-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ======================================== Inokii Security Advisory Inokii-ID: 2014-01 ======================================== Affected Product: ARRIS / Motorola SURFboard SBG6580 Series Wi-Fi Cable Modem Gateway Severity Rating: Important Impact: Username and password for the user interface as well as wireless network keys can be disclosed through SNMP. Description: The SBG6580 Cable Modem Gateway product specifications include SNMP v2 & v3 under Network Management. The management information bases (MIBs) of various device subsystems on the SBG6580 allows local network users to discover user interface credentials and wireless network key values through simple SNMP requests for the value of these variables. Given the security authentication in SNMPv1 and SNMPv2c do not offer sufficient protection, this increases the risk that the values can be disclosed through SNMP using the default read-only community "public". The issue was confirmed in software version SBG6580-6.5.0.0-GA-00-226-NOSH. Object Identifiers (OIDs): 1. Cable Modem Gateway User Interface a. Username: 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 b. Password: 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 2. Primary Wireless Network a. Network Name (SSID): 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32 b. WPA Pre-Shared Key: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32 c. WEP PassPhrase: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.1.1.3.32 d. WEP 64-bit Network Keys * Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.1 * Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.2 * Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.3 * Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.4 e. WEP 128-bit Network Keys * Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.1 * Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.2 * Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.3 * Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.4 3. Guest Wireless Network a. Network Name (SSID): 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.33 b. WPA Pre-Shared Key: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.33 c. WEP PassPhrase: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.1.1.3.33 d. WEP 64-bit Network Keys * Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.33.1 * Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.33.2 * Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.33.3 * Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.33.4 e. WEP 128-bit Network Keys * Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.33.1 * Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.33.2 * Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.33.3 * Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.33.4 A Metasploit Framework module, sbg6580_enum.rb, was created to demonstrate the information exposure. The module can be found under Inokii's fork of the Metasploit Framework. https://github.com/inokii/metasploit-framework Disclosure Timeline: 2014-04-01 Issue reported to vendor 2014-04-10 Contacted vendor to verify advisory was received 2014-04-15 Vendor acknowledged that the disclosure was reviewed and expected to have a response shortly. 2014-05-17 Public Disclosure Acknowledgments: Researched by Matthew Kienow of Inokii. Reference: http://www.arrisi.com/modems/datasheet/SBG6580/SBG6580_UserGuide.pdf Contact: Inokii is a group of security professionals working together on information security testing, research and training. Email: advisory@inokii.com Web: http://www.inokii.com Disclaimer: Inokii is not responsible for misuse of the information provided in our security advisories. The advisories are a service to the professional security community. The information provided in this advisory is provided "as is" without warranty of any kind. Inokii disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Inokii be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Inokii have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJTdXBWAAoJENNOLT+D8g74stsQALftSJDhiDUA8lCJl4ifHv45 8iXwGbf+xV7iw5cpkHJ9iwvtDoXlTN4TJWWaF5oX7N+jCqAAUKBC6YfNwDo+ulP2 /vUJOhlItsRQujpuMqqYYvQ2Iqh7WMetie40kvvZXCmnPlMqP9pGCp6ldEenHbNb QoUvQCekupdAZLjVrgvv2kTE/TYLOp0wtKnkUsS7TSA9il2ufz72Oaa+9HGx2A+m lEZdtZ0KHO/4ksyLuZ/VF3RgFzlOor0ASeOHXjpxYvdO7lGHIDigZ2GammhA/rM8 2GNVBzCuCOjBXS1t9fHCq6CtU8o4b+V7/EfhaLpQy9R7Tzzx9PRIN6dTbJxe64c/ BT304QIsEBwsfCVCS+4BOJyBW2LqHVizTgQIetzWx+kQ7e820z3sGOmTyoSdXqo1 n8Mze26jDVnerTUO5tVdL5GJqsqmmOqXiLm019MWmi2U5e+gJ96DXBzT40SuE9Me y/fPxOBEYExJNsSkOvja2Kug9/Flv9zMM7e7uUSQ4ooQAkyt5yg4g9MiMBjLlAGE 4ROLOPjQRiUa5toiqjbdWLkm/L73xoVXy8Y/e0wJtx7ikwUcazDyvbEpoXYtFXaI pOZstUHkFSPpoVo1JA6mVtg3amghq1XKp1ZfwcxeIdS3y35R/47Xz2SALOuhzEkP zNAL/k+vN7fmQ/d3YrAe =LoIt -----END PGP SIGNATURE-----