Overview
CVE-2016-15056 is a critical vulnerability affecting Ubee EVW3226 cable modem/routers. Firmware versions up to and including 1.0.20 store configuration backup files in the web root after they are generated for download. Crucially, these backup files remain accessible without authentication until the device is rebooted. This allows a remote attacker on the local network to retrieve the configuration backup and, because it is unencrypted, extract the plaintext admin password, leading to complete device compromise.
Technical Details
The vulnerability stems from the improper handling of configuration backups. When a user initiates a backup through the web interface, the Ubee EVW3226 creates a file, typically named ‘Configuration_file.cfg’, in the web root directory. The critical flaw is that this file is not protected by any authentication mechanism after creation. Therefore, any attacker on the same local network can directly request this file via HTTP using a URL like http://<router_ip>/Configuration_file.cfg.
Furthermore, the backup file itself is not encrypted. This means the attacker can simply open the downloaded file and search for the admin password, which is stored in plaintext. This provides the attacker with complete control over the modem/router.
CVSS Analysis
While the CVE record shows “N/A” for Severity and CVSS Score, this vulnerability should be considered HIGH severity. Its impact is significant because it allows for complete device compromise due to exposure of sensitive information, specifically the admin password, and the attack complexity is low, requiring only local network access. A local attacker could easily exploit this vulnerability without any special skills or knowledge.
Possible Impact
A successful exploitation of CVE-2016-15056 can lead to severe consequences:
- Complete Device Control: The attacker gains full administrative access to the modem/router.
- Network Manipulation: The attacker can change DNS settings, redirect traffic, and perform man-in-the-middle attacks.
- Information Theft: The attacker can access and steal sensitive information transmitted through the network.
- Malware Infection: The attacker can use the compromised modem/router to spread malware to other devices on the network.
- Service Disruption: The attacker can disrupt internet service for all users connected to the network.
Mitigation or Patch Steps
Unfortunately, official patches for this vulnerability may not be available due to the age of the affected devices. However, the following mitigation steps can be taken:
- Reboot Regularly: Rebooting the modem/router will remove the vulnerable configuration file from the web root. This is a temporary solution, as the file will be recreated upon the next configuration backup.
- Disable Remote Administration: If possible, disable remote administration access to the modem/router. This will limit the attack surface.
- Network Segmentation: If feasible, segment your network to isolate the Ubee EVW3226 modem/router from more critical devices.
- Strong Passwords Elsewhere: Although it doesn’t fix the Ubee vulnerability, ensure you use strong, unique passwords on all other devices and services connected to the network.
- Consider Replacement: The most effective solution is to replace the Ubee EVW3226 modem/router with a more secure and up-to-date device.
