Fri. Apr 26th, 2024

Researchers have found three security vulnerabilities in Verizon Fios Quantum Gateway routers that allowed a potential attacker to take full control of the devices.

Tenable Research found the three vulnerabilities, CVE-2019-3914, CVE-2019-3915 and CVE-2019-3916, in Verizon’s Fios Quantum Gateway routers, which are supplied to almost every new Verizon Fios customer. Separately, IBM Security researcher Grzegorz Wypych found a zero-day flaw in the TP-Link WR-940.

The flaws in the Fios Quantum Gateway (G1100) enabled an adversary to run commands on the system with the highest privileges, allowed login replay attacks and disclosed the data used for salting the password hash.

Researchers with Tenable, who disclosed the flaws on Tuesday, said the worst of them is an authenticated remote command injection glitch in the gateway’s API backend.

The vulnerability CVE-2019-3914 has a CVSS severity score of 8.5, making it high-severity. Command injection attacks are possible when an application passes unsafe user-supplied data (such as forms or HTTP headers) to a system shell.

CVE-2019-3915 can allow login replay. Essentially, HTTPS is not enforced in the web admin interface so an attacker residing on the local network can intercept login requests using a packet sniffer and then replay them, giving the malicious actor admin access. This can then be used to exploit CVE-2019-3914.

The last issue, CVE-2019-3916, is a password salt disclosure. As with the previous vulnerability, the enabling factor is that the firmware does not enforce the use of HTTPS. In this case, the attacker can sniff the login request, which contains a salted password hash (SHA-512), allowing the attacker to perform an offline dictionary attack to recover the original password.
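The following added example (not from the original article, Tenable, or Verizon) models why a login that sends the same salted hash every time can be replayed, next to a verifier that binds each login to a single-use server nonce. The hash construction, the sample salt and password, and all function names are assumptions made for illustration; the gateway's real request format is not described on this page.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not taken from any real device.
SALT = "constructed-salt"
PASSWORD = "constructed-admin-password"
STORED = hashlib.sha512((PASSWORD + SALT).encode()).hexdigest()

def client_static_login(password, salt):
    """Weak model: the client sends the same salted hash on every login."""
    return hashlib.sha512((password + salt).encode()).hexdigest()

def verify_static(submitted):
    """Accepts the salted hash itself, so a sniffed copy stays valid."""
    return hmac.compare_digest(submitted, STORED)

class ChallengeVerifier:
    """Hardened model: each response is bound to a single-use nonce."""
    def __init__(self):
        self._pending = set()

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self._pending:
            return False              # unknown or already-used nonce
        self._pending.discard(nonce)  # consume it, even on failure
        expected = hmac.new(bytes.fromhex(STORED), nonce.encode(),
                            hashlib.sha512).hexdigest()
        return hmac.compare_digest(response, expected)

def client_challenge_login(password, salt, nonce):
    key = hashlib.sha512((password + salt).encode()).digest()
    return hmac.new(key, nonce.encode(), hashlib.sha512).hexdigest()

def demo():
    captured = client_static_login(PASSWORD, SALT)  # value seen on the wire
    static_replay = verify_static(captured)         # resubmitted later
    verifier = ChallengeVerifier()
    nonce = verifier.issue_nonce()
    response = client_challenge_login(PASSWORD, SALT, nonce)
    first = verifier.verify(nonce, response)        # legitimate login
    replay = verifier.verify(nonce, response)       # same bytes again
    return static_replay, first, replay
```

Nonce binding only addresses the replay; keeping the hash and salt off the wire, and so closing the offline guessing route described for CVE-2019-3916, still requires enforcing HTTPS on the admin interface.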

“Security at Verizon is a top priority. We were recently made aware of three vulnerabilities related to login and password information on the Broadband Home Router Fios-G1100. As soon as we were made aware of these vulnerabilities, we took immediate action to remediate them and are issuing patches. We have no evidence of abuse and there is no action required of our consumers.”

 
