Unpatched ABD gateways and routers are vulnerable to three high-risk vulnerabilities

The SEC Vulnerability Advisory Lab pointed out in a notice released last week that the Epicentro-based broadband gateways and routers manufactured by Advanced Digital Broadcast (ABD) are vulnerable to three security vulnerabilities, CVE-2018-13108. Effects of CVE-2018-13109 and CVE-2018-13110.

These three vulnerabilities are described as local root jailbreak vulnerabilities, privilege bypass vulnerabilities, and privilege escalation vulnerabilities. Their severity rated as “critical”. Successful exploitation allows attackers to gain access to vulnerable devices. Full control permission

Johannes Greil of the SEC Vulnerability Consulting Lab reported that by exploiting the local root jailbreak vulnerability CVE-2018-13108 on unpatched ABD gateways and routers, attackers can gain full control over vulnerable devices, enabling them to Modify settings, retrieve all stored user credentials, and launch an attack on the internal network side of the Internet provider (ISP).

Greil explained that a flaw in network file sharing caused the vulnerability. The Network File Sharing feature on ADB broadband devices can access via the network protocol Samba for USB devices, and an attacker can abuse the Samba daemon and access the USB port with the highest access rights, then export the network share with root privileges.

CVE-2018-13109 is essentially an authorization bypass vulnerability that an attacker can use to gain access to a device setting that the user is denied access to. It’s worth noting that this exploit can also remotely access by manipulating settings, allowing the telnet server to access remote access when the ISP previously disabled it remotely. However, this attack scenario was confirmed to require some user account login information to be implemented.

CVE-2018-13110 is a privilege elevation vulnerability implemented through Linux group operations that allow an attacker to access the device’s command line interface (CLI) even if the ISP has previously disabled the CLI. Depending on the capabilities provided by the CLI, it is possible for an attacker to gain access to the entire configuration and to escalate permissions to the highest level of access by manipulating the settings of the web GUI.

According to the announcement of the SEC Vulnerability Consulting Laboratory, the product types affected by the vulnerability include ADB P.RG AV4202N, ADB DV 2210, ADB VV 5522 and ADB VV 2220. From the ADB website, the affected products may consist of the EVDSL/G.Fast/Fiber Gateway Dual-band WirelessAC1600 ST6840 and the GPON Gateway Dual-band Wireless AC1600 VG4820 based on the Epicentro platform.

According to relevant information, ADB produces routers and modems for more than 20 broadband and communications companies worldwide, and Cox Communication and Charter Communications, the third largest Internet service providers in North America, appear to be their customers. Currently, Cox and Charter have not responded to how many users may be affected.

The three vulnerabilities first discovered in June 2016, and the patch for vulnerabilities launched in July 2017. After two years, the SEC Vulnerability Consulting Lab finally decided to disclose the details of the vulnerability last week publicly.

Source: seclists