Updated: A vulnerability in Broadcom's cable modem firmware has left as many as 200 million home broadband gateways in Europe, and potentially more worldwide, at risk of remote hijackings.

Four Danish researchers have demonstrated how a miscreant could exploit the hole, CVE-2019-19494, in the wild: essentially, a victim is tricked into opening a webpage or similar containing malicious JavaScript. This code subsequently connects to the web server built into the vulnerable modem on the local network. The script then alters the contents of the modem's processor registers, by overwriting the stack, to redirect execution to malware smuggled in with the request.

At that point, the code can attempt miscreant-in-the-middle attacks, manipulate the firmware, change DNS settings to redirect connections to phishing pages, snoop on traffic, launch distributed denial-of-service assaults, and so on. A DNS rebinding technique is needed during the infection to bypass browser security mechanisms. This involves the script connecting to what the browser thinks is a legit internet-facing system, but the address actually resolves to the local IP address for the modem.
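The rebinding step described above works because a hostname the browser trusts as internet-facing is re-resolved to the modem's LAN address, so the same-origin policy no longer separates the two. The following Python is an added defensive example, not code from the article or from the Lyrebirds researchers: it shows the two checks that blunt this technique, a resolver-side filter that refuses answers where an internet-style name resolves to an internal address (the same idea as dnsmasq's --stop-dns-rebind), and a server-side Host header check that a LAN device's web server can apply. The hostnames and addresses in SAMPLE_ANSWERS are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample DNS answers (hypothetical names and addresses, not from the article).
SAMPLE_ANSWERS: List[Tuple[str, str]] = [
    ("cdn.example.net", "93.184.216.34"),   # ordinary public answer
    ("cdn.example.net", "192.168.100.1"),   # same public name now re-bound to a LAN address
    ("router.local", "192.168.0.1"),        # local name, local address: expected
    ("ads.example.org", "127.0.0.1"),       # public name pointing at loopback
]

# Suffixes we treat as legitimately local; anything else is an internet-style name.
LOCAL_SUFFIXES = (".local", ".lan", ".home", ".internal")

# Carrier-grade NAT space is not covered by ipaddress.is_private on older Pythons,
# so it is checked explicitly.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def is_internal_address(addr: str) -> bool:
    """True for addresses an internet-style hostname should never resolve to:
    RFC 1918, loopback, link-local, CGNAT and the unspecified address."""
    ip = ipaddress.ip_address(addr)
    return (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_unspecified
        or (ip.version == 4 and ip in CGNAT)
    )


def is_local_name(name: str) -> bool:
    """Single-label names and names under a local suffix may legitimately
    resolve to internal addresses."""
    n = name.lower().rstrip(".")
    return "." not in n or n.endswith(LOCAL_SUFFIXES)


@dataclass
class RebindAlert:
    name: str
    address: str


def find_rebinding_answers(answers: Iterable[Tuple[str, str]]) -> List[RebindAlert]:
    """Resolver-side filter: flag (and in a real resolver, drop) any answer where
    an internet-style hostname maps to an internal address."""
    alerts = []
    for name, addr in answers:
        if not is_local_name(name) and is_internal_address(addr):
            alerts.append(RebindAlert(name, addr))
    return alerts


def host_header_allowed(host_header: str, allowed_hosts: Iterable[str]) -> bool:
    """Server-side check for a LAN device's web server: only answer requests whose
    Host header names the device itself (its address or a configured hostname).
    A rebound request still carries the attacker's public name in Host, so it is refused."""
    host = host_header.split(":", 1)[0].strip().lower().rstrip(".")
    return host in {h.lower().rstrip(".") for h in allowed_hosts}


if __name__ == "__main__":
    for alert in find_rebinding_answers(SAMPLE_ANSWERS):
        print(f"rebinding suspected: {alert.name} -> {alert.address}")
    print(host_header_allowed("cdn.example.net", ["192.168.100.1"]))
```

The resolver filter is the one an ISP or home router can deploy without touching modem firmware; the Host header check is the fix a device vendor would add to the embedded web server, and either one on its own breaks the rebinding step.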

The end result, the team says, is that crooks can remotely take over vulnerable Broadcom-based cable modems without netizens or ISPs realizing; the victim simply has to surf to a dodgy website, or similar. The method is a little fiddly to pull off, we note, so crooks may not bother with it.

Dubbed Cable Haunt, and accompanied with a logo, for marketing purposes, the flaw was found by Alexander Dalsgaard Krog, Jens Hegner Stærmose, and Kasper Kohsel Terndrup from security company Lyrebirds, along with indie researcher Simon Vandel Sillesen.

"The attack can be executed by having the victim run malicious JavaScript," the team explained. "A common avenue of attack would be a link that is opened in a browser, but could for example, also be done through ads on a trusted website or insecure email clients."

The modem's spectrum analyzer tool, which is part of the Broadcom-supplied stack, is exploited as part of the attack to gain code execution: a specially crafted JSON payload sent to the software can overwrite the CPU registers, leading to arbitrary memory manipulation and code execution.


At this point, it's game over for the modem. An attacker can do pretty much anything they want.

The team said the vulnerability affects cable modems running chipset designer Broadcom's software on the open-source Embedded Configurable Operating System (eCos), and fears that in Europe alone as many as 200 million modems may be vulnerable, though it is not certain.

"The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modem manufacturers when creating their cable modem firmware," the crew explained. "This means that we have not been able to track the exact spread of the vulnerability, and that it might present itself in slightly different ways for different manufacturers."

Broadcom has yet to respond to a request for comment on the report. You can find a list of known affected broadband gateway models here. ®

Updated to add

A spokesperson for Broadcom told us on Monday: "We have made the relevant fix to the reference code and this fix was made available to customers in May 2019."

We asked Broadcom whether this update was widely deployed. The Cable Haunt team were able to compromise a bunch of Sagemcom, Netgear, Technicolor, and Compal models shipping to broadband subscribers, we note. Broadcom declined to comment.

We also asked the researchers whether the chip slinger's fix in May last year fully addressed the discovered vulnerability. They told us:

We have heard from Broadcom that they updated their reference software around that time, and we have no reason to believe otherwise. However, we do not have access to this code or the previous version. We have only been able to see the binary firmware which the manufacturers deploy, so we cannot confirm it. Due to the nature of reference software, it is not necessarily easily forwarded to the manufacturers, and we have no way of knowing for sure if a manufacturer updated with the reference software or of their own accord. We have not been able to get any worthwhile estimates of the units actually affected worldwide; however, we are getting hundreds of emails from users reporting their modem vulnerable, and are constantly updating our website with this information.

ISPs TDC and Stofa in Denmark, Get AS and Telia in Norway, Com Hem / Tele2 in Sweden, and NetCologne / NetAachen in Germany are said to have pushed or are in the process of pushing necessary security fixes to their cable modems, or their equipment is not affected because it doesn't use Broadcom's tech.