============================= ===========
Inokii Security Advisory
Inokii-ID: 2014-01
============================== ==========
Affected Product:
ARRIS / Motorola SURFboard SBG6580 Series Wi-Fi Cable Modem Gateway
Severity Rating:
Important
Impact:
Username and password for the user interface as well as wireless network keys
can be disclosed through SNMP.
Description:
The SBG6580 Cable Modem Gateway product specifications include SNMP v2 & v3
under Network Management. The management information bases (MIBs) of various
device subsystems on the SBG6580 allows local network users to discover user
interface credentials and wireless network key values through simple SNMP
requests for the value of these variables. Given the security authentication
in SNMPv1 and SNMPv2c do not offer sufficient protection, this increases the
risk that the values can be disclosed through SNMP using the default
read-only community "public".
The issue was confirmed in software version SBG6580-6.5.0.0-GA-00-226- NOSH.
Object Identifiers (OIDs):
1. Cable Modem Gateway User Interface
a. Username: 1.3.6.1.4.1.4491.2.4.1.1.6.1. 1.0
b. Password: 1.3.6.1.4.1.4491.2.4.1.1.6.1. 2.0
2. Primary Wireless Network
a. Network Name (SSID): 1.3.6.1.4.1.4413.2.2.2.1.5.4. 1.14.1.3.32
b. WPA Pre-Shared Key: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.4.1.2.32
c. WEP PassPhrase: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.1.1.3.32
d. WEP 64-bit Network Keys
* Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.2.1.2.32.1
* Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.2.1.2.32.2
* Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.2.1.2.32.3
* Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.2.1.2.32.4
e. WEP 128-bit Network Keys
* Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.3.1.2.32.1
* Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.3.1.2.32.2
* Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.3.1.2.32.3
* Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.3.1.2.32.4
3. Guest Wireless Network
a. Network Name (SSID): 1.3.6.1.4.1.4413.2.2.2.1.5.4. 1.14.1.3.33
b. WPA Pre-Shared Key: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.4.1.2.33
c. WEP PassPhrase: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.1.1.3.33
d. WEP 64-bit Network Keys
* Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.2.1.2.33.1
* Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.2.1.2.33.2
* Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.2.1.2.33.3
* Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.2.1.2.33.4
e. WEP 128-bit Network Keys
* Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.3.1.2.33.1
* Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.3.1.2.33.2
* Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.3.1.2.33.3
* Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4. 2.3.1.2.33.4
A Metasploit Framework module, sbg6580_enum.rb, was created to demonstrate
the information exposure. The module can be found under Inokii's fork of
the Metasploit Framework. https://github.com/inokii/ metasploit-framework
Disclosure Timeline:
2014-04-01 Issue reported to vendor
2014-04-10 Contacted vendor to verify advisory was received
2014-04-15 Vendor acknowledged that the disclosure was reviewed
and expected to have a response shortly.
2014-05-17 Public Disclosure
Acknowledgments:
Researched by Matthew Kienow of Inokii.
Reference:
http://www.arrisi.com/modems/ datasheet/SBG6580/SBG6580_ UserGuide.pdf
Contact:
Inokii is a group of security professionals working together on information
security testing, research and training.
Email: advisory@inokii.com
Web: http://www.inokii.com
Disclaimer:
Inokii is not responsible for misuse of the information provided in our
security advisories. The advisories are a service to the professional security
community. The information provided in this advisory is provided "as is" without
warranty of any kind. Inokii disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Inokii be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if Inokii have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply.
Inokii Security Advisory
Inokii-ID: 2014-01
==============================
Affected Product:
ARRIS / Motorola SURFboard SBG6580 Series Wi-Fi Cable Modem Gateway
Severity Rating:
Important
Impact:
Username and password for the user interface as well as wireless network keys
can be disclosed through SNMP.
Description:
The SBG6580 Cable Modem Gateway product specifications include SNMP v2 & v3
under Network Management. The management information bases (MIBs) of various
device subsystems on the SBG6580 allows local network users to discover user
interface credentials and wireless network key values through simple SNMP
requests for the value of these variables. Given the security authentication
in SNMPv1 and SNMPv2c do not offer sufficient protection, this increases the
risk that the values can be disclosed through SNMP using the default
read-only community "public".
The issue was confirmed in software version SBG6580-6.5.0.0-GA-00-226-
Object Identifiers (OIDs):
1. Cable Modem Gateway User Interface
a. Username: 1.3.6.1.4.1.4491.2.4.1.1.6.1.
b. Password: 1.3.6.1.4.1.4491.2.4.1.1.6.1.
2. Primary Wireless Network
a. Network Name (SSID): 1.3.6.1.4.1.4413.2.2.2.1.5.4.
b. WPA Pre-Shared Key: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
c. WEP PassPhrase: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
d. WEP 64-bit Network Keys
* Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
* Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
* Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
* Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
e. WEP 128-bit Network Keys
* Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
* Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
* Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
* Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
3. Guest Wireless Network
a. Network Name (SSID): 1.3.6.1.4.1.4413.2.2.2.1.5.4.
b. WPA Pre-Shared Key: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
c. WEP PassPhrase: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
d. WEP 64-bit Network Keys
* Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
* Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
* Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
* Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
e. WEP 128-bit Network Keys
* Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
* Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
* Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
* Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.
A Metasploit Framework module, sbg6580_enum.rb, was created to demonstrate
the information exposure. The module can be found under Inokii's fork of
the Metasploit Framework. https://github.com/inokii/
Disclosure Timeline:
2014-04-01 Issue reported to vendor
2014-04-10 Contacted vendor to verify advisory was received
2014-04-15 Vendor acknowledged that the disclosure was reviewed
and expected to have a response shortly.
2014-05-17 Public Disclosure
Acknowledgments:
Researched by Matthew Kienow of Inokii.
Reference:
http://www.arrisi.com/modems/
Contact:
Inokii is a group of security professionals working together on information
security testing, research and training.
Email: advisory@inokii.com
Web: http://www.inokii.com
Disclaimer:
Inokii is not responsible for misuse of the information provided in our
security advisories. The advisories are a service to the professional security
community. The information provided in this advisory is provided "as is" without
warranty of any kind. Inokii disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Inokii be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if Inokii have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply.