Numerous Cable Modems Affected by Major Network Management Vulnerability
A major weakness in Simple Network Management Protocol (SNMP) implementation is putting hundreds of thousands of internet-connected devices — cable modems in particular — at risk throughout the world, recent research shows.
Security researchers Ezequiel Fernandez and Bertin Bervis discovered a way to bypass SNMP authentication on at least 78 models of cable modems offered by internet service providers (ISPs) and designed by 19 manufacturers, including Cisco, Motorola, Technicolor, D-Link and Thomson, according to CSO.
Fernandez and Bervis initially reported the network management vulnerability to Technicolor and were told the issue “was the result of an access misconfiguration by a single ISP in Mexico rather than a problem with the device itself,” CSO reported. The manufacturer’s explanation provoked the two researchers to conduct an internet-wide scan, which helped them discover the cause of the flaw.
Nicknamed StringBleed and tracked as CVE-2017-5135, this “incorrect access control vulnerability” allows remote configuration changes on numerous devices, creating a potentially serious security issue.
“SNMP is used for automated network device identification, monitoring and remote configuration. It is supported and enabled by default in many devices, including servers, printers, networking hubs, switches and routers,” CSO explained.
The researchers found that the problem resides in the SNMP community string, the human-readable string value that SNMP versions 1 and 2 use to authenticate requests.
“The SNMP version 1 and 2 authentication should only accept the value stored in the SNMP agent authentication mechanism,” the researchers pointed out.
However, their research indicated that certain devices from various vendors accept any string or integer value, which could expose both read and write access to configuration data. Fernandez and Bervis maintain that the primary problem lies in the SNMP implementation used by the modems and isn’t the result of misconfiguration by ISPs, according to CSO.
To lessen security risks, customers can take certain actions. For instance, besides asking the ISP for another device or installing a new modem, customers can use an online port scanner to determine if a potentially vulnerable unit responds to SNMP requests over its public IP address, CSO suggested. Moreover, if SNMP is open, customers can resort to other SNMP tools to determine if public strings are in use.
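The self-check described above, done by hand, as an added example that is not part of the article or the researchers' work: it sends a single read-only SNMPv1 GetRequest for sysDescr.0 to a modem you own, using a random community string that no agent should accept, and classifies the reply. The function names and the three verdict strings are this example's own choices; an agent that answers such a request with a successful GetResponse is accepting arbitrary community strings, which is the StringBleed behaviour.

```python
import os, socket, sys
SYSDESCR_OID = b"\x2b\x06\x01\x02\x01\x01\x01\x00"  # 1.3.6.1.2.1.1.1.0, BER-encoded
def tlv(tag: int, body: bytes) -> bytes:  # BER type-length-value, short-form length
    assert len(body) < 128  # everything we build is far below this
    return bytes([tag, len(body)]) + body
def ber_int(value: int) -> bytes:
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def build_get_request(community: bytes, request_id: int) -> bytes:
    """SNMPv1 Message{version=0, community, GetRequest-PDU for sysDescr.0}."""
    varbind = tlv(0x30, tlv(0x06, SYSDESCR_OID) + tlv(0x05, b""))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community) + pdu)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos); handles short- and long-form BER lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_response(resp: bytes, request_id: int) -> str:
    """'vulnerable' if the agent answered our unknown community with a successful
    GetResponse, 'rejected' if it answered with an SNMP error, else 'malformed'."""
    try:
        tag, msg, _ = read_tlv(resp, 0)
        _, _, pos = read_tlv(msg, 0)            # version
        _, _, pos = read_tlv(msg, pos)          # community echoed back
        pdu_tag, pdu, _ = read_tlv(msg, pos)
        _, rid, pos = read_tlv(pdu, 0)
        _, err, _ = read_tlv(pdu, pos)          # error-status (0 = noError)
    except IndexError:
        return "malformed"
    if tag != 0x30 or pdu_tag != 0xA2 or int.from_bytes(rid, "big", signed=True) != request_id:
        return "malformed"
    return "rejected" if int.from_bytes(err, "big", signed=True) else "vulnerable"

def probe(host: str, timeout: float = 3.0) -> str:
    """Send one GetRequest with a random community string to host:161 (your own modem)."""
    rid, community = int.from_bytes(os.urandom(2), "big") & 0x7FFF, os.urandom(8).hex().encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, rid), (host, 161))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply (unknown community dropped silently, or port filtered)"
    return classify_response(resp, rid)

if __name__ == "__main__":
    print(probe(sys.argv[1]))  # argument: the public IP address of the modem being checked
```

A compliant SNMPv1 agent silently discards requests with an unknown community, so "no reply" is the expected result for a healthy device; run the check from outside your own network, since the flaw concerns the modem's public-facing interface.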