
Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

brycewade
Follower

Firmware upgrade for Cable Haunt vulnerability on CM1000?

With the recent announcement of the Cable Haunt vulnerability (see https://cablehaunt.com/) and the inclusion of the CM1000 modem on the list of affected devices, is there an updated firmware available to address this issue?

 

And possibly more important, how can we update the firmware of our modems?  I saw in another thread (https://community.netgear.com/t5/Cable-Modems-Routers/CM1000-firmware-updates/m-p/1655395) that we cannot do that ourselves. @DarrenM  said that "Its not Netgears fault this is apart of the docsis standard  every company that makes cable modems has to send there firmware to the ISP and have them approve the firmware and then the ISP pushes the firmware when they want to."  Like the user in that thread my ISP says I have to upgrade the firmware myself.  Can you point me to where this is in the standard so I can beat my ISP into submission with it?

Model: CM1000|Ultra-High Speed Cable Modem—DOCSIS® 3.1 Ready
Message 1 of 14
jvroom
Initiate

Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

Thanks for this helpful info.

 

I will add Netgear CM500 to the list of cable modems vulnerable to Cable Haunt (I have firmware V1.01.12). If I navigate to 192.168.100.1 and log in with admin/password, I get to an admin interface on the cable modem. If I navigate to 192.168.100.1:8080, I get to the problematic "spectrum" web screen that gives stats to the cable company about your modem's performance. Neither screen lets me add security and from what I understand the 8080 server allows websocket connections directly from a web-browser session. That will allow a hacker to take over the cable router and run their own code there just by visiting a bad website, or a website with a bad advertisement.

 

I believe the right workaround for now is to block access to the admin for the cable modem from your LAN. I have an Orbi router in front and found that adding a static route for ip address: 192.168.100.1 with netmask 255.255.255.255 and metric 2 and gateway as my gateway (192.168.1.1) prevents the browser from getting to those sites now.

 

Jeff

Model: CM500|16x4 DOCSIS 3.0 Cable Modem
Message 2 of 14
dallas77us
Aspirant

Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

@jvroom

 

When I navigate to 192.168.100.1:8080 on my CM500, v1.01.11, I'm prompted for login credentials which I haven't yet tried to enter. I assume the username and password are the same as for the port 80 login.

 

I wonder, then, how the Cable Haunt exploit can be enabled if credentials are needed.

 

Were you prompted?  Is there a "logout" to click to get out of it?

 

Thanks!

 

 

Message 3 of 14
jvroom
Initiate

Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

I was prompted only for the default port (80) and entered 'admin' and 'password'. The 8080 port (spectrum) did not ask for credentials... from the CableHaunt report, it's not secured for your 'LAN' by design, so the cable company can access that information from their systems.

 

Jeff

Message 4 of 14
SBMongoos
Aspirant

Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

I have the Netgear CM1150V that I bought and use with Comcast. Is this unit impacted? Not able to tell. Not yet anyway.

Message 5 of 14
FURRYe38
Guru

Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

Most and ALL cable modems FW comes from the cable modem Mfr. Then passes to the ISPs for their continued testing and certification. Once they certify that it works on their network, then they are the ones who push it out to the connected modems. Users will not ever see FW updates they can update themselves. Updates will always come from the ISP!!!

 

Also some ISPs don't or won't update user owned modems. So you'll need to ask your ISP about this.

 

For this problem however, the chipset Mfr, i.e. Broadcom, has to make the change. Then they will pass it to the cable modem Mfrs for integration. Then the process starts again with the cable modem Mfrs passing to the ISPs for testing and certification.

 

Users will need to wait and be patient while the chipset Mfr reviews, tests and fixes this problem. Broadcom has made no announcement acknowledging the problem that I can tell. All we can do is wait for the fix to eventually come thru. When and if it does.

 

So don't bother trying to get anything from NG. They have to wait for the fix to come from Broadcom. 

 

I hope Broadcom processes all this faster than Intel did with the Puma issue. Took years for Intel to acknowledge the problem and come out with fixes.

 

BE PATIENT! 

Message 6 of 14
SBMongoos
Aspirant

Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

To answer my own question on the CM1150V I found that it uses the Broadcom BCM3390. Same as CM1000 and CM1100. Found it here: https://www.approvedmodems.com/compare-netgear-cable-modems.html

Message 7 of 14
dallas77us
Aspirant

Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

Thanks for the reply.


I should have been more specific as I meant the port 80 credentials.


I understand, then, for the modem owner, opening this spectrum web screen to look around is otherwise harmless and...


There's a "logout" to click? Yes? No?

 

Cheers.

Message 8 of 14
FURRYe38
Guru

Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

No, that's one thing we don't see on the analyzer page is a log in or log out screen. Not sure if even having a PW put on this page will prevent hackers or not. Right now, a hacker needs to be on the LAN side of the modem to do something nefarious. Hopefully Broadcom will close this hole soon.

Message 9 of 14
Kepkep
Aspirant

Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

Broadcom actually released the patch in May of 2019.

Bottom of article in the “updates” section:
https://www.theregister.co.uk/2020/01/10/broadcom_cable_haunt_vulnerability/
Message 10 of 14
FURRYe38
Guru

Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

Also states:

"We also asked the researchers whether the chip slinger's fix in May last year fully addressed the discovered vulnerability. They told us:

We have heard from Broadcom that they updated their reference software around that time, and we have no reason to believe otherwise. However we do not have access to this code or the previous version. We have only been able to see the binary firmware which the manufacturers deploy, so we can not confirm it.

Due to the nature of reference software, is not necessarily easily forwarded to the manufacturers, and we have no way of knowing for sure, if a manufacturer updated with the reference software or of their own accord.

We have not been able to get any worthwhile estimates of the units actually affected worldwide, however we are getting hundreds of emails from users reporting their modem vulnerable, and are constantly updating our website with this information."

Message 11 of 14
linuxnutt
Aspirant

Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

Just a quick question: in connecting to the CM500 "spectrum" web screen/page at http://192.168.100.1:8080, typically is there a default password to connect, as I've changed my admin password from the unsecure user "admin" and "password" credentials to a more secure one? Yet when I try to use the default password or my changed admin password to connect to http://192.168.100.1:8080 I'm not able to connect.

 

In addition I'll add here for Linux firewall users how to block access to your cable modem using null routes to blackhole the 192.168.100.1 IP. I spent a long minute trying to find this solution ( 🙂 ) and it's really very easy; you don't need to add an iptables rule to your firewall.

My network setup: Internet--ISP--Cable Modem--Smoothwall Firewall--Internal Network. On the firewall add a null route to blackhole the cable modem IP address (192.168.100.1). Here is a reference for specific how to set up and remove details - nixcraft, "How Do I Drop or Black Attackers IP Address with Null Routes on a Linux", https://www.cyberciti.biz/tips/how-do-i-drop-or-block-attackers-ip-with-null-routes.html. I've done it and the cable modem access from the internal network is blocked. This should help until Broadcom, modem manufacturers and your ISP come up with a firmware fix for Cable Haunt. If you need to reconnect to the cable modem for some reason simply remove the null route block.

 

Message 12 of 14
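
The null-route workaround described in the post above, as an added example that is not part of the original thread: it installs and removes the blackhole route with iproute2 and checks that the block is in place. The function names are hypothetical, and it assumes a Linux firewall with `ip`, `awk` and `curl` available; the sample route table is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): null-route the cable modem's
# management address on a Linux firewall and confirm the block.
MODEM_IP="192.168.100.1"   # modem address used throughout the thread

# Run as root on the firewall. The route does not persist across reboots.
block_modem()   { ip route add blackhole "${MODEM_IP}/32"; }
# Undo the block when you need the modem's status pages again.
unblock_modem() { ip route del blackhole "${MODEM_IP}/32"; }

# Read `ip route show` output on stdin; print "blocked" if a blackhole,
# unreachable or prohibit route covers exactly the modem IP, else "open".
# Typical use on the firewall:  ip route show | route_state
route_state() {
  awk -v ip="$MODEM_IP" '
    ($1 == "blackhole" || $1 == "unreachable" || $1 == "prohibit") &&
    ($2 == ip || $2 == (ip "/32")) { hit = 1 }
    END { print (hit ? "blocked" : "open") }'
}

# Probe the two ports discussed in the thread from a LAN host.
# Returns 0 only if neither port answers an HTTP request.
modem_unreachable() {
  for port in 80 8080; do
    if curl -s -o /dev/null --connect-timeout 3 "http://${MODEM_IP}:${port}/"; then
      echo "port ${port} still reachable" >&2
      return 1
    fi
  done
  return 0
}

# Constructed sample of `ip route show` after block_modem has run.
sample_routes() {
  cat <<'EOF'
default via 203.0.113.1 dev eth0
blackhole 192.168.100.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
EOF
}
```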
FURRYe38
Guru

Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

I've changed the PW on my CM1100 and I can still access the analyzer page using the PW I set for the modems main web page. 



Message 13 of 14
geitznhof
Aspirant

Re: Firmware upgrade for Cable Haunt vulnerability on CM1000?

I tried to add an outbound service block on 192.168.100.1:8080 as a workaround for Cable Haunt but I get an error that this is an invalid address.  I don't understand how any address at 192.168.x.x is invalid.  I thought I bought a good enough router that I could apply any reasonable security option needed. I read a possible alternative is a "Blackhole" port forward but I'm pretty sure Netgear is going to block that too.  Any suggestions for this router, or do I need to make a change to Asus or Synology?

Model: R7900P|Nighthawk X6S AC3000 Tri Band WiFi Router
Message 14 of 14