COMMAND

    HSMP

SYSTEMS AFFECTED

    Hybrid Network's cable modems

PROBLEM

    Following is  based on  KSR[T] Advisories  #012: Hybrid  Network's
    Cable.   Remote attackers  can anonymously  reconfigure any Hybrid
    Network's cable modem that is running  HSMP.  This can be used  to
    steal information and login/password pairs from cable modem users.

    Hybrid Network's cable  modems can be  configured via a  UDP based
    protocol  called  HSMP.   This  protocol  does  not  require   any
    authentication to  perform configuration  requests.   Since UDP is
    easily spoofed, configuration changes can be made anonymously. There
    are  a  plethora  of  denial  of  services  attacks  involving bad
    configuration settings (ethernet interfaces set to non-routable IP
    addresses, et al).   HSMP can also  be used to  configure the  DNS
    servers used by cable modem users, allowing attackers to  redirect
    cable  modem  subscribers  to  a  trojan  site.   More complex and
    theoretical  attacks  could  involve  the  running  of actual code
    through  the  debugging  interface.    This  might  allow   remote
    attackers to deploy ethernet sniffers on the cable modem.

    KSR[T] found this vulnerability in parallel with Paul S. Cosis
    and the l0pht.

    KSR[T] had initially written a demonstration HSMP client which  is
    located at:

        http://www.ksrt.org/ksrt-hsmp.tar.gz

    There is also another HSMP client located at:

        http://www.larsshack.org/sw/ccm/

    l0pht modified  the above  client and  added the  ability to spoof
    the source address, allowing for the anonymous reconfiguration  of
    Hybrid cable modems.  Their client is located at:

        http://c0re.l0pht.com/~sili/ccm-spoof.tar.gz

SOLUTION

    Cable providers should block out HSMP traffic (7777/udp) on  their
    firewalls.  Lars Kellogg-Stedman, the author of the above program,
    added the following.  He brought this to RCN's attention back  in
    April of 1999.  The RCN folks spoke to the Hybrid folks, but nothing
    came of it.  (RCN is a cable/cable modem/telephone provider out here
    in MA [and elsewhere in the northeast].)
    After speaking with RCN about the problem, he was told that due to
    the configuration of their network, they were unable to  implement
    a  block  that  would  be  effective  against machines on the same
    cable segment.   In this case,  port blocking offers  only limited
    security -- even with HSMP  blocked at the organization level,  it
    may still be  possible to exploit  other security issues  and gain
    access to a machine on  your favorite local segment and  work from
    there.
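    As an added example (not part of the advisory, and not code from any
    of the clients linked above), the following Python script shows the
    defensive side of the SOLUTION section.  It reads constructed
    firewall-style flow records, picks out UDP traffic to 7777/udp, and
    separates what an edge block can stop from what it cannot: packets
    already on the cable segment (the limitation Lars describes), and
    packets arriving on the external interface whose source address
    claims to be inside the segment, which is the UDP spoofing the
    advisory warns about and the reason ingress filtering matters.  The
    log format, the interface names eth0/cable0 and the 10.20.30.0/24
    segment are assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

HSMP_PORT = 7777  # UDP port named in the advisory

# Constructed sample flow records (hypothetical format, not a real capture).
# Fields: timestamp, ingress interface, protocol, src:port -> dst:port.
# The cable segment is assumed to be 10.20.30.0/24 and eth0 the upstream side.
SAMPLE_LOG = """\
1999-05-02T10:11:12 in=cable0 UDP 10.20.30.40:1034 -> 10.20.30.1:7777
1999-05-02T10:11:13 in=eth0 UDP 198.51.100.7:40000 -> 10.20.30.1:7777
1999-05-02T10:11:14 in=eth0 UDP 10.20.30.55:1035 -> 10.20.30.1:7777
1999-05-02T10:11:15 in=cable0 TCP 10.20.30.40:1036 -> 203.0.113.9:80
1999-05-02T10:11:16 in=cable0 UDP 10.20.30.41:1037 -> 10.20.30.1:53
garbage line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+in=(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Finding:
    ts: str
    iface: str
    src: str
    dst: str
    verdict: str


def classify(lines, segment, external_ifaces):
    """Return (findings, skipped) for HSMP traffic in the given records.

    segment        -- CIDR of the local cable segment (e.g. "10.20.30.0/24")
    external_ifaces -- set of interface names facing the outside world

    Verdicts:
      external-blockable         -- from outside; an edge 7777/udp block stops it
      spoofed-internal-source    -- arrived on an external interface but claims
                                    a source inside the segment (UDP spoofing);
                                    ingress (anti-spoof) filtering would drop it
      same-segment-not-blockable -- originated on the cable segment itself; an
                                    edge block cannot help, per the advisory
    """
    net = ipaddress.ip_network(segment)
    findings = []
    skipped = 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            skipped += 1  # malformed record: count it rather than crash
            continue
        if m["proto"] != "UDP" or int(m["dport"]) != HSMP_PORT:
            continue  # not HSMP traffic
        src = ipaddress.ip_address(m["src"])
        on_external = m["iface"] in external_ifaces
        if on_external and src in net:
            verdict = "spoofed-internal-source"
        elif on_external:
            verdict = "external-blockable"
        else:
            verdict = "same-segment-not-blockable"
        findings.append(Finding(m["ts"], m["iface"], m["src"], m["dst"], verdict))
    return findings, skipped


def summarize(findings):
    """Count findings per verdict so an operator sees at a glance how much
    HSMP traffic the edge block covers and how much it does not."""
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    found, bad = classify(SAMPLE_LOG.splitlines(), "10.20.30.0/24", {"eth0"})
    for f in found:
        print(f"{f.ts} {f.iface:7} {f.src:>15} -> {f.dst:<12} {f.verdict}")
    print("summary:", summarize(found), "unparsed:", bad)
```

    Run against the constructed sample, the three HSMP records come out
    one per verdict.  The same-segment record is the case the advisory
    says port blocking cannot address, which is why the summary keeps
    that count separate from the traffic the firewall rule does cover.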