Critical ADB router, modem firmware vulnerabilities finally fixed

Patches for three bugs impacting Advanced Digital Broadcast broadband equipment have now been released.

A set of critical vulnerabilities in Advanced Digital Broadcast (ADB) broadband equipment have now all received patches close to two years after being reported.

Geneva, Switzerland-based ADB develops video, broadband, and Internet of Things (IoT) solutions, including set-top boxes and broadband gateways. The company has sold over 60 million devices worldwide.

The vulnerabilities, first reported by SEC Consult Vulnerability Lab close to two years ago, impact a range of firmware versions. Impacted firmware versions include ADB P.RG AV4202N - E_3.3.0, ADB DV 2210 - E_5.3.0, ADB VV 5522 - E_8.3.0, and ADB VV 2220 - E_9.0.6; however, the risk of compromise depending on connected ISPs.

It is believed a wide range of equipment is affected.

"It has been confirmed by ADB that _all_ their ADB modems / gateways / routers based on the Epicentro platform with USB ports and network file sharing features are affected by these vulnerabilities in all firmware versions for all their customers (ISPs) at the time of identification of the vulnerability," the researchers said in their advisories.

However, some of the reported vulnerabilities will not impact devices when custom UIs have been developed specifically for ISPs.

The first vulnerability, CVE-2018-13108, is a local root jailbreak vulnerability.

The majority of ADB devices offer USB port functionality for printer or file sharing, but the "network file sharing" feature -- which uses a samba daemon and holds the highest level of access rights for exploring network shares with root user permissions -- paves the way for attackers to exploit either a web GUI input validation or samba configuration file parsing problem to access the root file system by using a crafted USB drive.

TechRepublic: 3 mobile security tips to thwart fraudsters

This local attack then permits threat actors to edit system files, tamper with networks, escalate GUI privileges, add backdoors and sniffers, as well as access all stored credentials.

"Attackers are able to modify any settings that might have otherwise been prohibited by the ISP," the researchers say. "It is possible to retrieve all stored user credentials (such as VoIP) or SSL private keys. Furthermore, attacks on the internal network side of the ISP are possible by using the device as a jump host, depending on the internal network security measures."

The second vulnerability discovered by SEC Consult Vulnerability Lab, CVE-2018-13110, is a privilege escalation bug.

If an attacker has access to standard or low-access rights within the web GUI, they are able to gain access to the command line interface (CLI) system by exploiting a group manipulation error -- if the CLI has been previously disabled by configuration.

This allows threat actors not only to escalate their privileges but also gain access to sensitive configuration data and manipulate device settings.

"Depending on the feature-set of the CLI (ISP dependent) it is then possible to gain access to the whole configuration and manipulate settings in the web GUI and escalate privileges to highest access rights," SEC Consult Vulnerability Lab says.

The final critical vulnerability, CVE-2018-13109, is an authorization bypass bug.

In some versions of ADB firmware, combined with the feature sets of some ISPs, a standard user account may not have every feature available enabled. However, by adding a second slash in front of forbidden URL entry paths, authenticated attackers can bypass these restrictions.

CNET: How to buy the right security camera for you

Attackers can then access restricted settings and tamper with these elements at will.

The researchers first contacted ADB in June 2015, but it was not until July 2017 that the vendor was ready to release firmware updates to resolve the security issues. The fixes were rolled out gradually, leading to the public release of the security advisory this week.

Previous and related coverage