/
bastille-27.ipv6-cm-mac-leak.txt
52 lines (23 loc) · 1.47 KB
/
bastille-27.ipv6-cm-mac-leak.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Bastille Tracking Number 27
CVE-2017-9484
Overview
A vulnerability has been discovered that enables an attacker to discover the CM MAC of a Comcast customer's gateway by sniffing Wi-Fi traffic on the channel the gateway is operating on.
Affected Platforms
Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST
Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST
Proof-of-Concept
Every ~4 seconds, the gateway transmits a 156 byte 802.11 IPv6 multicast packet, with the source address set to the MAC address of the l2sd0.500 network interface on the gateway. This was observed to differ from the CM MAC, which is not normally known, as follows:
11:22:33:44:55:66 - l2sd0.500
0F:22:33:44:55:63 - CM MAC
As illustrated above, the CM MAC can be found by subtracting two bytes from the first octet, and three bytes from the last octet of the l2sd0.500 interface MAC address.
Once an attacker has the CM MAC, they can proceed to generate the SSID for the hidden home security network on the target gateway.
Test Environment
Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421733-160420a-CMCST
Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST
Mitigation
There is no apparent mechanism to allow Comcast customers to control or change this behavior.
Recommended Remediation
Configure the gateway so that it does not leak the CM MAC.
Credits
Marc Newlin and Logan Lamb, Bastille
Chris Grayson, Web Sight.IO