protect myself from this threat?
Preventing a compromise by this threat:

If your servers or workstations have Windows Server 2008 or Windows Vista (respectively) or newer installed, please install Microsoft’s security update MS17-010 as soon as possible. As a defence-in-depth measure (defined) (PDF), please also consider blocking port 445 from being accessed externally (since this is unlikely to be the last SMB exploit we see).

Please note, Windows Vista systems are also no longer supported and you should consider upgrading (if you are not already in the process of doing so). Windows Server 2008 will be supported until the 13th of January 2020.

=======================
Update: 19th May 2017:
=======================
With the rapid propagation of the WannaCry ransomware, Microsoft made available the MS17-010 update for Windows XP, Windows Server 2003 and Windows 8.0. The updates for these out of support operating systems are available from Microsoft’s blog post.

Once the update is installed, if your servers or workstations have Windows Server 2003 or Windows XP (respectively) installed, please block port 445 (the Windows SMB protocol port) from being accessed from an external network (as previously recommended by US-CERT and mentioned in a past blog post of mine).

In addition to blocking port 445 as mentioned above, I would also suggest the following:

If you can, segregate your vulnerable devices (including devices within your network perimeter) so they don’t expose the following ports:

  • TCP port 445 with related protocols on UDP ports 137-138
  • TCP port 139
  • Also disable SMBv1 (it’s a deprecated protocol)
  • Please also block the Remote Desktop Protocol (RDP) port 3389 (defined) at the entry point to your corporate network to prevent the spread of this malware, as recommended by US-CERT.
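The port-blocking and SMBv1 steps listed above, applied on an individual Windows host, as an added example that is not from the original post, from Microsoft or from US-CERT. It assumes a Windows 8 / Server 2012 or later host (Set-SmbServerConfiguration does not exist on Windows 7 / Server 2008 R2 and earlier, where SMBv1 has to be disabled by other means per Microsoft’s guidance), an elevated prompt, and that the rules should apply to the Public (untrusted network) firewall profile rather than the domain LAN; the rule names are my own. Perimeter blocking of the same ports at your firewall or ISP edge is still needed; this only reduces the host’s exposure.

```powershell
# Added example (not from the original post). Blocks inbound SMB/NetBIOS and RDP
# on the Public profile, disables SMBv1 on the server side and verifies both.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

$rules = @(
    @{ Name = 'Block SMB 445 inbound (Public)';       Protocol = 'TCP'; Port = 445 },
    @{ Name = 'Block NetBIOS 139 inbound (Public)';   Protocol = 'TCP'; Port = 139 },
    @{ Name = 'Block NetBIOS 137-138 inbound (Public)'; Protocol = 'UDP'; Port = '137-138' },
    @{ Name = 'Block RDP 3389 inbound (Public)';      Protocol = 'TCP'; Port = 3389 }
)

foreach ($rule in $rules) {
    # Idempotent: only create the rule if a rule of that name does not already exist
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Action Block `
            -Protocol $rule.Protocol -LocalPort $rule.Port -Profile Public | Out-Null
        Write-Output "Created firewall rule: $($rule.Name)"
    }
}

# MS17-010 fixes the vulnerability; removing the deprecated protocol is defence in depth.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Verification: SMBv1 should report False and each block rule should list its port(s).
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName 'Block * inbound (Public)' |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        '{0,-40} {1,-4} {2,-8} {3}' -f $_.DisplayName, $filter.Protocol, $filter.LocalPort, $_.Action
    }
```

If the host also joins a domain network where SMB is legitimately used, leave the Domain profile alone and rely on the perimeter block for port 445; for a standalone workstation you can widen the `-Profile` argument to `Public, Private`.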

To check if your system has been compromised by DoublePulsar, you can use this tool.

Removing the threat from a compromised system:
You can remove the infection simply by shutting the system down, since the malware does not persist after a reboot. You can then patch the vulnerability and block access to port 445 to prevent the malware from returning (both as mentioned above).

Thank you.