Some Cable Modems Found to Leak Sensitive Data Via SNMP

Dennis Fisher, threatpost.com
Sep 04, 2014 - 11:43 a.m.

EPSS: 0.031 (Low), percentile 91.1%

Cable modems sold by two manufacturers expose a wide variety of sensitive information over SNMP, including usernames and passwords, WEP keys and SSIDs. Researchers who discovered the vulnerabilities say they’re trivially exploitable and plan to release Metasploit modules for them later this month.

The broadband modems, manufactured by Netmaster and ARRIS, leak the sensitive information through the exposure of the SNMP community string. That string is a kind of password that clients send in cleartext as a form of authentication. It is part of the original SNMP standard, and a pair of security researchers discovered that the ARRIS Touchstone and Netmaster Wireless Cable Modem accept the community string from the network and, in return, expose the sensitive information.

“By default this device was found exposing critical information via SNMP public community string. According to Shodan over 50,000 of these devices are exposing SNMP to the internet,” Tod Beardsley of Rapid7 wrote in a post explaining the flaws, which were discovered by Deral Heiland and Matthew Kienow.

The same issue applies to both the ARRIS and Netmaster cable modems, and the researchers found that they expose the password, SSID, WPA pre-shared key, WEP keys and, in the case of Netmaster, the username. The two researchers who discovered the vulnerabilities plan to discuss the problems at the DerbyCon conference in late September and release a Metasploit module to exploit them, as well.

The effect of the vulnerability is that a remote, unauthenticated attacker would be able to retrieve the exposed information and presumably gain access to the affected device. The CERT/CC has issued an advisory about the issue in the ARRIS modems.
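As an added example (not code from the article, Rapid7 or the vendors), a small Python parser that reads the version and community string out of a raw SNMP datagram and reports what a defender monitoring a modem's WAN side would want flagged: a cleartext SNMPv1/v2c community, a default one such as "public", and acceptance on the Internet-facing interface. The sample datagram is constructed here, and `from_wan` is an assumed flag the caller derives from the receiving interface.

```python
DEFAULT_COMMUNITIES = {b"public", b"private"}      # common vendor defaults
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram):
    """Return (version, community, pdu_type) from a raw SNMP UDP payload.
    SNMPv3 carries no community string, so those fields come back as None."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, raw_version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(raw_version, "big")
    if version == 3:
        return version, None, None
    _, community, pos = read_tlv(body, pos)     # OCTET STRING community
    pdu_tag, _, _ = read_tlv(body, pos)          # context tag names the PDU
    return version, community, PDU_NAMES.get(pdu_tag, hex(pdu_tag))

def assess(datagram, from_wan):
    """List the risk findings for one SNMP datagram. from_wan is an assumed
    flag the caller sets when the packet arrived on the Internet-facing side."""
    version, community, pdu = parse_snmp_header(datagram)
    findings = []
    if version in (0, 1):
        findings.append(f"SNMP{VERSION_NAMES[version]} {pdu}: community sent in cleartext")
        if community in DEFAULT_COMMUNITIES:
            findings.append(f"default community string {community.decode()!r}")
    if from_wan:
        findings.append("SNMP accepted on the Internet-facing interface")
    return findings

# Constructed sample: SNMPv2c GetRequest for sysDescr.0 with community "public".
SAMPLE_GET = bytes.fromhex(
    "3026" "020101" "04067075626c6963"          # SEQUENCE, version 1 (v2c), "public"
    "a019" "020101" "020100" "020100"           # GetRequest: req-id, err-status, err-index
    "300e300c06082b060102010101000500")         # varbind sysDescr.0 = NULL

if __name__ == "__main__":
    for finding in assess(SAMPLE_GET, from_wan=True):
        print("FINDING:", finding)
```

Feeding captured UDP/161 payloads from the WAN interface through `assess` turns the exposure described in the article into an alert; an empty result for v3-only traffic on the LAN side is the expected healthy state.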

