
Modems distributed by AT&T vulnerable - crgt
https://threatpost.com/bugs-in-arris-modems-distributed-by-att-vulnerable-to-trivial-attacks/127753/
======
laken
I don't understand how so many internet-connected device manufacturers don't
even _think_ to check if they have open ports, _especially_ an open SSH
port. Or is it that they just don't care? I can't tell anymore.

~~~
monocasa
Try and probe a big ISP switch sometime. They're generally running an ancient
unpatched Linux and SSH with known vulnerabilities.

They don't care about their own crap, much less yours.

~~~
X86BSD
And until we have liability laws written to hold them accountable for not
maintaining the security of their products this will continue to be the case.

------
yegle
I'm very interested to get a copy of the said vulnerable firmware to poke
around. How can I get one?

One use case is for ATT Fiber users to get the 802.1x certificate from the
router, and use your own router instead (RouterOS etc.).

~~~
esaym
Here you go: [http://tinyurl.com/yatdzfsu](http://tinyurl.com/yatdzfsu)

I managed to root my 589 a while back pretty easily by just using a crafted HTTP
POST request. I run my modem in IP passthrough mode (like DMZ), and as far as
I can tell, most of the open ports are not there that the article mentions (at
least not on the WAN side).

~~~
schraitle
I did something similar to a modem supplied by Cox to enable bridge mode a few
years ago. It required going to one of the modem settings pages, using browser
tools to uncomment some HTML in the source of one of the forms, and then just
submitting the form.

------
anonova
Another popular and flawed modem Arris released into the wild is the SB6190.
You can easily DoS it:
[https://www.dslreports.com/shownews/Puma-6-Flaw-Lets-Attackers-Bog-Down-Impacted-Modems-Gateways-139486](https://www.dslreports.com/shownews/Puma-6-Flaw-Lets-Attackers-Bog-Down-Impacted-Modems-Gateways-139486)

------
sjbase
> "There’s no way people are not exploiting this in the wild"

Hard to disagree there.

Does it really usually take 2 months for something like this to get disclosed?
Seems like anyone bored enough to run a SYN scan on one of these would find
the vulnerable services instantly.

