COMMAND

    CMX

SYSTEMS AFFECTED

    3COM CMX

PROBLEM

    The text below describes no specific bug, but rather a security  issue.
    Enjoy.
    Signal 11 posted the following.  The 3Com external cable modem  (CMX)
    allows the upstream provider to download firmware updates into  your
    cable modem.  This can be (and usually is) done without the  user's
    knowledge, and it took some digging to uncover this "feature".   The
    cable modem can also be reprogrammed via a serial port in the back.

    The ability to download firmware updates remotely into a cable  modem
    is a DOCSIS requirement (www.cablelabs.com).  The process is supposed
    to be quite automatic and seamless to the user.  It usually  takes
    place by the cable operator forcing the modems to re-register.   When
    a DOCSIS modem tries to register, it sends an ARP request which  the
    CMTS (cable modem termination system, i.e. cable router) forwards  to
    a DHCP server defined on the CMTS.  The DHCP server replies with  an
    offer, the cable modem hopefully gets it, then it asks for a
    configuration file from the TFTP server (defined in the ARP
    response).  The config file has a field about the latest  firmware
    revision.  So, if you can fake out a modem with a rogue DHCP  server
    and provide your own configuration files, then you might possibly  be
    able to upload rogue code to the modem.

    Cable operators are supposed to: assign private IPs to the  modem,
    configure trusted IPs for telnet access (not all DOCSIS modems  have
    a telnet daemon), and disable the serial interface.

    The modem authenticates the headend through the negotiation phase  of
    its boot process.  The modem scans the downstream frequency  channel
    (usually >450 MHz) until it finds a 6 MHz wide QAM (256 or  64)
    signature.  Encoded within the QAM modulation is the information  for
    the upstream channels (channel ID, frequency, frequency width,  etc.).
    The modem then ranges with the CMTS to configure the power  level.
    Once the modem has ranged, it goes through a DHCP/TFTP sequence.   The
    modem then downloads its configuration options from a file stored  on
    a TFTP server.
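    The configuration file described above is a sequence of type/length/value
    records.  As an added example (not part of the original posts), here is a
    small Python auditor that parses such a file and reports the firmware
    fields a headend would push to the modem; the TLV type numbers are assumed
    from the DOCSIS RFI specification, which the text does not cite, and the
    sample bytes are constructed.

```python
import ipaddress

TLV_PAD = 0      # single-byte padding, no length field
TLV_END = 255    # end-of-data marker, no length field
# Type numbers assumed from the DOCSIS RFI spec (not given on the page)
TLV_NET_ACCESS, TLV_SW_FILENAME, TLV_SW_SERVER = 3, 9, 21

def build_tlv(t, value):
    """Encode one type/length/value record (one-byte length)."""
    return bytes([t, len(value)]) + value

def parse_tlvs(data):
    """Split a config file into (type, value) pairs; stop at the end
    marker and raise on a truncated record."""
    records, i = [], 0
    while i < len(data):
        t = data[i]
        if t == TLV_END:
            break
        if t == TLV_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value for TLV type %d" % t)
        records.append((t, value))
        i += 2 + length
    return records

def firmware_directives(data):
    """Report what the file would make the modem load: the upgrade
    filename (TLV 9) and the TFTP server it comes from (TLV 21), so an
    operator can compare them against the values they actually serve."""
    out = {}
    for t, v in parse_tlvs(data):
        if t == TLV_SW_FILENAME:
            out["filename"] = v.decode("ascii", "replace")
        elif t == TLV_SW_SERVER and len(v) == 4:
            out["server"] = str(ipaddress.IPv4Address(v))
    return out

# Constructed sample: network access on, firmware push from 10.0.0.5
SAMPLE = (build_tlv(TLV_NET_ACCESS, b"\x01")
          + build_tlv(TLV_SW_FILENAME, b"cmx-3.0.bin")
          + build_tlv(TLV_SW_SERVER, bytes([10, 0, 0, 5]))
          + bytes([TLV_END]))
```

    Running firmware_directives over the file the TFTP server actually hands
    out, and comparing the result with the firmware image the operator
    intends to ship, shows at a glance whether the file has been tampered with.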

SOLUTION

    The 3Com CMX has a read-only serial console.  Modems like the  ubr900
    series (904 and 924) contain read/write consoles (but passwords  may
    be set).  If you purchase the modem from a vendor (not your  ISP),
    then there are no passwords.  If you get it from your ISP (and  they
    are worth their salt), it will come with a password on it.

    3COM has plenty of info about their cable modems on their site:

        http://www.3com.com/products/cablemodem/

    In fact, they even have the manuals:

        http://consumer.3com.com/cable/manual/index.html

    This so-called "firmware" is uploaded to your cable modem by  your
    cable provider with the intent of providing you the latest  features
    or bug patches.  This procedure is usually done via SNMP.  So,  one
    must be careful.