beetroot
New Contributor
Member since 7th Mar 2014
2 Posts
Accepted Solution

Netgear cg3000v2 back door vulnerability

[ Edited ]

There is a serious vulnerability in the CG3000v2 that enables anyone on the Optus network to access another user’s cable modem (cm) via a rather thoughtlessly open back door. Before I get into it I want to make it clear that it has nothing to do with the http configuration page available on the device, nor the remote access http configuration page which can only be enabled manually.

 

I am not going to reveal technical details of this vulnerability for obvious reasons. I am not a hacker and have been going mad not knowing what to do as a result of discovering this vulnerability. I am concerned that if I disclose too much information then Optus will suspend my account; however, the consequences associated with the existence and exploitability of this vulnerability far outweigh any consequences that I may be faced with. I have therefore chosen to disclose some of what I have discovered on this forum so that Optus may hopefully take notice and do something about it.

 

If an attacker has access to an internet connected device on the Optus network (by Optus network I don't mean just the residential cable modem network) they may be able to connect to any CG3000v2 via this back door, view a victim's Optus SIP settings (including their phone number) and connect to sip01.yesphone.optus.com.au and register, make and receive phone calls from that victim's account. The SIP secret is stored in plain text and visible to an attacker. The attacker can also:

 

-View a log of all recent phone calls that the victim has made

-View and change their cable modem access passwords

-View details about devices that are currently connected to the cm in the victim’s home network via dhcp and static

-Enable and disable advanced features that are not available via the standard http config page including accessing non-volatile system configurations that will persist after restart

-Make changes to network settings, route, rip, arp

-View a victim’s SSID and Passphrase (again in plain text)

-Find out a victim's public IP address and determine their geographic region.

-Enable remote management of the cm

-Essentially, an attacker can take total control of your cm

 

The above list is a sample of certain things an attacker can exploit and again NO THE BACK DOOR IS NOT THE HTTP REMOTE ACCESS PAGE, THE VULNERABILITY IS NOT EXPLOITED VIA HTTP. It is a separate service that is running out of the box on all CG3000v2 devices. The CM does not need to be modified or tampered with, nor is the installation of malicious software required.

 

As a result of this vulnerability an attacker with software skills could create a program to scan for CG3000v2 CM's that are connected to the Optus network and build a database of information about each device containing all the details above plus more. Imagine the impact on customers here people. Your home phone number could potentially be used maliciously. I have not done this.

 

If a subscriber on the Optus network fell victim to a Trojan or other form of RAT then this vulnerability could be exploited by an attacker on the other side of the planet that has gained access to a victim's computer on the Optus network.

The most concerning thing here aside from losing control of your cm is that the attacker can access the SIP details of a victim's account.

 

Optus get your techies to check this out!

 

If this post is not responded to by an Optus moderator by Midnight on Sunday the 9th of March 2014 then I will pursue this further with the mainstream media as I am sure that they will be interested in the details of this vulnerability if you aren't.

 

I would like to reiterate that I am not a hacker, I am not seeking any publicity and I am not doing this for personal gain or financial gain. I could not think of any other way to broadcast this to Optus other than the manner in which I have done so. I would also like to state that I have discovered the vulnerability by connecting to my cm via this back door as well as a colleague's with their authorisation/permission.

 

Furthermore, if by posting this text I have divulged information allowing an attacker to exploit this vulnerability, this is not my intention and is done so unwillingly. My main intention and objective is for Optus to investigate and somehow patch this vulnerability. It would also be in Optus' best interest to promote a service whereby they encourage members of the public to come forward with security concerns without the risk of reprimand. If such a service exists it does so outside of my knowledge. I contemplated contacting Optus via phone and email to divulge this but hesitated out of fear of being misunderstood and labelled by Optus as a hacker.

 

Lastly, this vulnerability may apply to Telstra if they issue the same CM to their customers, as well as other Netgear CM's. I am unable to prove this as I do not have access to any other network or CM aside from the Optus issued Netgear cg3000v2.

beetroot
New Contributor
Member since 7th Mar 2014
2 Posts

Re: Netgear cg3000v2 back door vulnerability

Thanks to Ben Grubb from Fairfax who raised this with Optus on my behalf (Default password leaves tens of thousands of Optus cable subscribers at risk).

To the rest of the community. Optus have sent me an email via Ben, advising that they "will not be taking any legal action based on what has been provided" to them.

The message subsequently reads:

"In fact we would like to talk to the gentleman concerned so that we can apologise for missing his previous post and to thank him personally for raising this issue with us.

We would also like to offer him to come and meet with the engineers involved so he can talk through the issue and give us feedback on what he feels would be good initiatives and practices re this type of issue in the future."

I appreciate the invitation but have yet to decide whether I will accept it and have chosen to continue to remain anonymous.

carrot
New Member
Member since 18th Sep 2014
1 Post

Re: Netgear cg3000v2 back door vulnerability

I recently subscribed to Optus Cable and was provided this model and have a new problem which I wanted to share with and possibly identify the issue.

 

This is the router as you see it on the screen shot:

 

 

 

The logs show that someone has logged out and the router resets, dropping both the phone line and internet at the same time while it resets, every time the ssh user logs out.

 

 Thu Sep 18 16:11:29 2014   Critical (3) 

 SSH user logged out. 

 

The system uptime tallies with the user login and reset:

 

Status
System Up Time: 0 days 04h:54m:47s

 

The reset happens on a regular basis and I don't remember the router being up for more than 2 days. I am not sure if anyone has already experienced it.

 

I have already raised it with Optus and heard no valid response but they are just beating around the bush.

 

Secondly, I have also raised concerns with my phone line that is bundled with the Cable connection. When asked about the phone (SIP) traffic being separated or included on my data allowance, no valid response again.

 

I am sure someone out there would have some clue.

Ryan
Moderator
Member since 11th Jan 2012
1,952 Posts

Re: Netgear cg3000v2 back door vulnerability

Hi carrot – thanks for raising your concerns in regards to the connection issues you’re currently experiencing. If you wish to shoot your details through to me via a Private Message I can absolutely take a closer look over the specs on this line to see if they correlate with the drops you’re experiencing on your end as this would have no impact on the connection itself – though we can definitely check this out for you.

 

In regards to the ‘SSH User Logged Out’ log that’s visible in the modem log – this is an unsuccessful login attempt most likely due to a port scan, from the LAN or the WAN. If a successful login occurs there would then be log showing ‘SSH User Logged In’ as well as a visible public IP of the person who is logged in as you can see in the below example:

 

SSH User Logged Out Example.png

 

We can also assure you that any (SIP) voice packets during phone calls are not counted against monthly data allowance. I hope this answers your concerns sufficiently.

___________________________
Have you seen something helpful? Don't forget to give it a kudos. Asked a question and got an answer? Make sure you mark it as an accepted solution!

Please ensure you abide by the community guidelines. All moderation actions are final.

davids1969
New Contributor
Member since 10th Aug 2014
3 Posts

Re: Netgear cg3000v2 back door vulnerability

Hi,

 

You mentioned "In regards to the ‘SSH User Logged Out’ log that’s visible in the modem log – this is an unsuccessful login attempt most likely due to a port scan, from the LAN or the WAN. If a successful login occurs there would then be log showing ‘SSH User Logged In’ as well as a visible public IP of the person who is logged in as you can see in the below example:"

 

This ALWAYS corresponds with my modem losing connection to the optus.  Since I have moved over to optus cable I have had the same number of net 'dropouts' I had on Optus ADSL and Telstra ADSL (one of the reasons I switched to cable).

 

You can see in my log the number of attempts and when I am at the machine I always log into the modem page and check why I lost internet connection....timed to the SSH user logged out rubbish.

The last one was today while I was trying to play an online game, sure enough check the event log and SSH user logged out.

 

Sat Sep 27 13:27:15 2014   Critical (3)  SSH user logged out. 
 Time Not Established  Warning (5)  DHCP WARNING - Non-critical field invalid in response ;CM-MAC=XX:XX:XX:XX:XX:dc;CMTS-MAC=XX:XX:XX:XX:XX;CM-QOS=1.0;CM-VER=3.0; 
 Time Not Established  Notice (6)  Honoring MDD; IP provisioning mode = IPv4 
 Thu Sep 25 21:41:31 2014   Critical (3)  SSH user logged out. 
 Thu Sep 25 01:20:56 2014   Critical (3)  SSH user logged out. 
 Time Not Established  Critical (3)  No Ranging Response received - T3 time-out;CM-MAC=XX:XX:XX:XX:XX;CMTS-MAC=XX:XX:XX:XX:XX;CM-QOS=1.0;CM-VER=3.0; 
 Mon Sep 22 17:07:53 2014   Critical (3)  SSH user logged out. 
 Mon Sep 22 17:04:06 2014   Critical (3)  SSH user logged out. 
 Mon Sep 15 21:43:08 2014   Critical (3)  SSH user logged out. 
 Thu Sep 11 22:57:32 2014   Critical (3)  SSH user logged out. 
 Time Not Established  Critical (3)  No Ranging Response received - T3 time-out;CM-MAC=XX:XX:XX:XX:XX;CMTS-MAC=XX:XX:XX:XX:XX;CM-QOS=1.0;CM-VER=3.0; 
 Thu Sep 11 22:50:38 2014   Critical (3)  SSH user logged out. 
 Sat Sep 06 11:10:05 2014   Critical (3)  SSH user logged out. 
 Sun Aug 31 15:23:20 2014   Critical (3)  SSH user logged out. 
 Sat Aug 30 11:27:55 2014   Critical (3)  SSH user logged out. 
 Wed Aug 27 21:53:14 2014   Critical (3)  SSH user logged out. 
 Sat Aug 16 19:53:32 2014   Critical (3)  SSH user logged out. 
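
One way to check the correlation the posters describe between "SSH user logged out" entries and modem restarts, as an added example that is not part of any post in this thread. It assumes the event log is listed newest first and that "Time Not Established" marks entries written during a restart before the clock is set; the sample lines are abridged from the log quoted above.

```python
import re
from datetime import datetime, timedelta

# Sample lines abridged from the event log quoted above (newest entry first).
SAMPLE_LOG = """\
Sat Sep 27 13:27:15 2014   Critical (3)  SSH user logged out.
Time Not Established  Warning (5)  DHCP WARNING - Non-critical field invalid in response
Time Not Established  Notice (6)  Honoring MDD; IP provisioning mode = IPv4
Thu Sep 25 21:41:31 2014   Critical (3)  SSH user logged out.
Thu Sep 25 01:20:56 2014   Critical (3)  SSH user logged out.
Time Not Established  Critical (3)  No Ranging Response received - T3 time-out
Mon Sep 22 17:07:53 2014   Critical (3)  SSH user logged out.
Mon Sep 22 17:04:06 2014   Critical (3)  SSH user logged out.
"""

LINE_RE = re.compile(
    r"^\s*(?P<when>Time Not Established|\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})"
    r"\s+(?P<level>\w+) \((?P<prio>\d)\)\s+(?P<msg>.*?)\s*$")

def parse_log(text):
    """Return entries in file order; 'when' is None if the clock was not set."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or unrecognised lines
        when = m["when"]
        ts = None if when.startswith("Time Not") else datetime.strptime(
            when, "%a %b %d %H:%M:%S %Y")
        entries.append({"when": ts, "prio": int(m["prio"]), "msg": m["msg"]})
    return entries

def is_ssh_logout(entry):
    return entry["when"] is not None and "SSH user logged out" in entry["msg"]

def logouts_with_restart(entries):
    """Pair each SSH logout with True if the next-newer entry has no clock
    (assumption: such entries are written during a restart)."""
    return [(e["when"], i > 0 and entries[i - 1]["when"] is None)
            for i, e in enumerate(entries) if is_ssh_logout(e)]

def logout_bursts(entries, minutes=10):
    """Consecutive SSH logouts no more than `minutes` apart."""
    times = sorted(e["when"] for e in entries if is_ssh_logout(e))
    return [(a, b) for a, b in zip(times, times[1:])
            if b - a <= timedelta(minutes=minutes)]

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for when, restart in logouts_with_restart(log):
        print(when, "restart follows" if restart else "no restart logged")
    print("bursts:", logout_bursts(log))
```

Logouts that arrive in short bursts or are each followed by unclocked entries are worth passing to the ISP together with the exact timestamps, since the modem log on its own does not record where the SSH connection came from.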
Ryan
Moderator
Member since 11th Jan 2012
1,952 Posts

Re: Netgear cg3000v2 back door vulnerability

Thanks for getting back to us. This does seem like quite a few entries - if you wish to send me a Private Message with your Internet Username I can then take a closer look over your service from our end during the times listed in your log to see if anything stands out on this line for you.


kimitj1
New Contributor
Member since 1st Nov 2014
3 Posts

Re: Netgear cg3000v2 back door vulnerability

I also see this SSH User logged out fairly frequently along with CM unable to register/TFTP retries exceeded errors.

 

I'm having all kinds of intermittent network issues and continually rebooting the modem isn't the long term solution.

Ryan
Moderator
Member since 11th Jan 2012
1,952 Posts

Re: Netgear cg3000v2 back door vulnerability

Hey kimitj1 - when you're experiencing issues with your service, is this while physically connected to the modem via an Ethernet cable or while connected through wifi? I'm happy to take a closer look over the specs on this line for you if you wish to shoot me a Private Message including your Internet Username.


lxk
Visitor
Member since 7th Nov 2014
1 Post

Re: Netgear cg3000v2 back door vulnerability

Hi Ryan,

 

My Netgear Cable modem is also plagued by constant attacks, it's seriously interrupting my service. I'm also seeing the "SSH User Logged out" entries in the event log. When I first signed up to the service, it was fantastic - I could get 3MB/s down and it was always consistent.

 

Now my connection and phone will both disconnect multiple times a day, most frequently at night

 

Can Optus recommend a modem I can purchase that isn't affected by this problem?  Or can you assist in resolving this issue from the Optus network layer?

 

Thanks

Ryan
Moderator
Member since 11th Jan 2012
1,952 Posts

Re: Netgear cg3000v2 back door vulnerability

Hey lxk - if you can shoot me a Private Message including your Internet Username I'll take a closer look over the specs on your line, as it sounds like there may be a possible line or equipment issue on your end that will need seeing to.

