Millions of Verizon routers are affected by a command injection flaw that could allow an attacker to gain full control of the device. The flaw affects Fios Quantum Gateway routers and is one of three vulnerabilities that have been addressed by Verizon in the latest version of its firmware.
The most serious flaw, tracked as CVE-2019-3914, has been assigned a CVSS v3 base score of 8.5 and affects the API backend of the router. If exploited, an unauthenticated individual could run arbitrary commands on a vulnerable router with root privileges. The attacker could also see what devices are connected to the router. An attack could be carried out remotely if remote administration is enabled on the router.
To exploit the flaw, an attacker would have to add an access control rule with a crafted host name on the router. The flaw is not easy to exploit as it would first be necessary to obtain credentials for the router’s web interface.
To do that, physical access to the device would be required. The login information is printed on the routers. An alternative method of attack would be to use phishing or social engineering methods to fool a user into disclosing their credentials, such as by pretending to be a member of the Verizon tech support team.
Once access to the router is gained, an attacker could change the security settings and firewall rules. It would also be possible to intercept network traffic and obtain sensitive information, such as online banking credentials.
The vulnerability is one of three flaws that were discovered by researchers at Tenable in December 2018. The other vulnerabilities are CVE-2019-3915 and CVE-2019-3916, which have CVSS v3 scores of 6.5 and 4.3 respectively.
CVE-2019-3915 could be exploited to intercept login requests using a packet sniffer, which could be replayed to give an attacker access to the web interface. That would allow CVE-2019-3914 to be exploited.
Once access to the router is gained, CVE-2019-3916 could be exploited, which is a password salt disclosure flaw. The attacker could obtain the value of the password salt by visiting a URL in a web browser and could then conduct a dictionary attack to determine the decryption key.
All of the vulnerabilities were patched on March 13, 2019 but some routers are still vulnerable. Verizon is now pushing the firmware update out to all vulnerable devices.
Users of the routers have been advised to check that their router is running the latest version of the firmware – 02.02.00.13 – and to get in touch with Verizon support if their router is running an earlier version of the firmware.