Three backdoors found in Arris modems

02 September 2017, 23:20 | Technologies

Security researchers found 5 vulnerabilities in modems made by Arris. Three of them are backdoor accounts, one allows remote command execution, and one allows firewall security settings to be bypassed.

Attackers can use these accounts on the devices to gain full access to the modem. An attacker could, for example, install their own firmware and add the modem to a botnet.

According to the Nomotion report, the flaws are found both in the standard Arris firmware and in the additional code added by the hardware manufacturers.

The researchers said that the vulnerabilities are present in the NVG589 and NVG599 modem models. Neither model is listed on the manufacturer's web site, and neither is supported any longer. Nevertheless, according to Censys and Shodan, at least 220,000 vulnerable devices are connected to the Internet.

The first backdoor affects modems that are reachable over SSH. Attackers can use the default login and password (remotessh / 5SaP9I26) to authenticate to any such modem with root privileges. The researchers stated that they identified only 15,000 Arris modems with this backdoor, which suggests that providers or hardware manufacturers most likely blocked external SSH access to most devices.

The second backdoor is in modems that ship with a built-in web server hosting the internal admin panel. Attackers can authenticate on port 49955 with the username "tech" and a blank password. This allows them to run shell commands in the context of the web server.



Another backdoor requires the attacker to know the serial number of the device. With this information, the attacker can authenticate through port 61001 using the login and password "bdctest / bdctest". According to the researchers, this account exposes logs, the modem's Wi-Fi credentials and the MAC addresses of internal hosts.

Nomotion published instructions on its website that allow users to protect themselves from exploitation of detected vulnerabilities.
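
For owners of an affected modem, one way to check whether the three service ports named above answer on a device you administer. This is an added example, not code from Nomotion or from the original article. It only attempts a TCP connection and sends no credentials, and the default address 192.168.1.254 is an assumed placeholder.

```python
"""Check whether a modem you administer exposes the three service ports
named in the article. Only a TCP connect is attempted; no login is tried."""
import socket
import sys

# Port -> service, as described in the article above.
SERVICES = {
    22: "SSH (first backdoor account)",
    49955: "built-in web server / admin panel (second backdoor account)",
    61001: "service on port 61001 (third backdoor account)",
}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or filtered
        return False


def check_exposure(host, services=SERVICES, timeout=2.0):
    """Return {port: (description, reachable)} for every listed service."""
    return {
        port: (desc, port_open(host, port, timeout))
        for port, desc in services.items()
    }


def exposed_ports(host, services=SERVICES, timeout=2.0):
    """Sorted list of listed ports that accepted a connection."""
    results = check_exposure(host, services, timeout)
    return sorted(p for p, (_, is_open) in results.items() if is_open)


if __name__ == "__main__":
    # Assumption: placeholder LAN address; pass your modem's address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.254"
    results = check_exposure(target)
    for port, (desc, is_open) in sorted(results.items()):
        state = "REACHABLE" if is_open else "closed/filtered"
        print(f"{target}:{port:<5} {state:<15} {desc}")
    # Non-zero exit status if any listed port answered, for use in scripts.
    sys.exit(1 if any(is_open for _, is_open in results.values()) else 0)
```

Run it once against the modem's LAN address and once, from an outside network, against your public address: a port that answers from outside is the exposure the researchers counted through Censys and Shodan.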

Based on materials: nomotion.net


