Several Cable Modem Models Affected by SNMP God Mode Flaw


A severe security flaw in the implementation of the SNMP protocol allows an attacker to take over at least 78 cable modem models, according to a team of researchers.

The vulnerability, tracked as CVE-2017-5135 but nicknamed StringBleed, affects the Simple Network Management Protocol (SNMP), a popular protocol created in the 1980s and used for managing network-connected devices.

StringBleed is an authentication bypass in SNMP v1 and v2

Since its creation, the protocol has gone through different versions, with the most recent being SNMPv3. According to Ezequiel Fernandez and Bertin Bervis, two security researchers from Argentina and Costa Rica, respectively, there is a flaw in the authentication mechanism of SNMPv1 and SNMPv2.

While v3 supports username-and-password authentication, v1 and v2 rely on a very simplistic authentication procedure that consists of sending a string inside an SNMP request from an SNMP client (app) to a device's SNMP daemon.

The device reads this string inside the SNMP request, called a “community string,” and replies to the SNMP client request, either with data or by executing an action.

Once someone authenticates on the device, they have the ability to read or write data to the system with no restrictions.

StringBleed uncovered after casual security tests

Fernandez and Bervis say that during tests in which they were trying to brute-force an SNMP connection, several pieces of their test gear responded to all authentication requests, regardless of the "community string" used.

Because the test gear exhibiting this behavior was a Cisco DPC3928SL modem/router, they reached out to the company, thinking they had discovered a lone bug in the Cisco firmware.

Since Cisco had passed the servicing of those devices on to a company called Technicolor, the researchers raised the issue with the latter. According to the research team, the company did not acknowledge the flaw and blamed it on an ISP that had misconfigured its equipment.

This led the researchers to conduct Internet-wide scans to identify the exact cause of the issue. Their results revealed the flaw affected the protocol itself, as they found it in 78 different cable modem/router models on the networks of different ISPs across the world.

StringBleed PoC available on GitHub

Researchers released proof-of-concept code on GitHub and set up a website to document the StringBleed flaw.

They have also released a list of vulnerable modem models, but with no vendor names. We filled in the hardware vendor's name for the models we could easily identify via a Google search. We have also reached out to the researchers for a list complete with all vendor names.

BCW700J —> BN-Mux
BCW710J —> BN-Mux
BCW710J2 —> BN-Mux
C3000-100NAS —> Netgear
CBV734EW —> Castlenet
CGD24G-100NAS —> Netgear
CGD24G-1CHNAS —> Netgear
CM5100 —> Netgear
CM5100-511 —> Netgear
CM-6300n —> Comtrend
DCX-3200 —> Arris
DDW2600 —> Ubee
DDW2602 —> Ubee
DG950A —> Arris
DPC2100 —> Cisco
DPC2320 —> Cisco
DPC2420 —> Cisco
DPC3928SL —> Cisco
DVW2108 —> Ubee
DVW2110 —> Ubee
DVW2117 —> Ubee
DWG849 —> Thomson
DWG850-4 —> Thomson
DWG855 —> Thomson
EPC2203 —> Cisco
EPC3212 —> Cisco
SB5100 —> Motorola
SB5101 —> Motorola
SB5102 —> Motorola
SBG6580 —> Motorola
SBG900 —> Motorola
SBG901 —> Motorola
SBG941 —> Motorola
SVG1202 —> Motorola
SVG2501 —> Motorola
TC7110.AR —> Technicolor
TC7110.B —> Technicolor
TC7110.D —> Technicolor
TC7200.d1I —> Technicolor
TC7200.TH2v2 —> Technicolor
THG540 —> Thomson
THG541 —> Thomson
Tj715x —> Terayon
TM501A —> Arris
TM502B —> Arris
TM601A —> Arris
TM601B —> Arris
TM602A —> Arris
TM602B —> Arris
TM602G —> Arris
TWG850-4U —> Thomson
TWG870 —> Thomson
TWG870U —> Thomson
U10C019 —> Ubee
U10C037 —> Ubee
WTM552G —> Arris
WTM652G —> Arris
DCM-704 —> D-Link
DCM-604 —> D-Link
DG950S —> Arris