Permalink
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
CableTap/doc/advisories/bastille-31.stb-remote-webui.txt
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
53 lines (23 sloc)
1.34 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Bastille Tracking Number 31 | |
| CVE-2017-9488 | |
| Overview | |
| A vulnerability has been discovered that enables an attacker to remotely log into a target gateway using hardcoded credentials. | |
| Affected Platforms: | |
| Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST | |
| Cisco DPC3941T, firmware version DPC3941_2.5s3_PROD_sey | |
| Proof-of-Concept | |
| Comcast residential gateways expose the web UI to incoming connections on the wan0 interface. On the wan0 interface, the web UI can be accessed with either hardcoded or generated credentials. | |
| There are two barriers which prevent attackers from accessing this web UI: | |
| 1) The IPv6 address of the wan0 interface on a target gateway must be known. | |
| 2) The wan0 interface cannot be accessed from the public internet. | |
| The IPv6 address can be obtained from the CM MAC (Bastille Tracking Number 30). | |
| Test Environment: | |
| Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST | |
| Cisco DPC3941T, firmware version DPC3941_2.5s3_PROD_sey | |
| Mitigation | |
| There is no apparent mechanism to allow Comcast customers to control or change this behavior. | |
| Recommended Remediation | |
| Move to certificate-based authentication, and restrict customer gateway wan0 access so that it cannot be accessed via the Send To TV web browser feature. | |
| Credits | |
| Marc Newlin and Logan Lamb, Bastille | |
| Chris Grayson, Web Sight.IO |