[HN Gopher] VPN users unmasked by zero-day vulnerability in Virg...
___________________________________________________________________
VPN users unmasked by zero-day vulnerability in Virgin Media
routers
Author : feross
Score : 177 points
Date : 2021-09-20 11:18 UTC (11 hours ago)
(HTM) web link (portswigger.net)
(TXT) w3m dump (portswigger.net)
| driverdan wrote:
| Should be switched to the source:
| https://fidusinfosec.com/silently-unmasking-virgin-media-vpn...
| madjam002 wrote:
| These endpoints are available in modem only mode, but everyone
| I've asked who has a SH3 says that they're not affected by this
| and the endpoint doesn't return the IP address.
|
| If you're in modem only mode, block HTTP traffic to 192.168.100.1
| outbound from your firewall just to be sure.
|
| Seems relatively low impact, but still pretty bad. Not surprising
| from VM given the quality of their firmware.
| stordoff wrote:
| > everyone I've asked who has a SH3 says that they're not
| affected by this and the endpoint doesn't return the IP address
|
| What does it return in modem only mode? I've verified that
| <hubip>/snmpGet?oid=1.3.6.1.4.1.4115.1.20.1.1.1.7.1.3.1 on my
| Hub 3 returns:
|
| > {
| > "1.3.6.1.4.1.4115.1.20.1.1.1.7.1.3.1":"$xxxxxxxx" [public
| > IP address encoded in hexadecimal]
| > }
|
| but I can't currently test it in modem only mode.
| aaronmdjones wrote:
| I did SSH port forwarding through my router so that I could
| access the modem;
|
| $ ssh -L 127.0.0.1:1234:192.168.100.1:80 root@router
| $ curl 'http://127.0.0.1:1234/snmpGet?oid=1.3.6.1.4.1.4115.1.20.1.1.1.7.1.3.1'
| {
| "1.3.6.1.4.1.4115.1.20.1.1.1.7.1.3.1":"$00000000"
| }
|
| It does not appear to work in modem mode.
| aaronmdjones wrote:
| I've been running my VM superhubs in modem-only mode ever since
| I got them; with OpenWRT on my own router behind it.
|
| I've been blocking traffic to RFC1918 ranges (all of them) that
| attempts to egress the WAN interface for just as long.
|
| It's almost like I knew that eventually, someone was going to
| find a vulnerability in their web panel, and I wanted to make
| sure it wouldn't be exploitable.
|
| Oh wait, I didn't know. It's just common sense.
| rsync wrote:
| This is what a Network Slug[1] is for.
|
| "A Network Slug, or "Slug", is a transparent layer 2 firewall
| running on a device with only two interfaces."
|
| ...
|
| "A Slug has no IP address, cannot be reached on the network, and
| does not increment IP TTL."
|
| ...
|
| So, for instance, I have a port 22 slug that I can insert
| anywhere in the physical chain of a network that passively, and
| silently, blocks all traffic except for TCP 22.[2]
|
| You could clamp down further and restrict it to port 22 _and your
| specific VPN endpoint IP_.
|
| Foolproof ? Perhaps not - but a _huge_ piece of defense-in-depth
| that makes the use of a (port 22) VPN much safer.
|
| [1] https://john.kozubik.com/pub/NetworkSlug/tip.html
|
| [2]
| https://john.kozubik.com/pub/NetworkSlug/images/sg-1000-back...
| Angostura wrote:
| For context. This is Virgin Media which demands your passwords
| (including e-mail passwords) must be no longer than 10
| characters, must begin with a letter, not a number and cannot
| include any special characters.
|
| Security is not their priority.
| astrea wrote:
| This reignites my recurring question: Don't (at least some)
| password rules just shrink the problem space?
| zdragnar wrote:
| Yes and no.
|
| Having no rules means you have a maximum search space.
| However, a general audience means that the top X% (let's say
| 70 to be arbitrary) are going to be in a very small search
| space... An English word with maybe some numbers substituted
| in for a letter or two.
|
| OTOH, having password rules means that you eliminate the
| smallest areas of the search space, so every password resides
| in a restricted version of the larger space. Fewer possible
| passwords, but all at a larger complexity to guess.
|
| Then, there are password rules like "no special characters"
| or "maximum length of 10 characters" which are fantastically
| stupid and lazy, and only serve to make brute forcing them
| that much easier.
| colejohnson66 wrote:
| Maximum lengths _only_ make sense if your password field is
| stored as a SQL CHAR(10) (or COBOL if they're into that).
| Basically a fixed width field and that's too small for a
| hash. But even then, they're a horrible idea.
| SAI_Peregrinus wrote:
| They also make sense if you're using bcrypt since it has
| a 72-byte max input length. More modern password hashing
| functions don't have such a short limit, so you can set a
| much bigger max length to prevent excessive network
| traffic & processing (eg 1kB). Since functions like
| Argon2 have very large max limits (2^32-1 bytes for
| Argon2) it can make sense to set a shorter limit.
| [deleted]
| lol768 wrote:
| The same Virgin Media of "Posting it to you is secure, as it's
| illegal to open someone else's mail." infamy.... [0]
|
| [0]
| https://twitter.com/virginmedia/status/1162756227132198914?l...
| bsd44 wrote:
| That happened to me. I wanted to reset my account password so
| they agreed to send a "password reminder" via post. I thought
| that was weird. I expected a temporary password which I will
| be forced to change upon login. To my surprise they printed
| my existing account password and sent it to me via postal
| mail! WTF! I went on Trustpilot immediately and saw they had
| 1/5 stars from 40k reviews.
| AlexAndScripts wrote:
| Unfortunately, criminals are in the habit of breaking the
| law...
| bmcn2020 wrote:
| Oh wow, even the year checks out.
| _0ffh wrote:
| Wow, that's just spectacular!
|
| Quick! Let's outlaw poverty, violence, theft and coercion,
| and we're good!
| shawabawa3 wrote:
| They also ask for your account password over the phone
|
| I think they now only ask for the X, Y, and Zth characters, but
| they used to ask for the whole thing
| lxgr wrote:
| Wouldn't this also be a failure of the VPN software used?
|
| If it allows some local addresses/hosts to be accessed, some
| information is always bound to leak I'd argue.
| bmcn2020 wrote:
| So all the while, for almost two years, Virgin didn't do squat
| about this. Gives me flashbacks to some of our disclosure
| interactions with PayPal and others.
|
| Wonder why issues like this are so common - do they just de-
| prioritize vulnerabilities reported by researchers to death?
| nvarsj wrote:
| Virtually no legal consequences for them. Virgin is also one of
| the worst consumer business I have ever interacted with (and
| this includes many big US ISPs with bad reputations). The
| company is beyond dysfunctional.
| lgats wrote:
| https://cve.report/CVE-2019-16651
| CodesInChaos wrote:
| I would consider the router untrusted when using a VPN, so
| blaming it for the attack seems misplaced. I'd go even one step
| further, and say that unprivileged applications using the VPN
| should have no way of discovering your real IP. Applications not
| using the VPN shouldn't be able to discover the VPN IP, at
| minimum not use/leak it by accident (e.g. via webrtc).
|
| IMO the safest way to access a VPN is from a VM which is
| restricted to that VPN. Like whonix, but using a VPN instead of
| Tor.
|
| In theory, deep integration into the OS (like Tails does for Tor)
| could work, but is much easier to get wrong, especially if you
| want direct network access for other applications.
|
| (Only talking about VPNs used for hiding your IP. Tunneling into
| a company network via VPN is a very different use-case)
| wyager wrote:
| I have a seedbox set up on freebsd with two jails. One jail
| runs wireguard and pf. The other jail runs transmission. They
| are connected by a virtual Ethernet cable (epair). The
| transmission jail can only talk to the internet via the VPN
| jail, which it is not aware of.
| CodesInChaos wrote:
| Jails/Containers should be fine as well.
|
| Just need to make sure host applications don't see the
| network interface provided by the VPN gateway, so they don't
| accidentally leak it (linking it to your real IP). A typical
| example are browsers when using WebRTC.
| cassianoleal wrote:
| I don't use it for torrent but I run Wireguard on my router
| and have 802.11q VLANs that only route through each of those
| interfaces.
|
| This way all I need to do is tag packets on whichever device
| they come from and they only go out via that interface.
|
| I also have separate Wi-Fi SSIDs for each of those so
| changing my exit node is as simple as choosing a different
| one.
| supersnuiter wrote:
| >"published details of the flaw nearly two years after first
| alerting Virgin Media"
|
| Two Years !! - Ja this just makes me mad !
|
| Sure security issues happen to the best of them and us, but
| dammit being alerted to this and just ignoring it, tells you
| EXACTLY the level of competence of management and their
| commitment to YOUR data.
|
| If I may add a few data points, I recently had a look at some of
| the ISPs in my country, just "basic level stuff". I'm by no means
| a PEN-Tester. This is what I found:
|
| 1. ISP A
|
| 1.1 CLIENT-Side Localstorage, no validation: Thus if you are
| signed in, go to localstorage and change 'user-id:123' to
| 'user-id:456' - Congrats you are now logged in as user:456
|
| 1.2 All APIs where you can pass in a user-id did not check if
| you are allowed. Thus you can do
| "<broken-isp.com>/api/getuserinfo/<add-any-user-id>"
|
| 1.3 Same API, also brings back HASHED-PW and HASHED-PIN, I
| thought it was strange but what's the chance one can "crack" SHA
| on a PC these days, especially with 'proper' password libraries
| like bCrypt/Salt. Turns out there were NO SALTs added to hashed
| pw and it was SHA-256. Hashcat makes quick work of most
| passwords.
|
| PS it was also "funny" how they "HASHED" the PIN (4 digit value)
| that was also returned in the API response. If you think hashcat
| is fast with passwords, you know how fast it is to test the
| hash-values for [0000-9999] :)
|
| 1.4 Time to respond: I managed to have a phone call with the CEO
| which at least sounded (I do think the response was 100% sincere)
| UPSET, WORRIED and asked that I send him all the info and
| recommendations I have.
|
| Good response to a bad situation ! - Well done.
|
| 2. ISP B
|
| 2.1 Hmmm seems someone deployed a part of a .git folder to their
| website.. Only .git/INDEX and .git/HEAD were deployed but it was
| very easy to reconstruct the "commits/changesets" with something
| like GitTools and discovered part of the changesets was when they
| were doing lead generation via facebook and their CRM system. API
| keys were all hard coded and visible in the changeset (source code).
| Thus using the API keys one has access to their whole CRM it
| seems.
|
| 2.2 Company Response: Managed to track down the CEO via LinkedIn,
| super nice guy and it's a BIG ISP. He was very upset about
| security and super thankful for my "responsible disclosure"; he
| CC'd most of his exec-committee: CTO, InfoSec, COO and operations
| team. His parting words: "I hope someday we can help you as
| well"! Well done
|
| 3. ISP C
|
| 3.1 Wow they were/are just terrible. They have unauthenticated
| AJAX calls for their "account-pages,billing details, router
| details". You ONLY had to "guess" the account number (very
| predictable account numbering scheme)
|
| 3.2 Company Response: Spent a few days tracking down their
| contact details. Managed to find their emails for CEO, COO, and a
| few other "CxO" people. I emailed them about the security on
| their site. Do they have an InfoSec team or where should I send
| the details to ? He responded to send it to him (so we know the
| email address works). After sending proof and details of their
| complete lack of security I got zero response. After TWO weeks I
| followed up with the CEO and he only replied (send me your
| contact number, no phone call yet) but they did seem to fix the
| security issues only once I followed up.
| orra wrote:
| > Two Years !! - Ja this just makes me mad !
|
| Just goes to show that "responsible disclosure" can be a very
| misleading term...
| cmsj wrote:
| As a Virgin Media customer for some time now, and having
| previously worked for ISPs, I think I can say with some
| reasonable confidence that VM are a really really mediocre ISP.
|
| I almost admire how mediocre they are - they do _just_ enough to
| keep people on their service and because they've done the work
| of laying cable to all the houses in an area, there's little
| incentive for OpenReach to lay fibre in those areas.
|
| I live in London and I can get Gigabit from VM (although only
| download, their upload is a pathetic 50Mb/s) so OpenReach has
| just left this area on crappy old copper phone lines and my
| alternative is <10Mb/s from DSL.
|
| It sucks and I hate it and I have absolutely no choice in the
| matter. Thanks capitalism! ;)
|
| Edit: Fun fact, VM is owned by Liberty Global, who have thus far
| rolled out IPv6 on their other ISPs using DS-Lite (where you get
| a routable v6 address, but your v4 address is behind Carrier
| Grade NAT). I saw this and decided to switch to VM's business
| service so I could get a static v4 address.... turns out they
| just connect normally over the residential network and then do a
| GRE tunnel to the other side of the country for the static
| addressing, and their crappy router will just randomly stop
| routing packets over the GRE tunnel after a couple of weeks,
| requiring a reset of the router.
| lilSebastian wrote:
| Home hub is a spectacularly poor piece of kit. Long start up time
| from powering on, high energy usage, really poor software (repeat
| soft bricking from remote updates at random times of day and
| night), historically awful attitudes to security (see other
| comments). Everything was better run as Telewest/NTL.
| johnklos wrote:
| Nobody should use ISP provided equipment for anything security
| sensitive, ever. ISPs don't care about security at all, aside
| from "security" as a sales term, and aside from when they're
| getting a bad name because of egregious failures.
|
| ARRIS shouldn't be given a year embargo, either. They're the same
| company who've known since 2016 about hardware issues which
| cannot be corrected in software in the Intel PUMA chipsets, yet
| they still to this day sell devices with them. They don't care
| about fixing things - they care about selling things.
| stronglikedan wrote:
| Heck, AT&T won't even let you change the wifi password if you
| use their router. Well, you _can_ change it, but it will revert
| to whatever's on the sticker when the router updates itself.
| And they will tell you this with a straight face. Incredible.
| [deleted]
| thejetset wrote:
| I think generally you don't get a choice when it comes to
| DOCSIS equipment. You can't just connect up your own (or at
| least not to Virgin Media's network)
| treesknees wrote:
| This is one of the few positives I'll give to
| Comcast/Xfinity. I'm able to purchase my own DOCSIS modem (as
| long as it's on their compatibility list) instead of renting
| one from them.
|
| AT&T U-verse I couldn't bring my own modem, and I understand
| that they're not a DOCSIS network either.
| InitialLastName wrote:
| With Optimum (nee Cablevision) they pretend to be BYO
| accessible, but their compatibility list isn't a guarantee
| of compatibility (depending on region, different devices
| are compatible but they would never tell you that on their
| website), you have to wait on hold for 3 hours to activate
| the device, and then it still might fail for reasons their
| support agents can never explain.
| silisili wrote:
| ATT is really weird about it. They apparently decided a few
| years back that they'd not allow third party devices on
| their network, and keep doubling down on it.
|
| Some folks smarter than myself figured out how to mimic the
| ONT handshakes or some such that they could use their own
| devices. IIRC, they were pulling the certs from the ATT
| box. ATT then came in and installed new stuff at the
| station to not allow that anymore. I don't remember all the
| technical details, but that's what I found when I spent an
| hour or so researching how to get rid of their awful box.
| In short, you can't...and even if you manage to, it won't
| be for long.
| chenxiaolong wrote:
| Any chance you have more details on this? I set up
| wpa_supplicant on my router to do the 802.11x auth to the
| ONT and short of a single "your modem/router is not
| phoning home"-type email, it's been working great the
| past year. Hoping this does not break in the future.
| silisili wrote:
| I don't have time to re-research it all ATM, but a quick
| Google search, I think this is the thread -
|
| https://www.dslreports.com/forum/r32839785-AT-T-Fiber-
| Gatewa...
| lebrad wrote:
| Comcast makes you downgrade to a business account if you
| want to get a reverse DNS entry from them. Reverse DNS is a
| requirement if you want to host your own e-mail and not
| have your mail categorized as spam. Comcast business
| accounts don't allow you to use your own DOCSIS modem.
| joecool1029 wrote:
| >Comcast business accounts don't allow you to use your
| own DOCSIS modem.
|
| Not true. I have multiple business locations using
| customer owned surfboards.
|
| Might be a requirement for static addresses but it's not
| for business service in general.
| ArchOversight wrote:
| You only need their Comcast Business modem if you have
| static IP's because they route them using RIP with a
| password that is set inside the cable modem with their
| custom software.
|
| If you don't have a static IP with Comcast Business it
| makes it awfully hard to run a mail server, but then you
| can indeed use your own cable modem.
| mikepurvis wrote:
| Rogers network in Canada also permits BYO-- I've used my
| own modem for years as a TekSavvy cable customer, and
| recently upgraded from one owned modem to another (both
| purchased second hand, though, so who knows-- maybe I've
| been pwnt all along).
| AlpineG wrote:
| Virgin Arris routers can be put in modem mode you put your
| own router behind it. I guess this solves most shortcomings
| and security issues.
| myself248 wrote:
| I brought my own modem to WideOpenWest, and it wasn't even on
| the compatibility list. Just gave them the MAC, and a few
| moments later I had DHCP. Been solid for 9 years now.
|
| Although as of a few weeks ago, WOW has announced bandwidth
| caps, so I have to rescind my former glowing recommendation.
| Le sigh.
| dangerface wrote:
| Looks like they don't offer services in the UK.
| deanclatworthy wrote:
| You can take those routers and use it as a modem only. Then
| put your own router in front of it.
| stordoff wrote:
| I haven't tried it myself, but this chain of comments at
| /r/netsec[1] suggests it doesn't help:
|
| > I'm guessing a workaround is to use a 3rd party router
| and block traffic to 192.168.100.1 which is the IP of the
| management UI when in modem only mode, presumably the
| external IP can still be retrieved in modem only mode
|
| > If it's still active in modem-only mode, it essentially
| precludes use of these routers entirely for any sensitive
| comms.
|
| > The web interface is still available in bridge mode with
| Liberty Global's Arris modems, yes.
|
| > Just tried it on my device in modem-mode and it does
| indeed still expose the snmpGet endpoint. As suggested
| above, i've firewalled all traffic to 192.168.100.1 on my
| own firewall.
|
| [1] https://www.reddit.com/r/netsec/comments/pnzs0n/silentl
| y_unm...
| buggeryorkshire wrote:
| It's still not really modem-only mode. They do routing in
| there, mainly for their management layer.
| Semaphor wrote:
| I must admit, I don't know much about networking. But do
| you have some more information there? My German cable
| router is in modem-mode, and I'd be interested in knowing
| what kind of routing it still does.
| lxgr wrote:
| DOCSIS networks usually assign some management IP address
| that the provider can access to perform remote
| diagnostics on the modem directly. It's usually invisible
| and inaccessible to the user.
|
| Also, in many cases there is a specific that the "modem"
| listens on, serving a web interface that allows switching
| back to "router" mode. This also wouldn't be possible
| with a "pure" modem (as it shouldn't have any concept of
| the IP layer).
| thrashh wrote:
| Note that even many actual DOCSIS modems have management
| interfaces and are not pure.
|
| I have always been able to view the management page for
| my Arris/Motorola Surfboard modems.
| Semaphor wrote:
| That makes sense. After all, I weirdly had to use their
| webinterface to even put it into modem mode. Thanks.
|
| Though now that I'm thinking of it, are you sure it uses
| IP? It's not as if they can't use other layers.
| LilBytes wrote:
| Can't speak for all Telcos but in Australia, DOCSIS
| modems are registered by their MAC address on the modem
| itself. Not by IP address.
|
| I can't imagine this is different elsewhere so it's
| likely the replying comment above yours is incorrect.
|
| Source: I was previously a network engineer for a
| national Telco.
|
| Other sources: DOCSIS 3.0 registration info:
| https://volpefirm.com/docsis-3-0-cable-modem-
| registration/
| lxgr wrote:
| Registration/network access and management are two
| different things, no?
| LilBytes wrote:
| Not always, with Telstra the MAC address was also
| responsible for authentication.
|
| Though I believe it's since changed, my last interaction
| with DOCSIS was 4-5 years ago. I seem to recall there's a
| captive portal involved now but previously it was solely
| MAC.
| dangerface wrote:
| Virgin used to just use the mac address with their old
| modems, you could flash the firmware and change the mac
| so you could buy their cheapest package and flash the mac
| of a modem with unlimited gbit internet. They cracked down
| on that a few years ago tho so I don't think this is
| possible anymore.
| lxgr wrote:
| Modern DOCSIS also uses certificate-based authentication.
|
| Only the owner of a given MAC OUI is able to create a
| certificate covering MACs under it that will be accepted
| by the CMTS.
| gruez wrote:
| But that's fine right? If your ISP wants to send you bad
| packets having your own equipment isn't going to stop
| them either
| kevin_thibedeau wrote:
| Which then burdens you with a double NAT which shouldn't
| ever be necessary if the industry had their shit together.
| nly wrote:
| No you don't. In modem mode the VM routers only issue a
| single IP (the internet facing IP) over DHCP to a single
| host (your router)
| guipsp wrote:
| Fwiw not all modems support this (and some do but the
| ISPs disable it).
| mugsie wrote:
| Virgin Media allows you to use "modem mode" on their
| service, which is great, because it also turns off the
| CGNat crap, and gives you a real IPv4 address via DHCP on
| your own equipment
| saurik wrote:
| (I bought my DOCSIS 3.whatever cable modem to use with Cox
| Cablevision myself at Best Buy after deciding which one I
| thought would be the best.)
| Crosseye_Jack wrote:
| In the UK, Virgin Media (the biggest cable provider, I
| think there may be a couple of minor regional cable
| providers still dotted around the country) are the largest
| cable provider after buying up the smaller regional
| companies (my regional provider was bought up by
| Telewest).
|
| Long story short, there were tons of regional providers,
| they were bought up by one of two players which basically
| divided the country into being served by either NTL or
| Telewest. NTL and Telewest then merged becoming
| NTL:Telewest, who then bought Virgin Mobile (an MVNO in
| the UK) to become a 4 way provider (TV, Phone, Internet and
| now Mobile). (Virgin Media are now owned by a US company,
| Liberty Global iirc.)
|
| Neither NTL nor Telewest allow consumer owned equipment
| onto their cable internet network, heck I remember Telewest
| only authing one consumer device MAC address to be
| connected to their modems at the start of their cable
| internet rollout (so if you wanted to use your own router
| connected to the modem, you would either have to give
| Telewest the MAC address of the router or set the MAC
| address of the WAN port to the MAC address of the computer
| that was initially connected to their network (which was
| the quickest option, you could never get them to swap it
| instantly over the phone, but could during business hours
| over Telewest's newsgroups as their engineers would hang out
| there, which used to be the quickest way to get your line
| serviced if there was ever an issue), a practice Telewest
| did drop before they merged with NTL. NTL never had such a
| policy iirc, but I only lived in an NTL area for a couple
| of years).
|
| Their modem security has never been "great". For the
| longest time (since creation till only a few years ago) you
| were able to get free internet if you cloned the MAC
| address of someone else's modem but used it in a different
| area, MAC addresses that could be captured by any modem
| (provisioned or not) connected to the network. So there
| used to be MAC swapping forums where X would scan and log
| their area and trade with Y who would do the same in theirs
| (used to be handy when they had "fair usage" throttling
| enabled, used your download limit for the day, swap your
| MAC and get a new limit, or if you wanted to run a
| 2nd/3rd/4th modem, but that would be naughty... So I never
| did such a thing. IIRC: Modem cloning is still possible
| today, but you need to get the certs from a provisioned
| modem, so it's not as simple as just sniffing MAC addresses
| from the cable line as other modems register on the
| network).
|
| Here in the UK, we have always been limited to the modem
| the cable company provided, which remained their property
| (both were often uncollected by the company when a customer
| left, so you could easily find old modems on ebay for
| pennies on the pound, which just happened to have their
| unsigned firmware (and MAC addresses) on SPI flash if you
| wished to tinker with them), which for 99% of the UK was
| fine, as it was common (and still is) to just use whatever
| device was issued to you. At least with ADSL/VDSL in
| the UK you are free to use whatever device you wanted
| (except for Sky, they used to be PITAs about getting the
| auth details to run your own modem, but once you did and
| as long as your modem supported their auth (which isn't the
| auth used by most of the xDSL providers in the UK) you were
| free to use your own equipment, just "unsupported" so if
| you had issues on your line, it was best to connect their
| modem to the line before calling customer services).
| cmsj wrote:
| Last time I had a modem upgrade from VM, the guys said I
| should keep the old modem and VM would contact me to send
| it back.
|
| Five months later I sent it off for recycling because I'd
| heard nothing. Two months after that they asked for it
| back and then charged me £80 for not having it anymore.
| Crosseye_Jack wrote:
| Back in the day they never bothered chasing up the modems
| even though they had wording in the contract they could
| charge if the equipment wasn't returned, the equipment
| was never given to the customer but loaned for "free",
| they were more pissy about their TV boxes, when I left
| them they kept sending threats to charge me for the
| boxes, I kept asking them to either collect them or send
| me pre-paid postage and I would send them back (was
| always "we'll mail one out" and they never did). One day I
| was in a pissy mood after another threat, drove down to
| the regional head office (at the time it was about 4
| miles away) slapped them down on the receptionist's desk
| with the threat letter and demanded a receipt.
|
| Never heard from them again.
|
| BT do the same these days with their hubs (or at least
| were planning to, dunno if they changed their minds after
| the backlash), BT's excuse is to reduce electronics waste.
| Not that they're going to reuse the gear themselves, more
| that they would recycle it.
|
| BE (before they were bought out by o2) would send you
| out a "cat trap" modem on the condition you returned it
| if you left (so they could give it to another customer as
| a cat trap) but didn't really give a crap about the
| primary modem.
| hellbannedguy wrote:
| Bestbuy likes to push the $300 modems. They do carry a $69
| one on the bottom shelf, if it's stocked.
| wrkronmiller wrote:
| Correct, but in this case, it sounds like you didn't need to
| use the ISP router as your VPN gateway.
|
| If I understand the DNS rebinding attack reference correctly,
| you could be running the VPN software on your desktop/laptop
| and still have your IP revealed by your ISP router.
| lxgr wrote:
| Arguably, a setup using a VPN for anonymity purposes is badly
| flawed if it allows traffic to anything but the VPN gateway.
| This includes the local network.
|
| Mediocre home appliances or (as in this case) ISP CPEs can
| easily deanonymize you.
| mindslight wrote:
| Yes, but you do want deliberate access to specific services
| on the local network. Mainly NFS exports and the like.
| lxgr wrote:
| Yes, but that's a deliberate security-convenience trade
| off then.
|
| One solution is to use proxy servers or per-app VPNs
| (without local network access) instead of a system-wide
| VPN, and effectively partition applications into trusted
| and untrusted ones.
| mindslight wrote:
| I've done that partitioning with virtual machines. I
| don't see how it's a "tradeoff". Yes, every additional
| service you expose can have its own security flaws, but
| you have to get data in/out of a VPN'd VM somehow. Even
| if I allocated more local storage to the VM and only
| ssh'd in to send/receive files, the ssh client could have
| a hole in it. nfsd, samba, sshd, and ssh are designed to
| do singular jobs. The issue in this case is the exposing
| of a consumer router that was never designed for security
| from the local network.
| RicoElectrico wrote:
| Yeah, avoid ARRIS whenever you can. Their modems make cable
| internet a dreadful experience, which it shouldn't have been.
|
| Here's the list with modems affected by the hardware bug you
| mentioned: https://www.badmodems.com/
| SkyPuncher wrote:
| Holy shit. I've been dealing with this for the past 2 years
| and it's infuriating. I've tried everything and eventually
| diagnosed it as a bug in my modem. Random latency spikes,
| unbelievably jittery internet calls, hard to diagnose.
| antattack wrote:
| It's worth pointing out that not all Arris modems are
| affected. As the link provided describes - issue is with
| chipset inside and there are other brands that use it [1]
|
| [1]https://approvedmodemlist.com/intel-puma-6-modem-list-
| chipse...
| selykg wrote:
| Was going to say, I've only ever used Arris modems and
| really haven't had any issues with the Surfboard line in
| ~15 years of using them. They used to be part of Motorola,
| not sure when that switch happened, but I've used them in
| some form or another since getting cable internet back in
| the late 90s or early 2000s. Time flies.
| beermonster wrote:
| Users of ISP modem routers should put them in modem mode and use
| their own equipment for reliability and security - where
| possible.
|
| VM ones can be put in modem mode.
| azalemeth wrote:
| Not only that, but mandate a route only to 192.168.1.1 (or
| whatever) and _not_ the whole 192.168.x.x address space (which
| this exploit uses -- I didn't know there was a separate
| management interface on 192.168.100.1 until a poster above
| mentioned it).
| billyjobob wrote:
| Why is the web browser allowing the Javascript program to access
| a different server than the one it was loaded from? They call
| this a "DNS rebinding attack", and it seems it could compromise
| any router that doesn't have a password set, not just this
| router? So isn't the real problem here the _browser_ running
| untrusted code and giving it access to your local network because
| it didn't check if the DNS had changed?
| yardstick wrote:
| I wish browsers would solve the problem by using TLS (ok that's
| a website operator issue) and discarding any javascript loaded
| from a different certificate for the same domain.
| afrcnc wrote:
| A better write-up is available in the actual source here:
| https://fidusinfosec.com/silently-unmasking-virgin-media-vpn...
| buro9 wrote:
| This appears to use API endpoints that are available if the modem
| is in ISP mode and acting as the Wi-Fi, etc.
|
| Does this also affect the router when used in modem mode?
| nly wrote:
| How is this not prevented by same origin policy etc?
| dividuum wrote:
| Since they mention a DNS rebinding attack, I would assume the
| victim visits or is redirected to attacker.com. This then has
| all the JS to talk to the unsecured router API endpoints. Now
| after a few seconds the attacker.com's IP address is switched
| to 192.168.0.1 (or whatever the routers default IP is) and
| zap: the SOP is circumvented.
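The rebinding sequence described above (attacker.com first resolving to a public address, then flipping to a private one such as the modem's management address) is exactly what a rebinding-aware resolver filter is meant to refuse, in the spirit of dnsmasq's stop-dns-rebind option. This is an added example, not code from the thread or the advisory; the hostnames, answer lists and the RebindGuard class are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Ranges a public hostname should never resolve to. RFC 1918 covers the
# 192.168.100.1 management address discussed in this thread; loopback,
# link-local and the CGNAT range are included for the same reason.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]


class RebindAttempt(Exception):
    """Raised when a name that resolved publicly later offers only private addresses."""
    def __init__(self, name: str, before: List[str], after: List[str]):
        super().__init__(f"{name}: {before} -> {after}")
        self.name, self.before, self.after = name, before, after


def is_blocked_address(addr: str) -> bool:
    """True if addr falls inside one of BLOCKED_NETS."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 answer (::ffff:192.168.100.1) is checked as IPv4,
    # otherwise it would slip past the IPv4 ranges.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


class RebindGuard:
    """Filter DNS answers and remember what each name last resolved to,
    so a later switch from public to private addresses is flagged."""

    def __init__(self, allow_private: Optional[Set[str]] = None):
        # Names that legitimately live on the LAN (a NAS, a printer) are
        # exempted explicitly rather than opening the whole private space.
        self.allow_private = allow_private or set()
        self.seen: Dict[str, List[str]] = {}

    def filter(self, name: str, answers: List[str]) -> List[str]:
        if name in self.allow_private:
            accepted = list(answers)
        else:
            accepted = [a for a in answers if not is_blocked_address(a)]
        previous = self.seen.get(name)
        if previous is not None and answers and not accepted:
            # The name used to resolve to public addresses and now offers
            # only private ones: the rebinding step of the attack.
            raise RebindAttempt(name, previous, list(answers))
        if accepted:
            self.seen[name] = accepted
        return accepted


# Constructed lookup sequence reproducing the attack as described above:
# the attacker-controlled name is public for two lookups, then flips to
# the modem management address. nas.lan is a legitimate LAN host.
SAMPLE_LOOKUPS: List[Tuple[str, List[str]]] = [
    ("attacker.example", ["203.0.113.10"]),
    ("attacker.example", ["203.0.113.10"]),
    ("attacker.example", ["192.168.100.1"]),
    ("nas.lan", ["192.168.1.20"]),
]


def replay(lookups: List[Tuple[str, List[str]]],
           allow_private: Set[str] = frozenset()) -> List[Tuple[str, str, List[str]]]:
    """Run a lookup sequence through a fresh guard and report each outcome."""
    guard = RebindGuard(set(allow_private))
    results = []
    for name, answers in lookups:
        try:
            results.append(("ok", name, guard.filter(name, answers)))
        except RebindAttempt as exc:
            results.append(("rebind", name, exc.after))
    return results


if __name__ == "__main__":
    for outcome in replay(SAMPLE_LOOKUPS, allow_private={"nas.lan"}):
        print(outcome)
```

The third lookup is reported as a rebind rather than silently returning an empty answer, which is what you would want to log; without the allow-list entry, nas.lan would simply resolve to nothing.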
| stordoff wrote:
| Comments at /r/netsec[1] suggest yes, but I haven't verified
| this:
|
| > Just tried it on my device in modem-mode and it does indeed
| still expose the snmpGet endpoint. As suggested above, I've
| firewalled all traffic to 192.168.100.1 on my own firewall.
|
| [1]
| https://www.reddit.com/r/netsec/comments/pnzs0n/silently_unm...
| inetsee wrote:
| This may be a very naive question, but is there a way for someone
| who is not knowledgeable about all the internet security issues
| discussed here of checking if my IP address is, in fact, being
| leaked when I'm using my VPN service?
| inetsee wrote:
| Never mind. I checked ProtonVPN's support page and there is a
| web page provided that shows my public IP address when I'm
| connected through the VPN, which is different from my IP
| address when I'm not connected through the VPN.
|
| Am I correct in assuming that this means that I'm not exposed
| by the vulnerability described in the article?
| jonathanstrange wrote:
| Recently I tried to find VPN providers that fully supported
| IPv6. There were only few options and they were much on the
| expensive side. Of the remaining IPv4 VPNs only few warned you in
| their docs about switching off IPv6, even fewer switched it off
| while running, and one I'm aware of switched it off forever in a
| sneaky way on Windows that involved continuously overwriting
| registry keys, which on the one hand was laudably paranoid but on
| the other hand caused endless hours of troubleshooting for me. In
| a nutshell, if your computer has an IPv6 address as it should
| have, the software from most commercial VPN providers will leak
| your IPv6 IP all the time to all websites and make you easy to
| identify.
|
| I suppose this is well-known to savvy users and sysadmins, but
| still thought it worth mentioning in the context of this more
| general router vulnerability. Some of the cheaper VPN services
| out there are very insecure anyway.
| SahAssar wrote:
| Mullvad supports ipv6, are reasonably priced and do not do the
| sort of dirty marketing that many other VPN companies do.
| dangerface wrote:
| As one of those edge cases I'm glad I don't use their router and I
| am even happier that doing so makes them sad.
___________________________________________________________________
(page generated 2021-09-20 23:02 UTC)