The Verizon Fios Quantum Gateway contains three high-severity vulnerabilities (CVE-2019-3914, CVE-2019-3915, CVE-2019-3916) which could allow command injection. When exploited together, the flaws could give an attacker complete control over a network. The device is used by millions of Verizon home customers, as it works as a wireless router and digital gateway.
The vulnerabilities were discovered by researchers at Tenable, who said that the flaws are associated with the admin password of the device:
There is a sticker on the side of the routers. Each customer is given a different Wireless network name, Wireless password, and Administrator password. These vulnerabilities are focused around the Administrator password, not the password you use to connect to the Wi-Fi. The Administrator password is there for the Verizon customer to log into the router to perform various tasks that define the network.
More about CVE-2019-3914
According to Tenable’s advisory, this flaw can be triggered by adding a firewall access control rule for a network object with a crafted hostname. The attacker must be authenticated to the device’s administrative web application to perform the command injection. In most cases, the flaw can only be exploited by attackers with local network access. An internet-based attack is still possible if remote administration is enabled, but remote administration is disabled by default.
More about CVE-2019-3915
Because HTTPS is not enforced in the web administration interface, an attacker on the local network segment can intercept login requests with the help of a packet sniffer. These requests can be replayed to give the attacker admin access to the web interface. From here, the attacker could exploit this vulnerability, Tenable said.
More about CVE-2019-3916
An unauthenticated attacker is able to retrieve the value of the password salt by simply visiting a URL in a web browser. Given that the firmware does not enforce the use of HTTPS, an attacker can sniff a login request which contains a salted password hash (SHA-512). This would enable the attacker to carry out an offline dictionary attack to recover the original password.
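The two login weaknesses above share one cause: a hash built from a fixed salt is the same on every login, so the hash itself acts as the credential. The sketch below is an added example, not Tenable's or Verizon's code. It assumes the login value is SHA-512 over password + salt (the page does not give the exact construction), uses constructed sample values and hypothetical class names, and contrasts that scheme with a single-use server nonce.

```python
import hashlib
import hmac
import secrets

PASSWORD = "constructed-admin-pw"    # constructed sample value
SALT = "constructed-static-salt"     # constructed; stands in for the fixed salt

def static_login_hash(password, salt):
    # Assumed construction: SHA-512 over password + salt, hex encoded.
    return hashlib.sha512((password + salt).encode()).hexdigest()

class StaticSaltServer:
    """Weak form: the expected login value never changes between sessions."""
    def __init__(self, password, salt):
        self.expected = static_login_hash(password, salt)

    def login(self, submitted):
        return hmac.compare_digest(submitted, self.expected)

class NonceServer:
    """Replay-resistant form: each login answers a fresh, single-use nonce."""
    def __init__(self, password, salt):
        self.key = static_login_hash(password, salt).encode()
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self.pending:
            return False                      # unknown or already used nonce
        self.pending.discard(nonce)           # a nonce is valid exactly once
        expected = hmac.new(self.key, nonce.encode(), hashlib.sha512).hexdigest()
        return hmac.compare_digest(response, expected)

def client_response(password, salt, nonce):
    key = static_login_hash(password, salt).encode()
    return hmac.new(key, nonce.encode(), hashlib.sha512).hexdigest()

def demo():
    weak = StaticSaltServer(PASSWORD, SALT)
    observed = static_login_hash(PASSWORD, SALT)   # value visible on plain HTTP
    weak_replay = weak.login(observed)             # accepted again, unchanged
    strong = NonceServer(PASSWORD, SALT)
    nonce = strong.challenge()
    response = client_response(PASSWORD, SALT, nonce)
    first = strong.login(nonce, response)          # legitimate login
    replay = strong.login(nonce, response)         # same message sent twice
    return weak_replay, first, replay

if __name__ == "__main__":
    print(demo())
```

A nonce only removes the replay problem. An observed nonce and response sent over plain HTTP can still be tested offline against password guesses, so enforcing HTTPS on the administration interface remains necessary.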
What should affected users do? They should make sure that their device is updated to version 02.02.00.13. If it is not, users should contact Verizon for further assistance. It is recommended that users keep remote administration disabled, Tenable said.