A new critical security vulnerability that affects cable modems using Broadcom chips was just discovered. Dubbed Cable Haunt and identified as CVE-2019-19494, the vulnerability puts at risk some 200 million cable modems in Europe alone, the researchers who discovered it said.
Cable Haunt Vulnerability (CVE-2019-19494) Explained
The Cable Haunt security flaw was discovered by Lyrebirds ApS, a team of Danish researchers, who released a white paper detailing the critical issue and also created a dedicated web page with information.
According to the official CVE-2019-19494 description provided by the researchers, the critical vulnerability is present in cable modems from various international manufacturers. In short, the flaw enables remote attackers to execute arbitrary code on the modem, indirectly, through an endpoint on the modem. Since the modem carries the internet traffic of every device on the network, Cable Haunt can be exploited to intercept private communications, redirect traffic, or add the device to a botnet.
Furthermore, the vulnerable endpoint is not only exposed to the local network but can also be reached remotely, because of improper websocket usage, the researchers explained: a websocket opened from a browser on the LAN can reach the endpoint, and the attacker only needs that browser to run a page they control. Once the endpoint is reachable, a buffer overflow attack can be carried out to gain control of the vulnerable modem.
Where does the Cable Haunt vulnerability (CVE-2019-19494) stem from?
The vulnerability is a result of an issue in a standard component of Broadcom chips known as a spectrum analyzer. The spectrum analyzer is a software and hardware component meant to protect the modem from signal surges and disturbances that may come from the coax cable; in practice, ISPs use it to debug connection quality.
The issue comes from the fact that the spectrum analyzer in the Broadcom chip has no protection against DNS rebinding attacks, so a browser that has been tricked into resolving an attacker's hostname to the modem's LAN address can talk to it. On top of that, the analyzer uses default credentials, and its firmware contains a programming error (the buffer overflow mentioned above) that an attacker who can reach the endpoint can trigger.
By luring users into visiting a malicious page in their browser, attackers can use the browser as a bridge to the faulty spectrum analyzer and exploit it, with command execution on the device as the result. In a nutshell, the Cable Haunt vulnerability could be exploited to perform the following malicious activities:
- Changing the default DNS server;
- Carrying out man-in-the-middle attacks;
- Hot-swapping code or the entire firmware;
- Covertly tweaking the firmware by using hot code swapping;
- Disabling ISP firmware upgrades;
- Altering every config file and settings;
- Getting and setting SNMP OID values;
- Changing serial numbers;
- Adding the device to a botnet.
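The mechanics behind the DNS rebinding step described above, and the server-side check that stops it, as an added example that is not code from the Cable Haunt researchers or from any modem firmware. The hostname, the TEST-NET address 203.0.113.10, the modem LAN address 192.168.100.1 and the function names are assumptions chosen for the illustration; the toy resolver stands in for an attacker-controlled DNS server with a very short TTL, and the two accept functions stand in for a websocket endpoint with and without a Host/Origin check.

```python
"""Simulated DNS-rebinding attack against a LAN-only websocket endpoint,
and the Host/Origin validation that defeats it.

Added example; not code from the Cable Haunt researchers or from any modem
firmware. All addresses and hostnames below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed values (assumptions, not taken from the advisory).
ATTACKER_HOST = "rebind.attacker.example"
ATTACKER_IP = "203.0.113.10"      # TEST-NET-3 documentation range
MODEM_IP = "192.168.100.1"        # assumed modem LAN address


class RebindingResolver:
    """Attacker-controlled DNS: answers with the attacker's public IP once
    (short TTL), then with the modem's private IP for the same name. The
    browser still sees a single origin, so the attacker's JavaScript may
    now open a websocket that lands on the modem."""

    def __init__(self):
        self.lookups = 0

    def resolve(self, name):
        if name != ATTACKER_HOST:
            raise KeyError(name)
        self.lookups += 1
        return ATTACKER_IP if self.lookups == 1 else MODEM_IP


@dataclass
class UpgradeRequest:
    """The parts of a websocket upgrade request that matter here."""
    dest_ip: str
    headers: dict


def browser_fetch(resolver, url_host, origin):
    """Models the browser: it connects to whatever IP the name resolves to
    right now, but the Host header still carries the attacker's name."""
    ip = resolver.resolve(url_host)
    return UpgradeRequest(dest_ip=ip, headers={"Host": url_host, "Origin": origin})


def vulnerable_accept(req):
    """Accepts anything that arrives on the LAN interface. No Host or Origin
    check, which is exactly what lets a rebound browser through."""
    return ipaddress.ip_address(req.dest_ip).is_private


def hardened_accept(req, allowed_hosts=(MODEM_IP,), allowed_origins=(f"http://{MODEM_IP}",)):
    """Rejects a request unless the Host header names the modem itself and,
    when a browser sent an Origin, that Origin is a page served by the modem."""
    host = req.headers.get("Host", "").split(":")[0]   # drop an optional port
    origin = req.headers.get("Origin")
    if host not in allowed_hosts:
        return False
    if origin is not None and origin not in allowed_origins:
        return False
    return True


def simulate():
    """Runs the two-step rebinding and reports what each endpoint decides."""
    resolver = RebindingResolver()
    page_origin = f"http://{ATTACKER_HOST}"
    # Step 1: victim loads the attacker's page; the first lookup goes to the attacker.
    first = browser_fetch(resolver, ATTACKER_HOST, page_origin)
    # Step 2: the TTL expires and the script reconnects to the same name; it now hits the modem.
    second = browser_fetch(resolver, ATTACKER_HOST, page_origin)
    legit = UpgradeRequest(MODEM_IP, {"Host": MODEM_IP, "Origin": f"http://{MODEM_IP}"})
    return {
        "first_ip": first.dest_ip,
        "second_ip": second.dest_ip,
        "vulnerable_accepts_rebound": vulnerable_accept(second),
        "hardened_accepts_rebound": hardened_accept(second),
        "hardened_accepts_legit": hardened_accept(legit),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The point to take away is that the rebound request arrives from an address the modem regards as trusted (the LAN) and with nothing distinguishing it from a legitimate connection except the Host and Origin headers. Validating those two headers against the device's own address is the standard DNS rebinding defence, and it is independent of any fix to the buffer overflow itself; default credentials would still need to be changed, since the check only stops browsers on the LAN being used as a bridge.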
Who is at risk?
The researchers believe that at least 200 million cable modems are affected in Europe alone. This number is only an estimate, however, because the vulnerability originated in reference software that different cable modem manufacturers copied, so the exact spread of the vulnerability cannot be measured.
The researchers have contacted as many of the largest ISPs and manufacturers as they could “ahead of time”, to give them time to fix the issue, but with “varying success”.
Some of the contacted ISPs told the researchers that they have or are rolling out firmware updates. However, others haven’t implemented updates, and some even said they didn’t want to be acknowledged on the dedicated website.
The dedicated website also features the full technical report detailing the Cable Haunt vulnerability.
In April 2019, Broadcom WiFi chipset drivers were found vulnerable to a series of flaws (CVE-2019-9503, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502). The vulnerabilities affected multiple operating systems and could allow remote attackers to execute arbitrary code or cause a denial-of-service condition.