A cybersecurity researcher at Tenable has discovered multiple security vulnerabilities in Verizon Fios Quantum Gateway Wi-Fi routers that could allow remote attackers to take complete control of an affected router, exposing every other device connected to it.
Currently used by millions of consumers in the United States, Verizon Fios Quantum Gateway Wi-Fi routers have been found to contain three security vulnerabilities, tracked as CVE-2019-3914, CVE-2019-3915, and CVE-2019-3916.
The flaws in question are authenticated command injection (with root privileges), login replay, and password salt disclosure vulnerabilities in the Verizon Fios Quantum Gateway router (G1100), according to technical details Chris Lyne, a senior research engineer at Tenable, shared with The Hacker News.
Authenticated Command Injection Flaw (CVE-2019-3914)
When reviewing the log file on his router, Chris noticed that the "Access Control" rules in the Firewall settings, available in the router's web interface, were not properly sanitizing the "hostname" parameter before passing its value as part of a command to the console.
Injecting malicious input as the hostname therefore manipulates the firewall command, allowing an attacker to execute arbitrary code on the affected device.
"Notice the iptables command being issued. Clearly, I must have entered tenable [keyword] in here at some point. That got me thinking… I wonder if I can inject an OS command into this," the researcher said in a blog post.
"Clearly, this has to do with Access Control rules in the Firewall settings. I investigated the web interface to see if I could find tenable anywhere."
However, it should be noted that to exploit this vulnerability (CVE-2019-3914) the attacker first needs access to the router's web interface, which reduces the attack surface unless the victim relies on a default or weak password.
Also, affected routers don't come with remote administration enabled by default, which further reduces the threat of Internet-based attacks.
"There are two attack scenarios that enable an attacker to execute commands remotely. First, the insider threat would allow an attacker to record the login sequence (salted hash) using a packet sniffer. Either through legitimate access (a house guest) or social engineering (customer support scam), an attacker could obtain the target router's administrator password from the sticker on the router and public IP address. They can then either turn remote administration on, confirm it is enabled, or use the same social engineering ruse to have the victim enable it," Chris told The Hacker News in an email interview.
"Then, the attacker can exploit CVE-2019-3914 remotely, from across the internet, to gain remote root shell access to the router's underlying operating system. From here, they have control of the network. They can create back doors, record sensitive internet transactions, pivot to other devices, etc."
As shown in the video demonstration, since the router ships with an embedded Java Virtual Machine (JVM), an attacker can upload a Java-based payload to obtain a reverse shell with root privileges and launch further attacks.
To execute a Java reverse shell, the attacker only needs to upload and run a Java class. As the researcher said, "I accomplished this by programming the HTTP listener to return a Base64-encoded, compiled Java class in the response body. Additionally, the Java code was compiled for the target JVM (Java SE 1.8)."
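The defect behind CVE-2019-3914 is a value from a web form reaching a console command without validation. The following added example (not Tenable's proof-of-concept and not Verizon's firmware code) shows the vulnerable string-building pattern beside a hardened builder that enforces a hostname allow-list and produces an argv list for an exec-style call; the iptables rule shape is assumed, and nothing is executed.

```python
from __future__ import annotations

import re
import shlex

# RFC 1123 hostname grammar, used here as the allow-list a firewall rule form
# should enforce before the value reaches any command (assumed policy).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")
SHELL_OPERATORS = {";", "&&", "||", "|", "&"}


def build_rule_unsafe(hostname: str) -> str:
    """Vulnerable pattern: the user-supplied hostname is spliced into a shell
    command string, so shell control operators in it become extra commands."""
    return f"iptables -A INPUT -s {hostname} -j DROP"


def build_rule_safe(hostname: str) -> list[str]:
    """Hardened pattern: reject anything outside the hostname grammar, then
    build an argv list for an exec-style call (subprocess.run with
    shell=False), so no shell ever parses the value."""
    if len(hostname) > 253 or not HOSTNAME_RE.match(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["iptables", "-A", "INPUT", "-s", hostname, "-j", "DROP"]


def shell_operators_in(cmd: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would and return the
    control operators found: a non-empty result means more than one command
    would run. Used to show the defect without executing anything."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok in SHELL_OPERATORS]


if __name__ == "__main__":
    # Constructed sample inputs: a benign hostname and one carrying a shell
    # operator, the shape of input the unsafe builder mishandles.
    for value in ("a.example.com", "a.example.com; id"):
        unsafe = build_rule_unsafe(value)
        print(f"{value!r}: unsafe -> {unsafe!r} operators={shell_operators_in(unsafe)}")
        try:
            print(f"{value!r}: safe   -> {build_rule_safe(value)}")
        except ValueError as exc:
            print(f"{value!r}: safe   -> {exc}")
```

The allow-list is the primary control; the argv form is defence in depth, since even a validated value should never be handed to a shell for re-parsing.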
Besides the technical details and the video demonstration, the researcher has also released proof-of-concept exploit code for this vulnerability.
Login Replay And Password Salt Disclosure Flaws
The second vulnerability, identified as CVE-2019-3915, exists because the router's web administration interface relies on an insecure HTTP connection.
It allows network-based attackers to intercept login requests using a packet sniffer and replay them to gain admin access to the web interface.
The third flaw, identified as CVE-2019-3916, allows an unauthenticated attacker to retrieve the value of the password salt by simply visiting a URL in a web browser.
Since the router firmware does not enforce HTTPS, attackers can capture a login request containing the salted password hash (SHA-512), which, combined with the disclosed salt, can then be used to recover the plaintext password.
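To make the replay risk of CVE-2019-3915 concrete, here is an added example (not code from Tenable, Verizon, or the router) that models a login sending a static salted SHA-512 beside an assumed nonce-based challenge-response design; SALT and PASSWORD are constructed sample values, and the nonce scheme is an illustration, not a description of the router's fix.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed sample credentials, not values from the page or any real device.
SALT = "c0ffee42"          # public in the CVE-2019-3916 case
PASSWORD = "correct-horse"

def salted_hash(salt: str, password: str) -> str:
    """Deterministic SHA-512 over salt+password: identical on every login."""
    return hashlib.sha512((salt + password).encode()).hexdigest()

def static_login(verifier: str, token: str) -> bool:
    """Login that accepts the bare salted hash: one capture on cleartext HTTP
    is enough to send it again."""
    return hmac.compare_digest(verifier, token)

class NonceLoginServer:
    """Assumed replay-resistant design: the server issues a single-use random
    nonce and the client answers with an HMAC over it keyed by the salted hash,
    so a captured (nonce, response) pair is useless a second time."""
    def __init__(self, salt: str, password: str) -> None:
        self._verifier = salted_hash(salt, password)
        self._outstanding: set[str] = set()
    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return nonce
    def login(self, nonce: str, response: str) -> bool:
        if nonce not in self._outstanding:   # never issued, or already consumed
            return False
        self._outstanding.discard(nonce)     # single use: a replay fails here
        expected = hmac.new(self._verifier.encode(), nonce.encode(), "sha512").hexdigest()
        return hmac.compare_digest(expected, response)

def client_response(salt: str, password: str, nonce: str) -> str:
    return hmac.new(salted_hash(salt, password).encode(), nonce.encode(), "sha512").hexdigest()

def replay_demo() -> dict[str, bool]:
    """Capture one login under each design, then send the same bytes again."""
    verifier = salted_hash(SALT, PASSWORD)
    token = salted_hash(SALT, PASSWORD)                  # what a sniffer sees
    out = {"static_first": static_login(verifier, token),
           "static_replay": static_login(verifier, token)}
    server = NonceLoginServer(SALT, PASSWORD)
    nonce = server.challenge()
    response = client_response(SALT, PASSWORD, nonce)   # also visible to a sniffer
    out["nonce_first"] = server.login(nonce, response)
    out["nonce_replay"] = server.login(nonce, response)
    return out
```

A challenge-response only stops replay; with the salt public and the exchange still in cleartext, the captured material remains usable for offline guessing of the password, which is why enforcing HTTPS is the fix that matters here.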
Tenable responsibly reported these vulnerabilities to Verizon, which acknowledged the issues and addressed them in firmware version 02.02.00.13, to be applied automatically.
"However, they've [Verizon] since advised that they are still working to push auto updates to a small fraction of devices. Users are urged to confirm that their router is updated to version 02.02.00.13, and if not, contact Verizon for more information."
At the time of writing, a simple Shodan search revealed that nearly 15,000 Verizon Fios Quantum Gateway Wi-Fi routers with remote administration were accessible on the Internet. However, it's unknown how many of them are running the patched firmware version.