Security researcher Yerodin Richards has found an authenticated remote code execution (RCE) vulnerability in Arris routers. This is the type of router that ISPs typically provide in loan for customers’ telephony and internet access.
After responsible disclosure Richards has published a Proof-of-Concept (PoC) that demonstrates how he, ironically used the verification against itself.
The Arris Router Firmware version 9.1.103 authenticated RCE exploit has been tested against the TG2482A, TG2492, and SBG10 models, devices that can be commonly found in the Caribbean and Latin America, says Richards.
According to Richards, when he contacted Arris (acquired by CommScope), the company said the devices running the vulnerable firmware are end-of-life (EOL) and are no longer supported by the company. This means that they are unlikely to ever get updated, even though the SBG10 is actively listed on its website.
An authenticated RCE means an attacker would need login credentials in order to exploit the vulnerability. However, it's likely that a majority of users haven't changed their default router credentials, because it is too complicated or they simply are not told clear enough that this is a necessary step in the setup process. So once an attacker knows the default credentials, they can happily exploit the vulnerability.
“It is also worth noting that there is no https setting to secure credentials in transit. I think this makes it a perfect target for botnets like Mirai that gained success using default credentials, and more experienced attackers may have more clever ways to circumvent this.”
How to protect yourself
Since we do not expect the vendor or the ISPs to patch this vulnerability, we asked the researcher for his advice.
“As for mitigation, an easy and effective way is to simply use a strong password, but still this does not stop an attacker from eavesdropping on the unprotected traffic containing the password or even manipulating the browser to gain access. A more desirable form of mitigation would be to change the firmware completely but as you said providers are lax about pushing updates and there is no easy way for an end user to do this themselves. They could run the exploit to gain a root shell and try to patch it from there but this is by no means a simple solution.”
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This vulnerability will be listed under CVE-2022-45701.
While testing options to achieve shell script command injection, the researcher found that
$ is accepted. That was promising, but when paired into
$( it was neutralized. This implies that the developer was intentionally trying to prevent command injection this way. However, there is still a flaw in the verification. If any of the disallowed characters or
$( is in the object, the object is not set and keeps its previous value. But, in the case of
\ it is simply removed from the payload subsequent to verification. This allows us to set
$() by inputting
$\(). This could have easily been prevented by also neutralizing
With this knowledge Richards was able to add a netcat reverse tcp shellcode and get a shell.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.