Verizon Fios Quantum Gateway Routers Patched for Multiple Vulnerabilities

Tenable Research discovered multiple vulnerabilities in Verizon’s Fios Quantum Gateway routers.

Background

Tenable Research has discovered multiple vulnerabilities in the Verizon Fios Quantum Gateway (G1100) router. Verizon has released firmware version 02.02.00.13 to fix these vulnerabilities.

Analysis

There is a sticker on the side of the routers. Each customer is given a different Wireless network name, Wireless password, and Administrator password. These vulnerabilities are focused around the Administrator password, not the password you use to connect to the Wi-Fi. The Administrator password is there for the Verizon customer to log into the router to perform various tasks that define the network. The vulnerabilities include:

CVE-2019-3914 - Authenticated Remote Command Injection

This vulnerability can be triggered by adding a firewall access control rule for a network object with a crafted hostname. An attacker must be authenticated to the device's administrative web application in order to perform the command injection. In most cases, the vulnerability can only be exploited by attackers with local network access. However, an internet-based attack is feasible if remote administration is enabled; it is disabled by default.

CVE-2019-3915 - Login Replay

Because HTTPS is not enforced in the web administration interface, an attacker on the local network segment can intercept login requests using a packet sniffer. These requests can be replayed to give the attacker admin access to the web interface. From here, the attacker could exploit CVE-2019-3914.

CVE-2019-3916 - Password Salt Disclosure

An unauthenticated attacker is able to retrieve the value of the password salt by simply visiting a URL in a web browser. Given that the firmware does not enforce the use of HTTPS, it is feasible for an attacker to capture (sniff) a login request. The login request contains a salted password hash (SHA-512), so the attacker could then perform an offline dictionary attack to recover the original password.

Impact

These routers are supplied to all new Verizon Fios customers unless they elect to use their own router, which isn’t very common. Tenable researcher Chris Lyne has outlined several potential attack scenarios for these vulnerabilities.

Scenario 1: Rebellious teen (insider threat)

CVE-2019-3915 - Login Replay

Let's assume the Verizon customer is a parent of a teenager. The teenager wants to circumvent parental controls, as teens are wont to do. Let's assume the parent is smart and has changed the Administrator password for the router. The teen can’t just use the credentials on the sticker to log into the administrative interface and change the parental controls. They have to try something else.

It's safe to say that a concerned parent would log into the router from time to time to check whether the teen has tried to flout the parental controls. Because HTTPS is not enforced in the web browser, a clever teen could perform packet sniffing and record the parent’s login. After recording the login sequence, the teen could then replay the login to gain access to the router's administrative interface (CVE-2019-3915). At this point, he or she could change the parental controls, delete evidence of misbehavior, etc.

Scenario 2: The house guest who never left (insider threat, remote attack)

CVE-2019-3914 - Authenticated Remote Command Injection

People have house guests over all the time - family members, friends, friends of friends, or maybe even AirBNB guests. Often, you'll give your guests your Wi-Fi password (WPA2 key) to allow them to use your internet connection.

So, the house guest is physically in your home and has connected to your Wi-Fi. The house guest can determine your public IP address by visiting https://www.whatismyip.com/ on their mobile device. They could also take a photo of the credential sticker on the Verizon Fios Quantum Gateway router.

Using this information, the house guest could do either of the following:

1. Log into the router's administrative web interface to enable Remote Administration.
2. Hope that Remote Administration is already enabled. (A Shodan.io search shows 15,323 Verizon routers with Remote Administration enabled.)

After the house guest leaves, he or she can exploit CVE-2019-3914 remotely, from across the internet, to gain remote root shell access to the router's underlying operating system. From here, the house guest has control of the network. The attacker can create back doors, record sensitive internet transactions, pivot to other devices, etc.

Scenario 3: Verizon tech support social engineering (remote attack)

CVE-2019-3914 - Authenticated Remote Command Injection

Social engineering attacks aren’t just about phishing campaigns and data breaches due to untrained employees. They happen against “average” consumers all the time, too. It is entirely possible that a malicious actor would perform social engineering by masquerading as a Verizon tech support employee.

In this scenario, the attacker, posing as a customer support employee, calls a Verizon customer (victim) and pretends there is some sort of an issue with their Verizon Fios service. The attacker asks the customer for his/her Administrator password on the side of the router and to log into the router's admin web interface. At this point, the attacker could ask for the Public IP address which is conveniently displayed immediately after logging in. Also, the attacker would ask the victim to enable Remote Administration.

With this information, the attacker can exploit CVE-2019-3914 remotely, with the same outcome as Scenario 2.

Solution

Users are urged to confirm that their router is updated to version 02.02.00.13, and if not, contact Verizon for more information. It is recommended that users keep remote administration disabled.

Additional information

• Visit the Tenable Tech Blog on Medium to read researcher Chris Lyne’s in-depth story about his work uncovering these vulnerabilities
• Tenable Advisory

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.