A flaw in Orange Livebox ADSL modems allows remote, unauthenticated users to obtain the device’s SSID and WiFi password with a simple GET request.
Troy Mursch at Bad Packets said that the company’s honeypots observed a GET request scan right before Christmas targeting the modems, which are used to provide home internet service by Orange Espana in Spain. Further investigation showed that the flaw (CVE-2018-20377) allows a GET request to “/get_getnetworkconf.cgi” to return the Orange Livebox modem’s WiFi credentials in plaintext.
Mursch referred the issue to Orange Espana, Orange-CERT and CCN-CERT for further investigation and remediation – Orange-CERT said that it was looking into it.
A query to the Shodan internet of things search engine found 19,490 Orange Livebox modems leaking their WiFi credentials in plaintext. Worse, many of these are using the same password to administer the device (password reuse), and more than a handful are using the factory default passwords, according to Bad Packets.
Once an attacker has the WiFi information, he or she can easily access the device and maliciously modify the device settings or firmware.
“Poorly secured Livebox modems enable remote users to view the customer’s phone number, the name/MAC address of all connected clients … and conduct other serious exploits detailed in this GitHub repository,” Mursch wrote in a post this week.
Further, the initial scan detected by the Bad Packets honeypots came from an IP address belonging to a Telefonica Spain customer, indicating that this particular presumed attacker would be local.
“While we can only guess what the motive was behind these scans, it’s interesting to find the source is physically closer to the affected Livebox ADSL modems than say a threat actor in another country,” Mursch said. “This could allow them to connect to the WiFi network (SSID) if they were near one of the modems indexed by their scans.”
Orange Livebox Arcadyan ARV7519 modem firmware versions 00.96.00.96.613, 00.96.00.96.609ES, 00.96.321S and 00.96.217 are affected by the flaw; 00.96.00.96.613E is immune, according to Bad Packets.
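The scan described above, a GET request to “/get_getnetworkconf.cgi”, can be picked out of web server or honeypot access logs. The following Python script is an added example, not code from Bad Packets or Orange; it assumes logs in the common/combined access-log format, its function names are hypothetical, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Path named in the article for CVE-2018-20377.
PROBE_PATH = "/get_getnetworkconf.cgi"

# Assumed format: ip - - [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def normalize(target):
    """Reduce a request target to a comparable path (a detection choice, not device behaviour)."""
    if target.lower().startswith(("http://", "https://")):
        target = urlsplit(target).path      # absolute-form request target
    path = target.split("?", 1)[0]          # drop the query string
    path = unquote(path)                    # undo %xx encoding
    path = re.sub(r"/{2,}", "/", path)      # collapse repeated slashes
    return path.lower()

def find_probes(lines):
    """Return {source_ip: [(timestamp, status), ...]} for requests to PROBE_PATH."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and normalize(m["target"]) == PROBE_PATH:
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def answered(hits):
    """Source IPs that received a 200, i.e. a response that may have carried the config."""
    return sorted(ip for ip, reqs in hits.items() if any(s == 200 for _, s in reqs))

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:04:12:09 +0000] "GET /get_getnetworkconf.cgi HTTP/1.1" 200 412',
    '198.51.100.7 - - [01/Jan/2024:04:12:11 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.20 - - [01/Jan/2024:05:01:44 +0000] "GET //get_getnetworkconf%2Ecgi?x=1 HTTP/1.1" 404 0',
    '192.0.2.55 - - [01/Jan/2024:06:30:00 +0000] "GET /GET_getnetworkconf.cgi HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    hits = find_probes(SAMPLE)
    for ip, reqs in hits.items():
        print(ip, reqs)
    print("received a 200:", answered(hits))
```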