CableTap/doc/advisories/bastille-40.ethernet-snmp.txt
Bastille Tracking Number 40
CVE-2017-9496

Overview

A vulnerability has been discovered that enables an attacker to access an SNMP server running on the Motorola MX011ANM.

Affected Platforms

Motorola MX011ANM, firmware version MX011AN_2.9p6s1_PROD_sey

Proof-of-Concept

The Motorola MX011ANM includes an Ethernet port, which at first glance appears to be inactive. Assuming a similar addressing scheme to the wireless gateways, which use a clustered range of MAC addresses and IPv6 addresses based on the MAC addresses, we were able to guess the link-local IPv6 address of the Ethernet port.

We then discovered that an SNMP server running on the set-top box can be accessed by addressing the link-local IPv6 address of the Ethernet port.

Test Environment

Motorola MX011ANM, firmware version MX011AN_2.9p6s1_PROD_sey

Mitigation

There is no apparent mechanism to allow Comcast customers to change this behavior.

Recommended Remediation

Patch the arbitrary file read vulnerability we used to learn the community string.

Credits

Marc Newlin and Logan Lamb, Bastille
Chris Grayson, Web Sight.IO
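
The Proof-of-Concept section relies on link-local IPv6 addresses being derived from MAC addresses. The following is an added example, not part of the original advisory: an inventory check that flags interfaces whose link-local address is derived from their own MAC. It assumes the derivation is modified EUI-64 (RFC 4291), which the advisory does not state; the function names and the sample inventory are constructed for illustration.

```python
import ipaddress

def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 link-local address for a 48-bit MAC (assumed scheme, RFC 4291)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def mac_from_link_local(addr: str):
    """Return the MAC embedded in an EUI-64 link-local address, or None."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop any zone id
    raw = ip.packed
    if not ip.is_link_local or raw[11:13] != b"\xff\xfe":
        return None  # not link-local, or interface ID is not EUI-64 shaped
    mac = bytes([raw[8] ^ 0x02]) + raw[9:11] + raw[13:16]
    return ":".join(f"{b:02x}" for b in mac)

def audit(interfaces):
    """Names of interfaces whose link-local address follows from their own MAC."""
    flagged = []
    for name, mac, addr in interfaces:
        if mac_from_link_local(addr) == mac.lower().replace("-", ":"):
            flagged.append(name)
    return flagged

# Constructed sample inventory (MACs from the IANA documentation range).
SAMPLE = [
    ("eth0", "00:00:5E:00:53:10", "fe80::200:5eff:fe00:5310"),
    ("wlan0", "00:00:5E:00:53:11", "fe80::3c1a:9f02:77d4:e5b1%wlan0"),
]

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print(f"{name}: link-local address is derived from the MAC")
```

Interfaces flagged by `audit` are the ones where an unadvertised port is still addressable by anyone on the link who can infer the MAC, so any service listening there needs its own access control.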