Researchers have discovered five critical vulnerabilities in Ubee EVW3226, a VoIP cable modem router used by operators across Europe, which can be exploited to compromise the device.
“An attacker with root access to such a device can enable attacks on connected networks, such as administrative networks managed by the ISP or other cable modem users,” Manuel Hofer from the SEC Consult Vulnerability Lab pointed out in an advisory released last week.
They have been sitting on this information since January 2016, and disclosed it now even though Ubee Interactive has been dragging its feet and still hasn’t pushed out a patch.
The disclosure details the five flaws as follows:
- Missing authentication for configuration download
- Plaintext storage of administrative password
- “Encrypted” configuration backup not actually encrypted
- Authenticated arbitrary file upload leading to arbitrary command execution
- Heap-based buffer overflow vulnerability in URL decoding.
They affect version 1.0.20 of the firmware.
According to Hofer, Ubee told them in late February that the first four have been fixed, but a patch for the fifth was still in the works. That was the last information they managed to get from Ubee.
UPC Austria, the largest cable television operator in the country, which uses the device the researchers tested, told them last week that they are in close contact with the manufacturer and are working together on a solution to the problems caused by the factory.
“The update will be implemented some time in June following successful testing,” they added, and noted that they’ve been swapping customers’ older modems for new-generation ones in the last two years.
“Vulnerabilities described in this security advisory might be exploited in
combination with other vulnerabilities not associated with this product (XSS in
web forums accessing the modem, malvertising, etc.),” the researchers pointed out.
They recommended that the device is not used by anyone until a thorough security review has been performed by security professionals and all identified issues have been resolved.
“Network security should not depend on the security of independent devices, such as cable modems,” they noted with obvious annoyance, but still held firm to responsible disclosure principles and refrained from releasing PoC attack code until the fix is made available and is (hopefully) widely implemented.