CVE-2017-10793 in U-verse
Summary
by MITRE
The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589, NVG599, and unspecified other devices, when IP Passthrough mode is not used, configures an sbdc.ha WAN TCP service on port 61001 with the bdctest account and the bdctest password, which allows remote attackers to obtain sensitive information (such as the Wi-Fi password) by leveraging knowledge of a hardware identifier, related to the Bulk Data Collection (BDC) mechanism defined in Broadband Forum technical reports.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 01/10/2021
The vulnerability identified as CVE-2017-10793 affects AT&T U-verse routers running firmware version 9.2.2h0d83 on devices including the Arris NVG589 and NVG599 models. This security flaw stems from improper configuration of the Bulk Data Collection (BDC) mechanism within the router's WAN TCP service implementation. The vulnerability specifically manifests when the router operates in its default configuration without IP Passthrough mode, creating an unintended attack surface that exposes sensitive network information to remote adversaries.
The technical flaw involves the automatic provisioning of a service endpoint on TCP port 61001 that utilizes the sbdc.ha account with the hardcoded bdctest password. This configuration represents a classic security misconfiguration where default credentials are left unchanged and accessible to remote attackers. The vulnerability is particularly concerning because it leverages the Broadband Forum's BDC mechanism, which is designed for legitimate network management purposes but becomes exploitable when improperly implemented. The attack vector requires knowledge of a hardware identifier, suggesting that the service is tied to specific device identifiers rather than being completely open to any network entity.
The operational impact of this vulnerability extends beyond simple credential exposure, as the BDC mechanism is designed to collect and transmit various network statistics and configuration data. Remote attackers who can reach the vulnerable port 61001 can potentially extract sensitive information including Wi-Fi passwords, network configuration parameters, and other proprietary data that could be used for further exploitation. This vulnerability enables attackers to perform reconnaissance and establish persistence within the network, as the extracted credentials could be used to access other network resources or maintain long-term access to the compromised device. The exposure of Wi-Fi passwords specifically creates a significant risk for network confidentiality and integrity.
The vulnerability aligns with CWE-798, which addresses the use of hardcoded credentials, and represents a clear violation of the principle of least privilege. From an ATT&CK framework perspective, this vulnerability maps to T1079 (Multilayered Attack) and T1046 (Network Service Scanning) as attackers can discover and exploit the service to gather intelligence about the network. The issue also relates to T1531 (Account Access Removal) and T1083 (File and Directory Discovery) as the compromised credentials could enable further lateral movement within the network. Organizations should implement network segmentation to isolate affected devices, disable unnecessary services, and ensure that all firmware updates are applied promptly to address this vulnerability. Additionally, regular network scanning should be conducted to identify devices running vulnerable firmware versions, and access controls should be implemented to restrict unauthorized network access to these critical endpoints.