ARRIS SURFboard 6141 Modem Denial Of Service
Posted on 30 November -0001
<HTML><HEAD><TITLE>ARRIS SURFboard 6141 Modem Denial Of Service</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>ARRIS (formerly Motorola) SURFboard 6141 broadband cable modems, with the latest firmware deployed by Time Warner Cable, have a LAN-side web UI with a fixed IP address, that does not require authentication, and a cross site request forgery vulnerability through which it is possible to reboot the modem with one click. It is also possible to factory reset the modem with a simple unauthenticated URL. This causes a longer outage while the modem renegotiates with the ISP - which can in certain cases even require calling the ISP to initiate the reactivation. The vendor describes the SB6141 as the "#1 selling modem," with over 135 million units sold. However, MITRE informed me that this product line is current not in scope for CVE assignment, so there is no CVE identifier for these vulnerabilities. The following proof of concept website includes the reboot command as the src attribute to an img tag. As such, VISITING THIS POC LINK WILL REBOOT THE LOCAL CABLE MODEM: http://RebootMyModem.net Caveats: this flaw affects the consumer-oriented, LAN-side administrative interface, which only supplies diagnostic data and logs, along with reboot and factory reset functions. This is NOT the ISP-oriented, WAN-side interface. This has been demonstrated on a SURFboard 6141 modem running SB_KOMODO-1.0.6.14-SCM01-NOSH, the current firmware deployed to Time Warner Cable customers. Other models and other ISPs may or may not have the same design flaw. Details, screen shots of the UI as it is intended to be used, suggested iptables rules to limit exposure, and a complete disclosure timeline are at the following link (without exploitation): http://www.securityforrealpeople.com/rebootmymodem Regards, David Longenecker Connect: Blog <http://securityforrealpeople.com/> | @dnlongen <https://www.twitter.com/dnlongen> | LinkedIn <https://www.linkedin.com/in/dnlongen/> PGP key: https://keybase.io/dnlongen</BODY></HTML>