Over 19,000 Orange Livebox ADSL modems are leaking their WiFi credentials

On Friday, December 21, 2018, our honeypots observed an interesting scan consisting of a GET request for /get_getnetworkconf.cgi. Upon further investigation, we found this traffic was targeting Orange Livebox ADSL modems. A flaw exists in these modems that allows remote unauthenticated users to obtain the device’s SSID and WiFi password.

curl request to an affected Orange Livebox ADSL modem
A simple GET request to “/get_getnetworkconf.cgi” will reveal the Orange Livebox modem’s WiFi credentials in plaintext.

To assess the number of devices vulnerable to this flaw, we obtained a list of Orange Livebox modems from Shodan.

Of the 30,063 IPv4 hosts found, our scans revealed:

  • 19,490 leaking their WiFi credentials (SSID/password) in plaintext
  • 2,018 not leaking any information, but still exposed to the internet
  • 8,391 not responding to our scans

Many of the devices found to be leaking their WiFi password use the same password to administer the device (password reuse) or have not configured any custom password – so the factory default “admin/admin” credentials are still applied.

Example Livebox modem status page
Poorly secured Livebox modems enable remote users to view the customer’s phone number, the name/MAC address of all connected clients, and more.

This allows any remote user to easily access the device and maliciously modify the device settings or firmware. In addition, they can obtain the phone number tied to the modem and conduct other serious exploits detailed in this GitHub repository.

Unsurprisingly, the vast majority of affected devices were found to be on the network of Orange Espana (AS12479).

Total affected Livebox modems

Initial scan source

The initial scan for Orange Livebox modems came from 81.38.86.204

The initial scan detected by our honeypots came from 81.38.86.204, which is an IP address associated with a Telefonica Spain customer. While we can only guess at the motive behind these scans, it’s interesting that the source is physically closer to the affected Livebox ADSL modems than, say, a threat actor in another country. This could allow them to connect to the WiFi network (SSID) if they were near one of the modems indexed by their scans.
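Defenders can look for the same probe in their own web server or honeypot logs. The following is an added example, not code from the original post: it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path named in the post; the log format and all names below are assumptions.
TARGET_PATH = "/get_getnetworkconf.cgi"

# Common/combined access log format (assumed input format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_probe(target: str) -> bool:
    """True if the request target is the CGI path. Matching is deliberately
    loose: query string, percent-encoding, repeated slashes and case are ignored."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path).lower()
    return path == TARGET_PATH

def summarize(lines):
    """Return {source_ip: {"hits": n, "answered": n}}. 'answered' counts 200
    responses with a non-empty body, i.e. requests that may have disclosed data."""
    out = defaultdict(lambda: {"hits": 0, "answered": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_probe(m["target"]):
            continue  # unparseable line or unrelated request
        rec = out[m["src"]]
        rec["hits"] += 1
        if m["status"] == "200" and m["size"] not in ("-", "0"):
            rec["answered"] += 1
    return dict(out)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [21/Dec/2018:10:00:01 +0000] "GET /get_getnetworkconf.cgi HTTP/1.1" 404 0 "-" "curl/7.58.0"',
    '192.0.2.10 - - [21/Dec/2018:10:00:05 +0000] "GET //get_getnetworkconf.cgi?x=1 HTTP/1.1" 200 96 "-" "-"',
    '198.51.100.7 - - [21/Dec/2018:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Dec/2018:10:02:00 +0000] "GET /GET_getnetworkconf%2Ecgi HTTP/1.0" 200 - "-" "-"',
    'not an access log line',
]

if __name__ == "__main__":
    for src, rec in summarize(SAMPLE).items():
        print(src, rec)
```

Any source with a non-zero `answered` count received a 200 response with a body, so the WiFi password of that device should be treated as exposed and changed.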

Closing remarks

Due to the sensitive nature of this flaw, the IP addresses of affected Orange Livebox ADSL modems will not be published; however, the list is freely available for law enforcement and CERT teams to review. We’ve shared our findings directly with Orange Espana, Orange-CERT, and CCN-CERT for further investigation and remediation.

Update 4:00 AM PT: Orange-CERT has acknowledged our report and is investigating further.

Update 6:00 PM PT: CVE-2018-20377 has been assigned for the flaw described in this post.

Update 2018-12-25: These Orange Livebox Arcadyan ARV7519 modem firmware versions appear to be patched against the “/get_getnetworkconf.cgi” flaw that leaks WiFi credentials:

  • 00.96.00.96.713D
  • 00.96.00.96.613E
  • 00.96.807
  • 00.96.322

These versions are not patched and remain vulnerable to CVE-2018-20377:

  • 00.96.00.96.613
  • 00.96.00.96.609ES
  • 00.96.321S
  • 00.96.217

Update 2018-12-29: Nearly 15,000 Orange Livebox Arcadyan ARV7519 modems have been patched against CVE-2018-20377.

9 Replies to “Over 19,000 Orange Livebox ADSL modems are leaking their WiFi credentials”

  1. From my recent testing, the WAN side is blocked by firewall ACL, so you will NOT be able to get information remotely. Therefore any attack is useless.

    I bet the screenshots in this page were taken by connecting locally (which is not an attack).

    I don’t see any risk here, nor anything exploitable. The router remains protected.
