ARRIS / Motorola SURFboard SBG6580 Password Disclosure

2014.05.19
Credit: Inokii
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

========================================
Inokii Security Advisory
Inokii-ID: 2014-01
========================================

Affected Product:
ARRIS / Motorola SURFboard SBG6580 Series Wi-Fi Cable Modem Gateway

Severity Rating: Important

Impact:
Username and password for the user interface as well as wireless network keys can be disclosed through SNMP.

Description:
The SBG6580 Cable Modem Gateway product specifications include SNMP v2 & v3 under Network Management. The management information bases (MIBs) of various device subsystems on the SBG6580 allow local network users to discover user interface credentials and wireless network key values through simple SNMP requests for the value of these variables. Given that the security authentication in SNMPv1 and SNMPv2c does not offer sufficient protection, this increases the risk that the values can be disclosed through SNMP using the default read-only community "public".

The issue was confirmed in software version SBG6580-6.5.0.0-GA-00-226-NOSH.

Object Identifiers (OIDs):

1. Cable Modem Gateway User Interface
   a. Username: 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
   b. Password: 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0

2. Primary Wireless Network
   a. Network Name (SSID): 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32
   b. WPA Pre-Shared Key: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32
   c. WEP PassPhrase: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.1.1.3.32
   d. WEP 64-bit Network Keys
      * Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.1
      * Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.2
      * Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.3
      * Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.32.4
   e. WEP 128-bit Network Keys
      * Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.1
      * Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.2
      * Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.3
      * Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.32.4

3. Guest Wireless Network
   a. Network Name (SSID): 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.33
   b. WPA Pre-Shared Key: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.33
   c. WEP PassPhrase: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.1.1.3.33
   d. WEP 64-bit Network Keys
      * Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.33.1
      * Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.33.2
      * Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.33.3
      * Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.2.1.2.33.4
   e. WEP 128-bit Network Keys
      * Key 1: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.33.1
      * Key 2: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.33.2
      * Key 3: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.33.3
      * Key 4: 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.3.1.2.33.4

A Metasploit Framework module, sbg6580_enum.rb, was created to demonstrate the information exposure. The module can be found under Inokii's fork of the Metasploit Framework.
https://github.com/inokii/metasploit-framework

Disclosure Timeline:
2014-04-01 Issue reported to vendor
2014-04-10 Contacted vendor to verify advisory was received
2014-04-15 Vendor acknowledged that the disclosure was reviewed and expected to have a response shortly.
2014-05-17 Public Disclosure

Acknowledgments:
Researched by Matthew Kienow of Inokii.

Reference:
http://www.arrisi.com/modems/datasheet/SBG6580/SBG6580_UserGuide.pdf

Contact:
Inokii is a group of security professionals working together on information security testing, research and training.
Email: advisory@inokii.com
Web: http://www.inokii.com

Disclaimer:
Inokii is not responsible for misuse of the information provided in our security advisories. The advisories are a service to the professional security community. The information provided in this advisory is provided "as is" without warranty of any kind. Inokii disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Inokii be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Inokii have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
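
Added example (not part of the Inokii advisory or its Metasploit module): a detection-side check that decodes an SNMPv1/v2c message from a packet capture and reports its community string and any OIDs under the credential subtrees listed above. The two prefixes are derived from the advisory's OID list, and both packets are constructed samples.

```python
# Added example, not from the advisory: prefixes derive from its OID list.
SENSITIVE_PREFIXES = (
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.",   # user interface username / password
    "1.3.6.1.4.1.4413.2.2.2.1.5.4.",   # wireless SSID, WPA PSK, WEP keys
)
# Constructed SNMPv2c GetRequest packets (community "public") used as samples.
SAMPLE_PASSWORD_GET = bytes.fromhex(
    "302d 020101 0406 7075626c6963 a020 020101 020100 020100 3015"
    "3013 060f 2b06010401a30b0204010106010200 0500")
SAMPLE_SYSDESCR_GET = bytes.fromhex(
    "3026 020101 0406 7075626c6963 a019 020101 020100 020100 300e"
    "300c 0608 2b06010201010100 0500")

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs, value = [], 0
    for byte in raw:                       # base-128, high bit = "more bytes"
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # first sub-identifier packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def inspect(packet):
    """Return (community, [sensitive OIDs named]) for an SNMPv1/v2c message."""
    _, msg, _ = read_tlv(packet, 0)
    _, _, pos = read_tlv(msg, 0)           # version
    _, community, pos = read_tlv(msg, pos)
    _, pdu, _ = read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                     # request-id and the two status fields
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, varbind, pos = read_tlv(varbinds, pos)
        oids.append(decode_oid(read_tlv(varbind, 0)[1]))
    return community.decode("latin-1"), [o for o in oids if o.startswith(SENSITIVE_PREFIXES)]
```

Response PDUs share this layout, so running `inspect` over responses as well catches GetNext walks, where the request names the preceding OID rather than the sensitive one.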

