Full Disclosure mailing list archives

Information Exposure via SNMP on ARRIS / Motorola SBG6580 Cable Modem Gateway


From: Inokii Security Advisory <advisory () inokii com>
Date: Sat, 17 May 2014 16:34:58 -0400


========================================
Inokii Security Advisory

Inokii-ID: 2014-01
========================================

Affected Product:
ARRIS / Motorola SURFboard SBG6580 Series Wi-Fi Cable Modem Gateway

Severity Rating:
Important

Impact:
Username and password for the user interface as well as wireless network keys
can be disclosed through SNMP.

Description:
The SBG6580 Cable Modem Gateway product specifications include SNMP v2 & v3
under Network Management. The management information bases (MIBs) of various
device subsystems on the SBG6580 allow local network users to discover user
interface credentials and wireless network key values through simple SNMP
requests for the value of these variables. Because the authentication
in SNMPv1 and SNMPv2c does not offer sufficient protection, this increases the
risk that the values can be disclosed through SNMP using the default
read-only community "public".

The issue was confirmed in software version SBG6580-6.5.0.0-GA-00-226-NOSH.

Object Identifiers (OIDs):
1. Cable Modem Gateway User Interface
    a. Username: 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
    b. Password: 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0

2. Primary Wireless Network
    a. Network Name (SSID): 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32
    b. WPA Pre-Shared Key: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32
    c. WEP PassPhrase: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.1.1.3.32
    d. WEP 64-bit Network Keys
        * Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.1
        * Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.2
        * Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.3
        * Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.4
    e. WEP 128-bit Network Keys
        * Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.1
        * Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.2
        * Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.3
        * Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.4

3. Guest Wireless Network
    a. Network Name (SSID): 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.33
    b. WPA Pre-Shared Key: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.33
    c. WEP PassPhrase: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.1.1.3.33
    d. WEP 64-bit Network Keys
        * Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.33.1
        * Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.33.2
        * Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.33.3
        * Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.33.4
    e. WEP 128-bit Network Keys
        * Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.33.1
        * Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.33.2
        * Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.33.3
        * Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.33.4

A Metasploit Framework module, sbg6580_enum.rb, was created to demonstrate
the information exposure. The module can be found under Inokii's fork of
the Metasploit Framework. https://github.com/inokii/metasploit-framework

Disclosure Timeline:
2014-04-01 Issue reported to vendor
2014-04-10 Contacted vendor to verify advisory was received
2014-04-15 Vendor acknowledged that the disclosure was reviewed
           and that it expected to have a response shortly.
2014-05-17 Public Disclosure

Acknowledgments:
Researched by Matthew Kienow of Inokii.

Reference:
http://www.arrisi.com/modems/datasheet/SBG6580/SBG6580_UserGuide.pdf

Contact:
Inokii is a group of security professionals working together on information
security testing, research and training.
Email: advisory () inokii com
Web: http://www.inokii.com


Disclaimer:
Inokii is not responsible for misuse of the information provided in our
security advisories. The advisories are a service to the professional security
community. The information provided in this advisory is provided "as is" without
warranty of any kind. Inokii disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Inokii be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if Inokii have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply.
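
Added detection example (not part of the Inokii advisory and not the sbg6580_enum.rb module): a minimal BER decoder that flags SNMPv1/v2c requests or responses carrying the credential and wireless-key OIDs listed above, for use on captured UDP/161 payloads. The two subtree prefixes are derived from the advisory's OID list; the function names and the sample packet are constructed for illustration.

```python
SENSITIVE_PREFIXES = {  # added example: subtree prefixes derived from the advisory's OIDs
    "1.3.6.1.4.1.4491.2.4.1.1.6.1": "gateway UI username/password",
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.2": "wireless keys (WPA PSK / WEP)",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(data):
    """Decode BER OID content octets into dotted-decimal text."""
    subids, value = [], 0
    for byte in data:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last octet of a sub-identifier
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)  # first sub-identifier packs the first two arcs
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def flag_sensitive(packet):
    """Return (community, [(oid, label), ...]) for listed OIDs in one SNMP message."""
    _, msg, _ = read_tlv(packet, 0)
    _, version, pos = read_tlv(msg, 0)
    if int.from_bytes(version, "big") > 1:  # SNMPv3 layout differs; not handled here
        return None, []
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if pdu_tag not in (0xA0, 0xA1, 0xA2, 0xA5):  # Get, GetNext, Response, GetBulk
        return community.decode("latin-1"), []
    hits, pos = [], 0
    for _ in range(3):  # skip request-id and the two integers that follow it
        _, _, pos = read_tlv(pdu, pos)
    varbinds, pos = read_tlv(pdu, pos)[1], 0
    while pos < len(varbinds):
        _, varbind, pos = read_tlv(varbinds, pos)
        oid = decode_oid(read_tlv(varbind, 0)[1])
        hits += [(oid, label) for prefix, label in SENSITIVE_PREFIXES.items()
                 if (oid + ".").startswith(prefix + ".")]
    return community.decode("latin-1"), hits

# Constructed sample: v2c GetRequest, community "public", for the UI password OID
SAMPLE_PASSWORD = bytes.fromhex("302d02010104067075626c6963a020020101020100020100"
                                "30153013060f2b06010401a30b02040101060102000500")
```

Because Response PDUs are matched as well, a walk that starts above these subtrees is still flagged once the device returns one of the listed objects.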
