bastille-24.atom-ip-routing.txt
Bastille Tracking Number 24
CVE-2017-9481
Overview
A vulnerability has been discovered that enables an attacker to communicate with the internal network interface on the network processor (Atom) Linux instance.
Affected Platforms
Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST
Proof-of-Concept
The NP Linux instance is configured with two IPv4 addresses:
[LAN] 10.0.0.254
[Internal] 169.254.101.2
The LAN-facing address is accessible to computers connected over Ethernet or the private Wi-Fi AP, and is used to host a UPnP server.
The internal address is not intended to be accessed by end users, and appears to be used for RPC, Telnet, and DBus.
An attacker can communicate with the internal address by manually routing through the LAN address, as follows:
ip route add 169.254.101.2 via 10.0.0.254
Test Environment
Cisco DPC3939, firmware version dpc3939-P20-18-v303r20421746-170221a-CMCST
Mitigation
There is no apparent mechanism to allow Comcast customers to prevent access to the NP internal IP address.
Recommended Remediation
Update the firewall rules to prevent access to the NP internal IP address from the LAN.
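One way to verify such a rule is in place, as an added example that is not part of the original advisory or the vendor's firmware. It assumes the NP firewall is managed with iptables and that the LAN bridge is called brlan0; both interface names and both sample rulesets are constructed for illustration.

```shell
# Added example, not from the advisory. Assumes an iptables firewall on the NP;
# brlan0 (LAN) and erouter0 (WAN) are hypothetical interface names.
INTERNAL_IP="169.254.101.2"
LAN_IF="brlan0"

# Reads iptables-save output on stdin; prints "blocked" or "exposed" for a packet
# arriving on LAN_IF addressed to INTERNAL_IP. The address is local to the NP, so
# the filter INPUT chain decides. Assumes exact host matches, no "!" negation.
audit_ruleset() {
    awk -v ip="$INTERNAL_IP" -v lan="$LAN_IF" '
    /^\*/ { in_filter = ($0 == "*filter") }
    in_filter && /^:INPUT / { policy = $2 }
    in_filter && /^-A INPUT / && verdict == "" {
        dst = ""; inif = ""; target = ""; extra = 0
        for (i = 3; i < NF; i += 2) {
            if ($i == "-j") { target = $(i + 1); break }
            else if ($i == "-d") dst = $(i + 1)
            else if ($i == "-i") inif = $(i + 1)
            else extra = 1      # -p, --dport, -m: rule covers only some traffic
        }
        if (dst != "" && dst != ip && dst != (ip "/32")) next
        if (inif != "" && inif != lan) next
        if (target == "ACCEPT") verdict = "exposed"
        else if ((target == "DROP" || target == "REJECT") && !extra) verdict = "blocked"
    }
    END { if (verdict == "") verdict = (policy == "DROP") ? "blocked" : "exposed"
          print verdict }'
}

# Constructed ruleset: only the WAN side is filtered, INPUT policy is ACCEPT.
sample_before() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i erouter0 -j DROP
COMMIT
EOF
}
# Constructed ruleset with a LAN-side block for the internal address added.
sample_after() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -d 169.254.101.2/32 -i brlan0 -j DROP
COMMIT
EOF
}
echo "before: $(sample_before | audit_ruleset)"
echo "after:  $(sample_after | audit_ruleset)"
```

A DROP rule that carries extra matchers (for example a single protocol) is deliberately not counted as a block, since other traffic to the address would still fall through to the chain policy.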
Credits
Marc Newlin and Logan Lamb, Bastille
Chris Grayson, Web Sight.IO