Thousands of Home Modems Vulnerable to Credential-Stealing


In all of the cases, the devices allow the extraction of user authentication data via the read-only community string of public information.

Rapid7 researchers Matthew Kienow and Deral Heiland were performing a casual investigation of public information revealed by SNMP on embedded appliances for a talk at CarolinaCon. They found that most devices exposed information via SNMP but that it would be classified as benign or public. But for the Brocade load-balancer and certain home routers/modems from Ubee and Motorola, the information can be used to wreak havoc for users.

While exploits haven’t been developed (yet) to the security community’s knowledge, Metasploit auxiliary modules have already been developed for extraction of data from the devices.

The Brocade ServerIron ADX 1016-2-PREM, TrafficWork Version 12.5.00T403 application load balancer stores usernames and password hashes within the SNMP MIB tables at certain OID indexes. Moreover, it has SNMP enabled by default, and the community string “public” is configured by default. Unless SNMP is disabled, or the public community string is changed, an attacker can easily extract the password hashes for an offline brute-force attack.

On the consumer front, Ubee’s Ambit U10C019 and Ubee DDW3611 series of cable modems store user names and passwords along with security IDs and the SSIDs for the devices within the SNMP MIB tables. While SNMP is not enabled on these devices by default, a number of cable providers that utilize Ubee devices enable SNMP with the community string of “public” on the uplink side of the cable modem for remote management purposes, making it possible in those cases to access the data over the Internet.

Meanwhile, Rapid7 said that Motorola’s Netopia 3347 series of DSL modems store security keys and the SSIDs within the SNMP MIB tables, and SNMP is enabled by default with the community string of “public” on the internal interface of this product. The DSL side is not enabled by default, but as with the other modems, a number of DSL providers that still utilize the Netopia 3347 series devices enable SNMP with the community string of “public” on the uplink side of the DSL for remote management purposes, also making it possible in those cases to access the data over the Internet.

The modems are rather common, too: Rapid7 discovered there to be 229,409 Ubee/Ambit devices exposed to the Internet, and 224,544 of the Netopia devices. Out of those, 187,000 appear to be in the United States. These are end-of-life devices, which means that firmware updates to address the insecure defaults are unlikely to appear.

“For the modem/routers, you might have one of these at a remote office, warehouse, guest Wi-Fi network, water treatment plant, etc.,” the researchers wrote in an analysis. “They are quite common in office and industrial environments where IT doesn't have a strong presence.”

While it can certainly be argued that information disclosure vulnerabilities are simple to resolve and largely the result of poor system configuration and deployment practices, “the fact remains that these issues can be exploited to gain access to sensitive information,” they wrote. “In practice, the low-hanging fruit are often picked first.”
