A high-severity flaw in the Verizon Fios Quantum Gateway, used in millions of U.S. homes, could allow for command injection.

UPDATE

Three vulnerabilities have been discovered in the Verizon Fios Quantum Gateway which, when exploited together, could give an attacker complete control of a victim’s network. The device is used by millions of Verizon home customers and functions as a home’s wireless router and digital gateway.

Researchers with Tenable, who disclosed the flaw on Tuesday, said the worst of these flaws is an authenticated remote command injection glitch in the gateway’s API backend. The vulnerability (CVE-2019-3914) has a CVSS severity score of 8.5, making it high-severity. Command injection attacks are possible when an application passes unsafe user-supplied data (such as form fields or HTTP headers) to a system shell.

After exploiting the vulnerabilities, “an attacker could tamper with the security settings of the device, change firewall rules or remove parental controls,” researchers said. “They could sniff network traffic to further compromise a victim’s online accounts, steal bank details and swipe passwords.”

The vulnerabilities exist in the API backend of the Verizon Fios Quantum Gateway (G1100), which supports the administrative web interface.

“This type of attack is feasible for an attacker with an intermediate level of skill,” Chris Lyne, senior research engineer at Tenable, told Threatpost. “The remote command injection does require the attacker to either know the administrative password or have captured and replayed a previous login request. If remote administration is enabled on the router, the attack can be carried out from anywhere with an internet connection.”

Specifically, while looking at Access Control rules in the Firewall settings of the API backend, Lyne discovered that the vulnerability could be triggered by adding a firewall access control rule for a network object with a crafted hostname.

An attacker must be authenticated to the device’s administrative web application in order to perform the command injection: “In most cases, the vulnerability can only be exploited by attackers with local network access,” said Lyne. “However, an internet-based attack is feasible if remote administration is enabled; it is disabled by default.”
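The root cause described above, a hostname taken from a firewall access control rule and handed to a system shell, is the classic command injection pattern. The following is an added example, not code from the gateway firmware or from Tenable: it contrasts the injectable pattern (user input interpolated into a shell command string) with the hardened form (validate the network object against an allowlist, then pass it as a single argv element with no shell involved). The firewall tool name `fw-ctl` and its flags are hypothetical; the example stands the tool in with the Python interpreter echoing its arguments so it runs offline.

```python
import ipaddress
import re
import subprocess
import sys

# RFC 1123 hostname: labels of 1-63 letters, digits or hyphens, not starting
# or ending with a hyphen, joined by dots, 253 characters at most overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\.?$",
    re.IGNORECASE,
)


def is_valid_network_object(value: str) -> bool:
    """Accept an IPv4/IPv6 address or an RFC 1123 hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(value))


def unsafe_rule_command(hostname: str) -> str:
    """The injectable pattern: user input interpolated into a shell string.

    Anything the shell treats specially inside `hostname` becomes part of
    the command line once this string is run with shell=True or os.system.
    (Shown for contrast only; this function is never executed here.)
    """
    return f"fw-ctl add-rule --deny --src {hostname}"   # fw-ctl is hypothetical


def safe_rule_argv(hostname: str) -> list:
    """Hardened form: allowlist-validate, then pass the value as one argv element."""
    if not is_valid_network_object(hostname):
        raise ValueError(f"rejected network object: {hostname!r}")
    return ["fw-ctl", "add-rule", "--deny", "--src", hostname]


def is_rejected(hostname: str) -> bool:
    """True when the hardened path refuses the value (used by callers/tests)."""
    try:
        safe_rule_argv(hostname)
    except ValueError:
        return True
    return False


def apply_rule(hostname: str) -> list:
    """Run the rule without a shell and return the argv the tool actually saw.

    The hypothetical fw-ctl binary is replaced by the Python interpreter
    printing its own arguments, one per line, so the example runs offline
    and shows that argument boundaries are preserved exactly.
    """
    argv = safe_rule_argv(hostname)
    echo = [sys.executable, "-c",
            "import sys; print('\\n'.join(sys.argv[1:]))"] + argv
    completed = subprocess.run(echo, capture_output=True, text=True, check=True)
    return completed.stdout.splitlines()


if __name__ == "__main__":
    print(apply_rule("printer.lan"))
    print("a;b rejected:", is_rejected("a;b"))
```

The validation step is what removes the shell from the trust boundary: once the value can only be an address or a well-formed hostname, there is nothing left for a shell to interpret, and passing it as its own argv element (never through `shell=True`) means the tool receives it verbatim even if the validator is later loosened.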

Once he realized that he could inject a command, Lyne looked for ways to carry out further malicious attacks, such as stealing passwords. That is when Lyne found that the Verizon Fios Quantum Gateway has a second (CVE-2019-3915, with a CVSS score of 6.9) and a third (CVE-2019-3916, with a CVSS score of 4.3) vulnerability.

Essentially these flaws exist because the firmware does not enforce the use of HTTPS, so it is possible for an attacker to capture a login request, which contains a salted password hash (SHA-512).

While Lyne did not detail the full exploit for these flaws, he said that CVE-2019-3915 exists because HTTPS is not enforced in the web administration interface, so an attacker on the local network segment could intercept login requests using a packet sniffer.

“These requests can be replayed to give the attacker admin access to the web interface,” said Lyne. “From here, the attacker could exploit CVE-2019-3914.”

They could then take advantage of CVE-2019-3916, a password salt disclosure flaw, which allows an unauthenticated attacker to retrieve the value of the password salt by simply visiting a URL in a web browser.

From there, an attacker could then perform an offline dictionary attack to recover the original password. A dictionary attack is a brute-force technique for defeating an authentication mechanism by trying hundreds of likely possibilities (such as words in a dictionary) until one reproduces the captured hash, recovering the password.
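The two weaknesses just described, a login request that can be replayed (CVE-2019-3915) and a disclosed salt that enables offline guessing (CVE-2019-3916), are easiest to understand side by side. The following is an added example, not the gateway's protocol and not Tenable's code: it models a hypothetical challenge-response login in which the salted SHA-512 verifier (the construction the article names) is never sent on the wire; the server issues a one-time nonce and the client answers with an HMAC over it. The scenario function shows a genuine login succeeding and the same captured request being rejected when replayed. All names, the password and the salt are constructed for the example.

```python
import hashlib
import hmac
import secrets


def salted_sha512(password: str, salt: bytes) -> str:
    """Verifier of the kind the article describes: SHA-512 over salt + password."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


class GatewayLogin:
    """Hypothetical server side of a challenge-response admin login.

    Instead of accepting the salted hash itself as the credential (which a
    packet sniffer can capture and replay), the server hands out a one-time
    nonce and expects an HMAC over that nonce keyed with the verifier.
    """

    def __init__(self, password: str, salt: bytes) -> None:
        self.salt = salt
        self.verifier = salted_sha512(password, salt)
        self.outstanding = set()   # nonces issued and not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, nonce: str, response: str) -> bool:
        # A nonce is valid exactly once; an unknown or already-used nonce is
        # treated as a replay and rejected before any cryptographic check.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        expected = hmac.new(self.verifier.encode(), nonce.encode(),
                            hashlib.sha512).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: str) -> str:
    """Client side: derive the same verifier locally and answer the challenge."""
    verifier = salted_sha512(password, salt)
    return hmac.new(verifier.encode(), nonce.encode(), hashlib.sha512).hexdigest()


def replay_scenario(password: str = "correct horse",
                    salt: bytes = b"constructed-salt"):
    """Return (genuine_login_ok, replayed_login_ok, wrong_password_ok)."""
    server = GatewayLogin(password, salt)

    nonce = server.challenge()
    response = client_response(password, salt, nonce)
    genuine = server.login(nonce, response)        # legitimate user: accepted

    # Someone who captured (nonce, response) on the wire submits it again.
    replayed = server.login(nonce, response)       # rejected: nonce consumed

    nonce2 = server.challenge()
    wrong = server.login(nonce2, client_response("guess", salt, nonce2))
    return genuine, replayed, wrong


if __name__ == "__main__":
    print(replay_scenario())   # (True, False, False)
```

The nonce defeats replay but does nothing against the offline dictionary attack the article describes: anyone holding the salt, a nonce and its response can still test candidate passwords at SHA-512 speed, since each guess is one hash and one HMAC. Keeping the salt off unauthenticated pages, deriving the verifier with a deliberately slow KDF, and enforcing HTTPS on the administrative interface (which removes the sniffer's view of the exchange altogether) are the mitigations that address that half of the problem.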

“Security at Verizon is a top priority,” a Verizon spokesperson told Threatpost. “We were recently made aware of three vulnerabilities related to login and password information on the Broadband Home Router Fios-G1100. As soon as we were made aware of these vulnerabilities, we took immediate action to remediate them and are issuing patches. We have no evidence of abuse and there is no action required of our consumers.”

Tenable told Threatpost they disclosed the flaws to Verizon on Dec. 11, 2018. Verizon released a patch on March 13, 2019, and is in the process of auto-updating all impacted devices; however, a “small fraction” of devices still remain vulnerable.

“However, they’ve since advised that they are still working to push auto updates to a small fraction of devices,” Lyne told Threatpost. “Users are urged to confirm that their router is updated to version 02.02.00.13, and if not, contact Verizon for more information.”


This story was updated on April 9 at 10:30 a.m. with a comment from Verizon.