(link roto)
Details
The two issues described in this document affect the proper operation of cable modem systems. One issue results from historical behavior of cable modems not manufactured by Cisco. The other issue results from a defect in Cisco IOS Software running on a cable modem termination system (CMTS) that allows a cable modem to operate with an invalid configuration.
When a cable modem in a customer premises environment (CPE) initializes, it obtains a configuration file from the service provider's network using the Trivial File Transfer Protocol (TFTP) via a coaxial cable connection to the service provider's network. Historically, cable modems from other, non-Cisco manufacturers allow the configuration information to be downloaded via the device's Ethernet interface. By running a TFTP server on a customer premises computer and setting that computer's IP address equal to the service provider's TFTP server, a different configuration file can be downloaded to such a cable modem from the customer premises network.
The industry-standard Data Over Cable Service Interface Specification (DOCSIS) for cable modem configuration information includes a Message Integrity Check (MIC) based on a Message Digest 5 (MD5) hash of the contents of the configuration. MD5 is a one-way (non-invertible) hash—meaning that the input cannot be recovered from the output—and the output is considered unique for a specific input. If the MIC is not correct, the cable modem registration process fails and it will not be allowed to come on line. Publicly available tools exist to create a DOCSIS-compliant configuration, including a valid MIC. The cable shared-secret command in Cisco IOS Software configures a password that is included in the MD5 hash that produces the MIC; without the password, it is computationally infeasible to produce the correct matching MIC, and the cable modem is prevented from registering with the service provider's network.
If the shared secret is configured identically on all of the systems within a service provider's network and TFTP spoofing is possible as shown above, then other valid configurations containing different parameters for the same service provider network can be interchanged and downloaded to a cable modem. The modem will be allowed to come on line because the shared secret is the same. In addition, while the MD5 hash is non-invertible, the shared secret to compute it can be recovered from the CMTS router configuration. It can be protected by using the "service password-encryption" command in Cisco IOS Software, but the command uses "mode 7" encryption, which is considered adequate only for basic protection from casual viewing.
A defect in Cisco IOS Software for the uBR7200 and uBR7100 series Universal Broadband Routers causes the MD5 test to be skipped if an MIC is not provided in the DOCSIS configuration file. A DOCSIS configuration can be modified with a hex editor to truncate the file just before the MIC and adjust other fields to produce an invalid configuration file that will be accepted by the cable modem and the CMTS. When the cable modem attempts to register, a vulnerable CMTS fails to challenge the missing MIC and allows the cable modem to come on line. Using this vulnerability, the range of possible configurations is no longer restricted to a small alternative set for the same service provider; a completely custom configuration can be generated in which all of the options can be specified. This defect is documented as CSCdx72740, and details are available to registered users of the Cisco website.
The Cisco IOS Software configuration command cable tftp-enforce prohibits a cable modem from registering and coming on line if there is no matching TFTP traffic through the CMTS preceding the registration attempt. This feature has been introduced via CSCdx57688 and can be viewed by registered users of the Cisco website. This new command is available on the uBR10012 router as well as the uBR7200 and uBR7100 series.
Both the cable tftp-enforce command feature and the fix for the MD5 authentication bypass are necessary to properly mitigate these vulnerabilities, and Cisco is making fixed software available as shown below.
Some non-Cisco cable modems may be running older versions of software that save a local copy of the configuration information and use that cached copy at registration time instead of obtaining the actual file from a TFTP server. In addition to the possibility that the cable modem is not using the proper configuration information, the cable modem's user may be mistakenly accused of attempting theft of service.
Impact
These vulnerabilities can be exploited to commit theft of service. For example, an attacker could obtain a basic level of service from a service provider and then exploit these vulnerabilities to reconfigure the CPE cable modem to provide greater upstream and downstream data rates. Thus the attacker obtains premium service at a basic cost.
Removing limits on bandwidth could result in a denial of service or degradation of performance for other users of the same cable network segment.
Workarounds
There is no workaround for the MD5 bypass vulnerability. Customers are strongly encouraged to use the cable tftp-enforce command, deploy a shared-secret scheme and change the secret routinely, and monitor CMTS routers for evidence of tampering with bandwidth restrictions.
If the service provider has only one service profile, then the cable qos permission enforce command can be used to prevent cable modems from coming on line with a configuration containing any other service profile. This command is effective in all releases where it is supported.
The no cable qos permission modem command prevents a configuration with a new service profile from being created. This would restrict service theft to service profiles from known, pre-existing configuration files on the service provider's TFTP server, assuming the file names could be guessed and the server could be reached.
..........
