Discovered by a researcher in December, none of the three flaws offers hackers a simple remote knock-out but they’re still vulnerabilities every owner will want patched as soon as possible.
At first glance, the most alarming is CVE-2019-3914, an authenticated command injection weakness which Tenable says can be “exploited remotely to achieve command execution with root privileges.”
However, read a bit further and an important qualification jumps out:
An attacker must be authenticated to the device’s administrative web application in order to perform the command injection.
This would only give an attacker a way in via local access (i.e. from within the network), or where remote admin is turned on (which by default it isn’t).
How might an attacker get local access? Assuming the web management interface and Wi-Fi have been secured (each G1100 ships with a unique password), another route would be by exploiting the second flaw uncovered, identified as CVE-2019-3915.
Described as a login replay flaw, an attacker could sniff login requests by capturing the “POSTed” SHA-512 password, replaying it to gain access to the router. This is a basic flaw but, again, requires local access.
Tenable blames the fact the router doesn’t enforce HTTPS for management sessions although, in fairness, precious few domestic routers do this because it’s seen as overkill for internal access.
The final issue is CVE-2019-3916, through which…
An unauthenticated attacker is able to retrieve the value of the password salt by simply visiting a URL in a web browser.
They’d still need to access to the SHA-512 password, which in this case Tenable suggests could be achieved through a dictionary attack against the revealed, salted hash. This might be tricky unless users have changed the secure default supplied with the router to something weaker.
Am I affected?
The FiOS Quantum Gateway (G1100) was launched in 2014 and is probably sitting in large numbers of homes and small businesses in the US that subscribe to Verizon’s fibre broadband. If you use this service, there’s a good chance you’re part of this population.
The router is based on Greenwave Systems’ AXON Platform, which worked with Verizon on the update.
What to do?
No advisory was issued, but according to Verizon, affected FiOS Quantum Gateways should have been remotely updated to a new firmware version, 02.02.00.13, on 13 March.
The firmware version can be checked by logging into the router (type
192.168.1.1 into a browser address bar and enter the admin password printed on the label stuck to the side of the device plus the user name
admin) and clicking on System Monitoring in the menu. The firmware version should be visible on this page.
As noted, the update should have been applied automatically without the user needing to do anything. However, Verizon thinks there are still a “small percentage” of users who need an update, possibly because their routers were turned off and unreachable.
A second check is to ensure that the remote admin is disabled, which stops the first of the three flaws from being remotely exploited.
This can be checked via the Firewall tab on the router’s management GUI (see page 106 in this user guide).