Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Verizon Fios Quantum Gateway Routers Patched for Multiple Vulnerabilities

Tenable Research discovered multiple vulnerabilities in Verizon’s Fios Quantum Gateway routers.

Background

Tenable Research has discovered multiple vulnerabilities in the Verizon Fios Quantum Gateway (G1100) router. Verizon has released firmware version 02.02.00.13 to fix these vulnerabilities.

Analysis

There is a sticker on the side of the routers. Each customer is given a different Wireless network name, Wireless password, and Administrator password. These vulnerabilities are focused around the Administrator password, not the password you use to connect to the Wi-Fi. The Administrator password is there for the Verizon customer to log into the router to perform various tasks that define the network. The vulnerabilities include:

CVE-2019-3914 - Authenticated Remote Command Injection

This vulnerability can be triggered by adding a firewall access control rule for a network object with a crafted hostname. An attacker must be authenticated to the device's administrative web application in order to perform the command injection. In most cases, the vulnerability can only be exploited by attackers with local network access. However, an internet-based attack is feasible if remote administration is enabled; it is disabled by default.

CVE-2019-3915 - Login Replay

Because HTTPS is not enforced in the web administration interface, an attacker on the local network segment can intercept login requests using a packet sniffer. These requests can be replayed to give the attacker admin access to the web interface. From here, the attacker could exploit CVE-2019-3914.

CVE-2019-3916 - Password Salt Disclosure

An unauthenticated attacker is able to retrieve the value of the password salt by simply visiting a URL in a web browser. Given that the firmware does not enforce the use of HTTPS, it is feasible for an attacker to capture (sniff) a login request. The login request contains a salted password hash (SHA-512), so the attacker could then perform an offline dictionary attack to recover the original password.

Impact

These routers are supplied to all new Verizon Fios customers unless they elect to use their own router, which isn’t very common. Tenable researcher Chris Lyne has outlined several potential attack scenarios for these vulnerabilities.

Scenario 1: Rebellious teen (insider threat)

CVE-2019-3915 - Login Replay

Let's assume the Verizon customer is a parent of a teenager. The teenager wants to circumvent parental controls, as teens are wont to do. Let's assume the parent is smart and has changed the Administrator password for the router. The teen can’t just use the credentials on the sticker to log into the administrative interface and change the parental controls. They have to try something else.

It's safe to say that a concerned parent would log into the router from time to time to check whether the teen has tried to flout the parental controls. Because HTTPS is not enforced in the web browser, a clever teen could perform packet sniffing and record the parent’s login. After recording the login sequence, the teen could then replay the login to gain access to the router's administrative interface (CVE-2019-3915). At this point, he or she could change the parental controls, delete evidence of misbehavior, etc.

Scenario 2: The house guest who never left (insider threat, remote attack)

CVE-2019-3914 - Authenticated Remote Command Injection

People have house guests over all the time - family members, friends, friends of friends, or maybe even AirBNB guests. Often, you'll give your guests your Wi-Fi password (WPA2 key) to allow them to use your internet connection.

So, the house guest is physically in your home and has connected to your Wi-Fi. The house guest can determine your public IP address by visiting https://www.whatismyip.com/ on their mobile device. They could also take a photo of the credential sticker on the Verizon Fios Quantum Gateway router.

Using this information, the house guest could do either of the following:

  1. Log into the router's administrative web interface to enable Remote Administration.
  2. Hope that Remote Administration is already enabled. (A Shodan.io search shows 15,323 Verizon routers with Remote Administration enabled.)

After the house guest leaves, he or she can exploit CVE-2019-3914 remotely, from across the internet, to gain remote root shell access to the router's underlying operating system. From here, the house guest has control of the network. The attacker can create back doors, record sensitive internet transactions, pivot to other devices, etc.

Scenario 3: Verizon tech support social engineering (remote attack)

CVE-2019-3914 - Authenticated Remote Command Injection

Social engineering attacks aren’t just about phishing campaigns and data breaches due to untrained employees. They happen against “average” consumers all the time, too. It is entirely possible that a malicious actor would perform social engineering by masquerading as a Verizon tech support employee.

In this scenario, the attacker, posing as a customer support employee, calls a Verizon customer (victim) and pretends there is some sort of an issue with their Verizon Fios service. The attacker asks the customer for his/her Administrator password on the side of the router and to log into the router's admin web interface. At this point, the attacker could ask for the Public IP address which is conveniently displayed immediately after logging in. Also, the attacker would ask the victim to enable Remote Administration.

With this information, the attacker can exploit CVE-2019-3914 remotely, with the same outcome as Scenario 2.

Solution

Users are urged to confirm that their router is updated to version 02.02.00.13, and if not, contact Verizon for more information. It is recommended that users keep remote administration disabled.

Additional information

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.