Multiple security vulnerabilities have been revealed in Verizon Fios Quantum Gateway Wi-Fi routers which could allow remote attackers to take full control of the affected routers, exposing every device connected to them.
The flaws were discovered by cybersecurity researchers at Tenable. According to Chris Lyne, a senior research engineer, there are three security vulnerabilities, which have been assigned CVE-2019-3914, CVE-2019-3915, and CVE-2019-3916. They are an authenticated command injection (with root privileges), a login replay and a password salt disclosure vulnerability, and they affect the Verizon Fios Quantum Gateway router (G1100).
Verizon Fios Quantum Gateway Wi-Fi routers are used by millions of consumers in the United States.
Authenticated Command Injection Flaw (CVE-2019-3914)
Lyne, while reviewing the log file on his router, found that the “Access Control” rules in the Firewall settings of the router’s web interface did not properly sanitize the “hostname” parameter before passing its value as part of a command to the console.
So, it is possible to manipulate the Firewall command by injecting malicious input as the hostname, ultimately allowing an attacker to execute arbitrary code on the affected device.
It is important to note that in order to exploit this vulnerability (CVE-2019-3914) the attacker first has to gain access to the router’s web interface, which itself reduces the attack surface unless the victim is relying on the default or a weak password.
Also, the affected routers do not have remote administration enabled by default, which further reduces the threat of Internet-based attacks.
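The root cause described above is a user-controlled hostname spliced into a command line. The following is an added example (not code from the router firmware or from Tenable) contrasting that anti-pattern with the defensive pattern: an allow-list hostname validator plus an argument list handed to the program without a shell. The command name `fw_block` and its flags are placeholders, and the sample inputs are constructed.

```python
import re
import subprocess
from typing import List, Tuple, Union

# RFC 1123 label: letters, digits and hyphens, 1-63 characters,
# not starting or ending with a hyphen. Whole name is at most 253 characters.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(hostname: str) -> bool:
    """Allow-list check: True only for a syntactically valid DNS hostname.
    Shell metacharacters (; | & $ ` spaces, quotes) never pass this test."""
    if not hostname or len(hostname) > 253:
        return False
    name = hostname[:-1] if hostname.endswith(".") else hostname  # tolerate trailing dot
    return all(_LABEL.match(label) for label in name.split("."))


def build_rule_unsafe(hostname: str) -> str:
    """The anti-pattern: the user-supplied value is pasted into a shell string.
    Whatever the user typed is handed to the shell to parse, so metacharacters
    in `hostname` change the command. Returned as a string for inspection only;
    nothing here executes it. `fw_block` is a placeholder command name."""
    return f"fw_block add --host {hostname}"


def build_rule_safe(hostname: str) -> List[str]:
    """Validate first, then build an argv list. Because the list is passed to
    the program directly (no shell), a value that somehow slipped through
    would still be a single inert argument rather than extra commands."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["fw_block", "add", "--host", hostname]


def check_rule(hostname: str) -> Tuple[bool, Union[List[str], str]]:
    """Convenience wrapper: (True, argv) if accepted, (False, reason) if not."""
    try:
        return True, build_rule_safe(hostname)
    except ValueError as exc:
        return False, str(exc)


def apply_rule(hostname: str) -> subprocess.CompletedProcess:
    """How the validated argv would be executed: list form, shell=False.
    (The placeholder `fw_block` binary does not exist on a normal host, so
    this is shown for the pattern, not called in the demo below.)"""
    return subprocess.run(build_rule_safe(hostname), shell=False,
                          check=False, capture_output=True)


if __name__ == "__main__":
    # Constructed inputs: one benign hostname, one carrying a shell separator.
    for candidate in ("example.com", "example.com; echo injected"):
        print("unsafe string :", build_rule_unsafe(candidate))
        print("safe argv     :", check_rule(candidate))
```

The validator is the first line of defence and the argv form is the second: even if validation were later relaxed, `subprocess.run` with a list and `shell=False` never invokes a shell to reinterpret the value.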
There are two attack scenarios that let an attacker execute commands remotely. The first is an insider threat: an attacker on the local network could record the login sequence (the salted hash) using a packet sniffer. In the second, either through legitimate access (a house guest) or social engineering (a customer support scam), an attacker could obtain the target router’s administrator password from the sticker on the router, along with its public IP address. They can then either turn remote administration on, confirm that it is enabled, or use the same social engineering ruse to have the victim enable it.
Then, the attacker can exploit CVE-2019-3914 remotely, from across the Internet, to gain a root shell on the router’s underlying operating system. From there, they control the network: they can create back doors, record sensitive Internet transactions, pivot to other devices, and so on.
The Verizon router also supports Java through an embedded JVM (Java Virtual Machine), so an attacker can upload a Java-based payload to obtain a reverse shell with root privileges and launch further attacks. To execute a Java reverse shell, the attacker only has to upload and run a Java class.
Login Replay and Password Salt Disclosure Flaws
The second vulnerability, identified as CVE-2019-3915, exists because the router’s web administration interface relies on an insecure HTTP connection.
It allows network-based attackers to intercept login requests using a packet sniffer and replay them to gain admin access to the web interface.
The third vulnerability, CVE-2019-3916, allows an unauthenticated attacker to retrieve the value of the password salt simply by visiting a URL in a web browser.
Since the router firmware does not enforce HTTPS, attackers can capture a login request containing the salted password hash (SHA-512), which can then be used to recover the plaintext password.
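The two flaws above combine because the value the login form sends is a static salted SHA-512 digest: it is identical on every login, so a copy captured from plain HTTP is accepted again (CVE-2019-3915), and with the salt disclosed (CVE-2019-3916) the same capture is also a target for offline password guessing. The following added example (not the router’s login code or anything from Tenable) models both a static-digest login and a single-use nonce challenge-response, and shows that a captured exchange replays against the first but not the second. The salt and password are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set

# Constructed values for the demonstration only; not the router's real salt or password.
SALT = "constructed-salt"
PASSWORD = "constructed-admin-password"


def salted_sha512(salt: str, password: str) -> str:
    """Static salted hash: same salt and password always yield the same digest,
    so the value a client submits never changes between logins."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


class StaticHashLogin:
    """Models a form that submits salted_sha512(salt, password) on every login.
    Over plain HTTP that digest is visible on the wire; because it is constant,
    an observer can resubmit it verbatim and be accepted."""

    def __init__(self, salt: str, password: str) -> None:
        self._expected = salted_sha512(salt, password)

    def login(self, submitted_digest: str) -> bool:
        return hmac.compare_digest(submitted_digest, self._expected)


class NonceLogin:
    """Challenge-response: the server issues a random single-use nonce and the
    client answers with HMAC(secret, nonce). A captured answer is bound to a
    nonce that is already spent, so resubmitting it fails. This stops replay
    only; the secret is still password-derived, so transport protection
    (HTTPS) is still required."""

    def __init__(self, salt: str, password: str) -> None:
        self._secret = salted_sha512(salt, password).encode()
        self._outstanding: Set[str] = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._outstanding.add(nonce)
        return nonce

    @staticmethod
    def answer(salt: str, password: str, nonce: str) -> str:
        """Client side: derive the same secret and MAC the server's nonce."""
        secret = salted_sha512(salt, password).encode()
        return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()

    def login(self, nonce: str, response: str) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already-consumed nonce
        self._outstanding.discard(nonce)  # single use
        expected = hmac.new(self._secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def replay_static(salt: str = SALT, password: str = PASSWORD) -> Dict[str, bool]:
    """Legitimate login, then the identical digest resubmitted by an observer."""
    server = StaticHashLogin(salt, password)
    captured = salted_sha512(salt, password)  # what a sniffer on HTTP would see
    return {"legitimate": server.login(captured), "replay": server.login(captured)}


def replay_nonce(salt: str = SALT, password: str = PASSWORD) -> Dict[str, bool]:
    """Same experiment against the challenge-response design."""
    server = NonceLogin(salt, password)
    nonce = server.challenge()
    captured = NonceLogin.answer(salt, password, nonce)  # the sniffed exchange
    first = server.login(nonce, captured)
    replay = server.login(nonce, captured)  # same nonce, same answer, resubmitted
    return {"legitimate": first, "replay": replay}


if __name__ == "__main__":
    print("static digest  :", replay_static())
    print("nonce challenge:", replay_nonce())
```

The model isolates why the replay works, namely that nothing in the login is fresh per attempt; the remedy Verizon shipped is to protect the transport, and a challenge-response design is shown here only to make that property visible, not as a substitute for HTTPS.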
The vulnerabilities were reported to Verizon, which responded and addressed them in new firmware version 02.02.00.13, which will be applied automatically.
Users should confirm that their router has been updated to version 02.02.00.13 and, if not, contact Verizon for more information.
A Shodan search revealed that almost 15,000 Verizon Fios Quantum Gateway Wi-Fi routers with remote administration enabled were accessible from the Internet.