On Friday, December 21, 2018, our honeypots observed an interesting scan consisting of a GET request for /get_getnetworkconf.cgi. Upon further investigation, we found this traffic was targeting Orange Livebox ADSL modems. A flaw exists in these modems that allow remote unauthenticated users to obtain the device’s SSID and WiFi password.
To assess the amount of devices vulnerable to this flaw, we obtained a list of Orange Livebox modems from Shodan.
Of the 30,063 IPv4 hosts found, our scans revealed:
- 19,490 leaking their WiFi credentials (SSID/password) in plaintext
- 2,018 not leaking any information, but still exposed to the internet
- 8,391 not responding to our scans
Many of the devices found to be leaking their WiFi password use the same password to administer the device (password reuse) or have not configured any custom password – so the factory default “admin/admin” credentials are still applied.
This allows allow any remote user to easily access the device and maliciously modify the device settings or firmware. In addition, they can obtain the phone number tied to the modem and conduct other serious exploits detailed in this Github repository.
Unsurprisingly, the vast majority of affected devices were found to be on the network of Orange Espana (AS12479).
Initial scan source
The initial scan detected by our honeypots came from 18.104.22.168 which is an IP address associated to a Telefonica Spain customer. While we can only guess what the motive was behind these scans, it’s interesting to find the source is physically closer to the affected Livebox ADSL modems than say a threat actor in another country. This could allow them to connect to the WiFi network (SSID) if they were near one of the modems indexed by their scans.
Due to the sensitive nature of this flaw, the IP addresses of affected Orange Livebox ADSL modems will not be published publicly, however is freely available for law enforcement and CERT teams to review. We’ve shared our findings directly with Orange Espana, Orange-CERT, and CCN-CERT for further investigation and remediation.
Update 4:00 AM PT: Orange-CERT has acknowledged our report and is investigating further.
Update 6:00 PM PT: CVE-2018-20377 has been assigned for the flaw described in this post.
Update 2018-12-25: These Orange Livebox Arcadyan ARV7519 modem firmware versions appear to be patched against the “/get_getnetworkconf.cgi” flaw that leaks WiFi credentials:
These versions are not and are vulnerable to CVE-2018-20377:
Prior to December 25, over 19,000 Orange Livebox Arcadyan ARV7519 modems were vulnerable to CVE-2018-20377.
— Bad Packets Report (@bad_packets) December 29, 2018