
ARRIS SURFboard 6141 Modem Denial Of Service

Posted Apr 5, 2016
Authored by David Longenecker

ARRIS SURFboard 6141 broadband cable modems suffer from a cross site request forgery vulnerability that allows an attacker to force a reboot.

tags | advisory, csrf
SHA-256 | 9919da43c3cb5ad16850859eff7c17f749d065dc0e9c43a20adad79eb378fda3

ARRIS (formerly Motorola) SURFboard 6141 broadband cable modems, with the
latest firmware deployed by Time Warner Cable, have a LAN-side web UI at
a fixed IP address that does not require authentication. The UI has a cross
site request forgery vulnerability through which it is possible to reboot
the modem with one click.

It is also possible to factory reset the modem with a simple
unauthenticated URL. This causes a longer outage while the modem
renegotiates with the ISP - which can in certain cases even require calling
the ISP to initiate the reactivation.

The vendor describes the SB6141 as the "#1 selling modem," with over 135
million units sold. However, MITRE informed me that this product line is
currently not in scope for CVE assignment, so there is no CVE identifier for
these vulnerabilities.

The following proof of concept website includes the reboot command as the
src attribute to an img tag. As such, VISITING THIS POC LINK WILL REBOOT
THE LOCAL CABLE MODEM:

http://RebootMyModem.net

Caveats: this flaw affects the consumer-oriented, LAN-side administrative
interface, which only supplies diagnostic data and logs, along with reboot
and factory reset functions. This is NOT the ISP-oriented, WAN-side
interface. This has been demonstrated on a SURFboard 6141 modem running
SB_KOMODO-1.0.6.14-SCM01-NOSH, the current firmware deployed to Time Warner
Cable customers. Other models and other ISPs may or may not have the same
design flaw.

Details, screen shots of the UI as it is intended to be used, suggested
iptables rules to limit exposure, and a complete disclosure timeline are at
the following link (without exploitation):

http://www.securityforrealpeople.com/rebootmymodem


Regards,
David Longenecker

Connect: Blog <http://securityforrealpeople.com/> | @dnlongen
<https://www.twitter.com/dnlongen> | LinkedIn
<https://www.linkedin.com/in/dnlongen/>
PGP key: https://keybase.io/dnlongen
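
A defender-side check for the pattern described above, as an added example that is not part of the original advisory: it scans a page's HTML for tags that make the browser fetch from a private, loopback or link-local IP literal while the page itself is served from elsewhere. The sample page, the address 192.168.0.1 and the placeholder paths are constructed for illustration and are not the modem's real address or URLs.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs a browser fetches on page load, with no click needed.
AUTO_FETCH = {("img", "src"), ("script", "src"), ("iframe", "src"),
              ("embed", "src"), ("link", "href")}

def is_internal(host):
    """True for IP literals in private, loopback or link-local space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # DNS names are not resolved here (offline check); only localhost counts.
        return host == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local

class InternalFetchFinder(HTMLParser):
    """Collects auto-fetched URLs that point a public page at internal hosts."""
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname or ""
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in AUTO_FETCH or not value:
                continue
            host = urlparse(value).hostname  # None for relative URLs
            # Only flag when the embedding page is itself not internal.
            if host and is_internal(host) and not is_internal(self.page_host):
                self.findings.append((tag, name, value))

def find_internal_fetches(page_url, html):
    """Return (tag, attribute, url) for each cross-site fetch to an internal IP."""
    finder = InternalFetchFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample input; hosts and paths are placeholders.
SAMPLE_URL = "http://public-site.example/article.html"
SAMPLE_HTML = """<html><body>
<img src="/static/logo.png">
<img src="https://cdn.example.net/banner.png">
<img src="http://192.168.0.1/PLACEHOLDER-state-changing-path" width="1">
<a href="http://10.0.0.1/">router help</a>
<iframe src="//10.0.0.1/PLACEHOLDER"></iframe>
</body></html>"""
```

The same test can run in a filtering proxy or crawler; it misses DNS names that resolve to internal addresses, which need resolution at request time.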

