brycewade
Jan 13, 2020 | Follower
Firmware upgrade for Cable Haunt vulnerability on CM1000?
With the recent announcement of the Cable Haunt vulnerability (see https://cablehaunt.com/) and the inclusion of the CM1000 modem on the list of affected devices, is there an updated firmware availabl...
jvroom
Jan 13, 2020 | Initiate
Thanks for this helpful info.
I will add Netgear CM500 to the list of cable modems vulnerable to Cable Haunt (I have firmware V1.01.12). If I navigate to 192.168.100.1 and log in with admin/password, I get to an admin interface on the cable modem. If I navigate to 192.168.100.1:8080, I get to the problematic "spectrum" web screen that gives stats to the cable company about your modem's performance. Neither screen lets me add security, and from what I understand the 8080 server allows websocket connections directly from a web-browser session. That will allow a hacker to take over the cable router and run their own code there just by visiting a bad website, or a website with a bad advertisement.
I believe the right workaround for now is to block access to the admin for the cable modem from your LAN. I have an Orbi router in front and found that adding a static route for ip address: 192.168.100.1 with netmask 255.255.255.255 and metric 2 and gateway as my gateway (192.168.1.1) prevents the browser from getting to those sites now.
Jeff
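A way to confirm from a LAN machine that the static-route workaround above took effect, as an added example that is not part of the original post: it tries a TCP connection to the two modem pages named in the thread and reports whether either is still reachable. The function names `probe` and `workaround_effective` are hypothetical.

```python
import socket

# From the thread: modem admin page (port 80) and spectrum analyzer page
# (port 8080), both on 192.168.100.1.
MODEM_IP = "192.168.100.1"
MODEM_PORTS = (80, 8080)


def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'closed' or 'filtered'.

    Hypothetical helper written for this example.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"      # connection refused: nothing accepting on that port
    except OSError:
        return "filtered"    # timeout or no route: the attempt got no answer
    finally:
        sock.close()


def workaround_effective(host=MODEM_IP, ports=MODEM_PORTS, timeout=2.0):
    """Return (ok, per-port states); ok is True only if no port is 'open'."""
    states = {port: probe(host, port, timeout) for port in ports}
    return all(state != "open" for state in states.values()), states


if __name__ == "__main__":
    ok, states = workaround_effective()
    for port, state in states.items():
        print(f"{MODEM_IP}:{port} -> {state}")
    print("modem pages blocked from this host" if ok
          else "modem pages still reachable from this host")
```

Run it from a computer behind the router, since that is where the browser sessions described in the post originate, and run it again after any router firmware update or settings reset.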
dallas77us
Jan 13, 2020 | Aspirant
@jvroom
When I navigate to 192.168.100.1:8080 on my CM500, v1.01.11, I'm prompted for login credentials which I haven't yet tried to enter. I assume the username and password are same as for the port 80 login.
I wonder, then, how the Cable Haunt exploit can be enabled if credentials are needed.
Were you prompted? Is there a "logout" to click to get out of it?
Thanks!
- jvroom | Jan 13, 2020 | Initiate
I was prompted only for the default port (80) and entered 'admin' and 'password'. The 8080 port (spectrum) did not ask for credentials... from the CableHaunt report, it's not secured for your 'LAN' by design, so the cable company can access that information from their systems.
Jeff
- dallas77us | Jan 14, 2020 | Aspirant
Thanks for the reply.
I should have been more specific as I meant the port 80 credentials.
I understand, then, for the modem owner, opening this spectrum web screen to look around is otherwise harmless and...
There's a "logout" to click? Yes? No? Cheers.
- FURRYe38 | Jan 14, 2020 | Guru - Experienced User
No, that's one thing we don't see on the analyzer page is a log in or log out screen. Not sure if even having a PW put on this page will prevent hackers or not. Right now, a hacker needs to be on the LAN side of the modem to do something nefarious. Hopefully Broadcom will close this hole soon.