A cybersecurity researcher at Tenable has discovered a number of security vulnerabilities in Verizon Fios Quantum Gateway Wi-Fi routers that could allow remote attackers to take complete control of the affected routers, exposing every other device connected to them.
Currently used by hundreds of thousands of consumers in the United States, Verizon Fios Quantum Gateway Wi-Fi routers have been found vulnerable to three security vulnerabilities, identified as CVE-2019-3914, CVE-2019-3915, and CVE-2019-3916.
The flaws in question are authenticated command injection (with root privileges), login replay, and password salt disclosure vulnerabilities in the Verizon Fios Quantum Gateway router (G1100), according to technical details Chris Lyne, a senior research engineer at Tenable, shared with The Hacker News.
Authenticated Command Injection Flaw (CVE-2019-3914)
While examining the log file on his router, Chris found that the "Access Control" rules in the Firewall settings, available in the router's web interface, were not properly sanitizing the "hostname" parameter while passing its value as part of a command to the console.
So it turned out that injecting malicious input as the hostname can manipulate the Firewall command, ultimately allowing an attacker to execute arbitrary code on the affected device.
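The injection pattern described above, as an added example (not the router's firmware code or Tenable's proof of concept): a builder that pastes the form value straight into a shell command line, beside a hardened builder that allow-lists the hostname and hands it to iptables as a single argv element. The exact iptables rule shape is an assumption.

```python
import re
import subprocess

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(hostname: str) -> bool:
    """Allow-list check: only dot-separated RFC 1123 labels, 253 chars max."""
    if not hostname or len(hostname) > 253:
        return False
    return all(_LABEL.match(label) for label in hostname.rstrip(".").split("."))


def build_rule_vulnerable(hostname: str) -> str:
    """The pattern the article describes: the raw form value is interpolated
    into a shell command line, so shell metacharacters inside `hostname` are
    interpreted by the shell instead of being part of the host name.
    The rule shape itself is assumed, not taken from the firmware."""
    return f"iptables -A FORWARD -d {hostname} -j DROP"


def build_rule_hardened(hostname: str) -> list[str]:
    """Validate first, then build an argv list so the hostname is always one
    argument to iptables and never shell text."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["iptables", "-A", "FORWARD", "-d", hostname, "-j", "DROP"]


def hostname_accepted(hostname: str) -> bool:
    """True if the hardened builder would accept this value."""
    try:
        build_rule_hardened(hostname)
        return True
    except ValueError:
        return False


def apply_rule(hostname: str, runner=subprocess.run):
    """Apply with shell=False; `runner` is injectable so the code can be
    exercised without touching a real firewall."""
    return runner(build_rule_hardened(hostname), shell=False, check=True)


if __name__ == "__main__":
    print(build_rule_vulnerable("tenable; id"))  # one string that the shell reads as two commands
    print(build_rule_hardened("tenable"))         # argv list, host is exactly one argument
    print(hostname_accepted("tenable; id"))      # False: rejected before anything executes
```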
"Notice the iptables command being issued. Obviously, I must have entered tenable in here at some point. That got me thinking… I wonder if I can inject an OS command into this," the researcher explained in a blog post.
"Clearly, this has to do with Access Control rules in the Firewall settings. I investigated the web interface to see if I could find tenable anywhere."
However, it should be noted that to exploit this vulnerability (CVE-2019-3914) the attacker first needs access to the router's web interface, which itself reduces the attack surface unless the victims are relying on default or weak passwords.
Also, affected routers don't come with remote administration enabled by default, which further reduces the risk of Internet-based attacks.
"There are two attack scenarios that allow an attacker to execute commands remotely. First, the insider threat would allow an attacker to record the login sequence (salted hash) using a packet sniffer. Either via legitimate access (a house guest) or social engineering (customer support scam), an attacker could obtain the target router's administrator password from the sticker on the router and its public IP address. They can then either turn remote administration on, confirm it is enabled, or use the same social engineering ruse to have the victim enable it," Chris told The Hacker News in an email interview.
"Then, the attacker can exploit CVE-2019-3914 remotely, from across the Internet, to gain remote root shell access to the router's underlying operating system. From here, they have control of the network. They can create back doors, record sensitive Internet transactions, pivot to other devices, etc."
As shown in the video demonstration, since the Verizon router also supports Java because of its embedded JVM (Java Virtual Machine), an attacker can simply upload a Java-based payload to get a reverse shell with root privileges and launch further attacks.
To execute a Java reverse shell, the attacker only needs to upload and run a Java class, as the researcher said: "I accomplished this by programming the HTTP listener to return a Base64-encoded, compiled Java class in the response body. Also, the Java code was compiled for the target JVM (Java SE 1.8)."
Login Replay And Password Salt Disclosure Flaws
Besides the details and video demonstration, the researcher has also released proof-of-concept exploit code for this vulnerability.
The second vulnerability, identified as CVE-2019-3915, exists because the router's web administration interface relies on an insecure HTTP connection.
It allows network-based attackers to intercept login requests using a packet sniffer and replay them to gain admin access to the web interface.
The third flaw, identified as CVE-2019-3916, allows an unauthenticated attacker to retrieve the value of the password salt by simply visiting a URL in a web browser.
Since the router firmware does not enforce HTTPS, it is possible for attackers to capture a login request containing the salted password hash (SHA-512), which can then be used to recover the plaintext password.
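Why a client-side salted hash sent over plain HTTP is replayable, as an added example (not the router's login code): the same static hash authenticates every time it is presented, whereas binding the login to a one-time server nonce makes a captured exchange worthless once the nonce is consumed. The scheme (SHA-512 over salt + password, HMAC proof) is assumed for illustration; the salt here is random, standing in for the value the article says is disclosed unauthenticated.

```python
import hashlib
import hmac
import os


def salted_hash(password: str, salt: str) -> str:
    """Assumed scheme mirroring the article: SHA-512 over salt + password."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


class RouterLogin:
    def __init__(self, password: str):
        self.salt = os.urandom(8).hex()  # stands in for the disclosed salt (CVE-2019-3916)
        self.stored = salted_hash(password, self.salt)
        self._nonces: set[str] = set()

    def login_static(self, presented_hash: str) -> bool:
        """Static scheme: the salted hash itself is the credential on the wire,
        so anything a sniffer captures can be presented again (CVE-2019-3915)."""
        return hmac.compare_digest(presented_hash, self.stored)

    def issue_nonce(self) -> str:
        """Challenge-response: hand out a fresh one-time nonce per login attempt."""
        nonce = os.urandom(16).hex()
        self._nonces.add(nonce)
        return nonce

    def login_nonce(self, nonce: str, proof: str) -> bool:
        """Accept only a proof bound to an unconsumed nonce; consume it either way."""
        if nonce not in self._nonces:
            return False
        self._nonces.discard(nonce)
        expected = client_proof(self.stored, nonce)
        return hmac.compare_digest(proof, expected)


def client_proof(salted: str, nonce: str) -> str:
    """What the client sends instead of the hash: HMAC(salted_hash, nonce)."""
    return hmac.new(salted.encode(), nonce.encode(), hashlib.sha512).hexdigest()


def demo_replay() -> tuple[bool, bool, bool, bool]:
    router = RouterLogin("correct horse")                  # constructed password
    captured = salted_hash("correct horse", router.salt)   # what a sniffer sees on plain HTTP
    first = router.login_static(captured)
    replay = router.login_static(captured)                 # accepted again: replay succeeds
    nonce = router.issue_nonce()
    proof = client_proof(captured, nonce)
    first_cr = router.login_nonce(nonce, proof)
    replay_cr = router.login_nonce(nonce, proof)           # nonce consumed: replay rejected
    return first, replay, first_cr, replay_cr
```

The nonce only stops replay; an eavesdropper who knows the salt can still guess passwords offline against a captured proof, which is why the real fix is TLS on the management interface.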
Tenable responsibly reported these vulnerabilities to Verizon, who acknowledged the issues and addressed them in new firmware version 02.02.00.13, which will be applied automatically.
"However, they [Verizon] have since advised that they are still working to push auto updates to a small fraction of devices. Users are urged to confirm that their router is updated to version 02.02.00.13, and if not, contact Verizon for more information."
At the time of writing, a simple Shodan search revealed that nearly 15,000 Verizon Fios Quantum Gateway Wi-Fi routers with remote administration enabled were accessible on the Internet. However, it is unknown how many of them are running the patched firmware version.