CVE-2022-31793: muhttpd web server flaw affects Arris/Arris-variant DSL/Fiber router

muhttpd (mu HTTP daemon) is a simple but complete web server written in portable ANSI C. It supports static pages, CGI scripts, MIME type-based handlers, and HTTPS. It drops privileges before accepting any connections, and it can log received requests. It has been tested on GNU/Linux, NetBSD, FreeBSD, Mac OS X, and Cygwin. It runs successfully on 32 bits and 64 bits, little-endian and big-endian systems. This web server is widely used in ISP customer premise equipment (CPE), most notably in Arris firmware used in router models (at least, possibly other) NVG443, NVG599, NVG589, NVG510, as well as ISP-customized variants such as BGW210 and BGW320 (Arris has declined to confirm affected models).

On July 29th, 2022, Derek Abdine, a security researcher, disclosed multiple vulnerabilities in Arris routers, the most critical being CVE-2022-31793.

The flaw tracked as CVE-2022-31793, classified as critical, is path traversal from the filesystem root. “do_request in request.c in muhttpd before 1.1.7 allows remote attackers to read arbitrary files by constructing a URL with a single character before a desired path on the filesystem,” read the MITRE website.

The security flaw was introduced with the release of muhttpd server 1.1.5 (last official release 2010). This vulnerability allows an unauthenticated remote attacker (in cases where remote administration is enabled) or any local (LAN) party to obtain:

• The contents of the md5crypt (salted/hashed) passwords in /etc/passwd, which can be passed to password cracking rigs to identify the administrator password to change configuration settings on the device. The “remote” account corresponds to the remote management password (remote administration).
• Via the device “sdb” database file located at /etc/config.cfg (requires extra steps, see the sections on deobfuscation and decryption below):
  • The SSID and plaintext password of the 2G and 5G WiFi networks broadcast by the device, and their independent on/off states.
  • The usernames and (sometimes encrypted) passwords of all administration accounts on the system. Several accounts (administrator, dslf-config) have passwords set to the device pin (printed on a sticker on the device itself).
  • ISP TR-069 / CWMP ACS and CR configuration information, including CWMP endpoint URLs, logging urls and their usernames and passwords (sometimes encrypted), per subscriber (unknown if any are shared).
  • SIP usernames (phone numbers) and passwords, including SIP endpoint URLs.
  • Port forwarding configuration information, including the external port, internal port and mac address of the device which has a port forward configuration. When combined with the LAN device list, it can enable more sophisticated targeting.
• Sensitive network information, such as established TCP connections and the router’s ARP table, and various MAC addresses, via the proc filesystem. The MAC address of the wireless networks (BSSID) can be used to geolocate these routers via wigle.net.
• Router process information can be brute forced by walking the proc filesystem
• The router serial number
• A complete list of the LAN IP address, hostname, MAC, uptime, and device characteristics such as the operating system and known applications of every device on the LAN
• Various system & firewall logs

According to the researcher, “Internet Service Providers (ISPs) around the world typically loan these routers out to their collective millions of subscribers, though only up to 19,000 have been visible on the public Internet.”

The users should update to the latest version of firmware/software provided by your vendor. It is advised to disable remote administration (typically at http(s)://192.168.1.254/)  since that limits the exploitability of the vulnerabilities to LAN attacks.