usd-2021-0010 | Vodafone Station

Advisory ID: usd-2021-0010
Product: Vodafone Station
Affected Version: Firmware version: 01.02.068.11.EURO.SIP
Vulnerability Type: Improper Access Control
Security Risk: Medium (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Vendor URL: https://www.vodafone.de/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed

Description

The Vodafone Station is a home Internet router distributed by Vodafone GmbH and manufactured by ARRIS Group, Inc. A broken access control vulnerability in the management web interface of the Vodafone Station allowed an attacker with access to the router's network to disable, without authentication, the Transport Layer Security (TLS) encryption used for communication between the router's web interface and a web browser. As a consequence, the management interface could no longer be reached over an encrypted connection, forcing a legitimate user to fall back to the unencrypted protocol. This means that data such as user credentials is transferred without encryption and can therefore be intercepted within the network.

Proof of Concept

The request for disabling TLS-encrypted communication can be triggered using a simple curl command. To disable the TLS encryption for the router's web interface, the value HttpsEnable needs to be set to false. The request is answered with the string "PASS". For a router with the IP address 192.168.0.1 the request looks as follows:

$ curl 'http://192.168.0.1/php/ajaxSet_settings_device_data.php?_n=12354' --data-raw '{"LedEnable":"false","HttpsEnable":"false","Action_Select":"storeDeviceData"}'
"PASS"

Fix

It is recommended to restrict access to sensitive functions or information by default. Required access privileges should be granted explicitly by a global access control mechanism. This is already implemented for most parts of the application and was adjusted for this functionality as well.
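The following is an added example written for this advisory; it is not code from Vodafone, ARRIS or the router firmware, and the names (Request, HANDLERS, dispatch_per_handler, dispatch_global_gate, the session tokens) are assumptions. It contrasts the two patterns described in the Fix section: authentication checked inside each handler (where one forgotten check, here storeDeviceData, lets an unauthenticated LAN client set HttpsEnable to false) against a global, deny-by-default gate in front of all handlers that only an explicit allowlist of public actions bypasses. The request body is the one from the proof of concept above.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Actions that may legitimately be called without a session (assumption:
# a single read-only status call used by the login page).
PUBLIC_ACTIONS = {"getLoginStatus"}

# Constructed: the one valid session token used in this demo.
VALID_SESSIONS = {"tok-admin-1"}

# Request body from the advisory's proof of concept.
POC_BODY = '{"LedEnable":"false","HttpsEnable":"false","Action_Select":"storeDeviceData"}'


@dataclass
class Request:
    body: str                          # raw JSON body as sent by the browser / curl
    session_token: Optional[str] = None  # session cookie value, None if absent


def default_state():
    # Device settings as they would be read from the router's config store.
    return {"HttpsEnable": True, "LedEnable": True}


def is_authenticated(req):
    return req.session_token in VALID_SESSIONS


def store_device_data(params, state):
    # Applies LedEnable / HttpsEnable from the JSON body; HttpsEnable "false"
    # turns off TLS for the management interface. No auth check in here.
    for key in ("HttpsEnable", "LedEnable"):
        if key in params:
            state[key] = params[key] == "true"
    return "PASS"


def get_login_status(params, state):
    return "LOGGED_OUT"


HANDLERS = {
    "storeDeviceData": store_device_data,
    "getLoginStatus": get_login_status,
}


def dispatch_per_handler(req, state):
    """Vulnerable pattern: each handler is trusted to enforce its own access
    control. storeDeviceData never does, so the PoC request succeeds."""
    params = json.loads(req.body)
    handler = HANDLERS.get(params.get("Action_Select"))
    if handler is None:
        return 404, "UNKNOWN"
    return 200, handler(params, state)


def dispatch_global_gate(req, state):
    """Hardened pattern: every action is denied unless it is explicitly public
    or the request carries a valid session. Handlers are unchanged."""
    params = json.loads(req.body)
    action = params.get("Action_Select")
    handler = HANDLERS.get(action)
    if handler is None:
        return 404, "UNKNOWN"
    if action not in PUBLIC_ACTIONS and not is_authenticated(req):
        return 403, "FORBIDDEN"
    return 200, handler(params, state)


def demo():
    """Runs the PoC body through both dispatchers; returns (response, HttpsEnable)."""
    results = {}

    state = default_state()
    results["vuln_unauth"] = (dispatch_per_handler(Request(POC_BODY), state), state["HttpsEnable"])

    state = default_state()
    results["fixed_unauth"] = (dispatch_global_gate(Request(POC_BODY), state), state["HttpsEnable"])

    state = default_state()
    results["fixed_auth"] = (dispatch_global_gate(Request(POC_BODY, "tok-admin-1"), state), state["HttpsEnable"])

    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of the global gate is that adding a new AJAX action cannot silently create an unauthenticated endpoint: a developer has to add it to PUBLIC_ACTIONS deliberately, which is the "granted explicitly" property the Fix section asks for.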

Timeline

  • 2021-03-31: First contact request via https://www.vodafone.de/unternehmen/sicher-im-dialog.html
  • 2021-04-26: Second contact request via responsible.disclosure@vodafone.com
  • 2021-04-26: Investigation started by vendor.
  • 2021-06-04: Vendor confirms vulnerability and informs us about the ongoing process to "develop, test and deploy a fix". Further, the vendor requests to delay publication until all affected devices have received a fix.
  • 2022-01-20: Vendor claims: "The deployment of a fix is ongoing and a full rollout is expected within the next two months. Approximately 50% of devices currently have the fixed firmware. This includes all of our WiFi 6 model devices."
  • 2022-05-09: Status update requested.
  • 2022-05-19: Vendor confirms remediation.
  • 2022-06-14: This advisory is published.

Credits

This security vulnerability was identified by Christian Rellmann of usd AG.