Verizon router flaw affects millions
Three vulnerabilities have been discovered in the Verizon Fios Quantum Gateway that could give an attacker complete control of a victim's network. The device is used by millions of Verizon home customers and functions as a home's wireless router and digital gateway. Researchers said the worst of these flaws is an authenticated remote command injection bug in the gateway's API backend, tracked as CVE-2019-3914 and rated high severity. Command injection attacks become possible when an application passes unsafe user-supplied data, such as form fields or HTTP headers, to a system shell. After exploiting the vulnerabilities, a hacker could change the security settings of the device, change firewall rules or remove parental controls. They could also sniff network traffic to further compromise a victim's online accounts, steal bank details and swipe passwords.
The vulnerabilities exist in the API backend of the Verizon Fios Quantum Gateway model G1100, which supports the administrative web interface. Attacks of this type require only an intermediate skill level. The remote command injection does require the hacker either to know the administrative password or to have captured and replayed a previous login request. If remote administration is enabled on the router, the attack can be carried out from anywhere with an internet connection. Chris Lyne, a senior research engineer at Tenable, was examining the Access Control rules in the Firewall settings of the API backend when he discovered that the vulnerability could be triggered by adding a firewall access control rule for a network object with a crafted hostname.
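The unsafe pattern described above, a hostname taken from a firewall rule and spliced into a shell command, shown next to its hardened counterpart, as an added Python example. This is not code from the article, from Tenable or from the gateway firmware: the iptables command line, the function names and the RFC 1123 hostname check are assumptions chosen to illustrate the defence, and the "bad;host" input is a constructed sample.

```python
import re
import subprocess

# RFC 1123 label: letters, digits and hyphens, 1-63 characters, and not
# starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name: str) -> bool:
    """Allow-list check: accept only syntactically valid hostnames.

    Shell metacharacters, spaces, quotes and the like can never pass, so a
    value that survives this check is safe to hand to a downstream command.
    """
    if not name or len(name) > 253:
        return False
    if name.endswith("."):          # tolerate a trailing dot (fully-qualified name)
        name = name[:-1]
    return all(_LABEL.match(label) for label in name.split("."))


def build_rule_unsafe(hostname: str) -> str:
    """The vulnerable pattern: user data concatenated into a command line that
    is later handed to a shell (system() or subprocess with shell=True).
    Whatever the shell treats specially inside `hostname` becomes part of the
    command, which is the command-injection class the article describes.
    """
    return f"iptables -A FORWARD -d {hostname} -j DROP"   # hypothetical rule format


def build_rule_argv(hostname: str) -> list:
    """Hardened pattern: validate the input, then keep it as one argv element.

    With an argument vector and shell=False there is no shell to interpret
    the value; it reaches the program as a single literal argument.
    """
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["iptables", "-A", "FORWARD", "-d", hostname, "-j", "DROP"]


def apply_rule(hostname: str, dry_run: bool = True) -> list:
    """Build the rule and, unless dry_run, execute it without a shell."""
    argv = build_rule_argv(hostname)
    if not dry_run:
        subprocess.run(argv, check=True)   # shell=False is the default
    return argv


if __name__ == "__main__":
    for candidate in ("example.com", "bad;host"):   # constructed inputs
        try:
            print("accepted:", apply_rule(candidate))
        except ValueError as exc:
            print("blocked:", exc)
```

The two defences are independent and both are worth having: the allow-list rejects anything that is not a hostname before it goes anywhere, and the argv form means that even a value that slipped past validation would be passed to the program as data rather than parsed by a shell.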
In most cases the vulnerability can only be exploited by hackers with local network access, but if remote administration is enabled it can be exploited from the internet as well. Once Lyne realized that he could inject a command, he found ways to carry out further malicious actions, such as stealing passwords. Lyne found that the Verizon Fios Quantum Gateway has two other flaws, which NIST catalogued as CVE-2019-3915 and CVE-2019-3916. These flaws exist because the firmware does not enforce the use of HTTPS, so it is possible for a hacker to capture a login request, which contains a salted password hash.
Since HTTPS is not enforced in the web administration interface, a hacker on the local network segment could intercept login requests with a packet sniffer. These requests can be replayed to give the attacker admin access to the web interface. The hacker can then take advantage of a password salt disclosure flaw, which allows an unauthenticated attacker to retrieve the value of the password salt simply by visiting a URL in a web browser. From there, a hacker can perform an offline dictionary attack to recover the original password. A dictionary attack is a brute-force technique for defeating an authentication mechanism by trying hundreds of likely candidates until the password or decryption key is found.
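The replay problem above exists because the captured login request is valid every time it is presented. A login design that is not replayable, as an added Python example that is not the gateway's protocol and not code from the article or from Tenable: the server issues a one-time nonce with the (assumed public) salt, the client answers with an HMAC over that nonce keyed by a password-derived verifier, and the server consumes the nonce on first use. The salt, password, work factor, class and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials; not values from any real gateway.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = "correct horse battery staple"
KDF_ITERATIONS = 100_000   # PBKDF2 work factor: makes each offline guess expensive


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Both sides derive the same verifier from the password and the salt.

    The salt is treated as public (the article's disclosure flaw), so the
    design relies on the KDF cost and the nonce, never on salt secrecy.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


class GatewayAuth:
    """Server side: hands out one-time challenges and checks HMAC responses."""

    def __init__(self, verifier: bytes, salt: bytes, ttl: float = 60.0):
        self._verifier = verifier   # stored instead of the password
        self._salt = salt
        self._ttl = ttl
        self._pending = {}          # nonce -> time it was issued

    def challenge(self):
        """Step 1: issue a fresh random nonce and the salt to the client."""
        nonce = secrets.token_bytes(32)
        self._pending[nonce] = time.monotonic()
        return nonce, self._salt

    def login(self, nonce: bytes, response: bytes) -> bool:
        """Step 3: verify the response and consume the nonce.

        pop() removes the nonce, so a second submission of the same
        (nonce, response) pair fails even though it was once valid.
        """
        issued = self._pending.pop(nonce, None)
        if issued is None or time.monotonic() - issued > self._ttl:
            return False
        expected = hmac.new(self._verifier, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def client_response(password: str, nonce: bytes, salt: bytes) -> bytes:
    """Step 2: the client proves knowledge of the password without sending it."""
    verifier = derive_verifier(password, salt)
    return hmac.new(verifier, nonce, "sha256").digest()


def demo():
    """Run the exchange once, then replay it, then try a wrong password."""
    server = GatewayAuth(derive_verifier(PASSWORD, SALT), SALT)

    nonce, salt = server.challenge()
    resp = client_response(PASSWORD, nonce, salt)
    first = server.login(nonce, resp)       # genuine login succeeds
    replay = server.login(nonce, resp)      # identical replay is rejected

    nonce2, salt2 = server.challenge()
    wrong = server.login(nonce2, client_response("wrong password", nonce2, salt2))
    return first, replay, wrong


if __name__ == "__main__":
    print("first login, replay, wrong password:", demo())
```

The nonce removes the replay value of a sniffed request, which is the CVE-2019-3915 problem, but it does not by itself stop an eavesdropper from guessing passwords offline against a captured nonce and response. That is why the verifier uses a deliberately slow KDF and why the interface should still be served only over HTTPS, as the article notes the firmware failed to enforce.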
According to a Verizon spokesperson, security at Verizon is a top priority, and once the company was made aware of the vulnerabilities it worked on fixing the flaws and deploying patches. Verizon states that it has no evidence of abuse and that customers don't have to take any action. Verizon released patches on March 13, 2019, and is in the process of auto-updating all impacted devices. A small number of devices have not yet been updated, so users are urged to confirm that their router is running version 02.02.0013. If it is not, contact Verizon immediately.