CVE-2018-20383 in DG950A

Summary

by MITRE

ARRIS DG950A 7.10.145 and DG950S 7.10.145.EURO devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.


Analysis

by VulDB Data Team • 04/23/2020

The vulnerability identified as CVE-2018-20383 affects ARRIS DG950A and DG950S residential gateway devices running firmware versions 7.10.145 and 7.10.145.EURO respectively. This issue is a critical information disclosure flaw that enables remote attackers to extract sensitive authentication credentials through Simple Network Management Protocol (SNMP) queries. The affected devices expose SNMP MIB (Management Information Base) objects that contain credential information, specifically the iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 OIDs, which correspond to administrative credentials and possibly other sensitive configuration data.

The technical implementation of this vulnerability stems from improper SNMP configuration within the affected ARRIS devices where sensitive credential information is stored in accessible MIB objects without adequate access controls or authentication mechanisms. These MIB objects are part of the device's SNMP management interface and are designed to provide system information to network management tools. However, in this case, the implementation fails to properly secure sensitive data, allowing unauthenticated remote attackers to retrieve administrative passwords and other credentials through standard SNMP GET operations. This represents a classic violation of the principle of least privilege and demonstrates poor secure coding practices in network device firmware development.

The operational impact of this vulnerability is severe as it provides attackers with direct access to administrative credentials that can be used to gain full control over the affected devices. Once credentials are obtained, attackers can modify device configurations, disable security features, redirect traffic, or establish persistent backdoors within the network infrastructure. This vulnerability particularly affects residential gateways that serve as the primary network access point for home and small office networks, potentially enabling attackers to compromise entire local networks. The remote nature of the attack means that adversaries do not require physical access to the device or network proximity, making the exploitation surface extremely broad and accessible.

From a cybersecurity framework perspective, this vulnerability maps directly to CWE-200 (Information Disclosure) and CWE-312 (Sensitive Data Exposure) categories within the Common Weakness Enumeration system. The attack vector aligns with ATT&CK technique T1071.004 (Application Layer Protocol: DNS) and T1078.004 (Valid Accounts: Cloud Accounts) when considering the potential for credential misuse. Organizations should immediately implement network segmentation to isolate these devices from critical network segments, disable unnecessary SNMP services where possible, and apply firmware updates from ARRIS as soon as they become available. Network monitoring should be enhanced to detect unusual SNMP traffic patterns, and access controls should be implemented to restrict SNMP access to authorized management systems only. The vulnerability also underscores the importance of conducting regular security assessments of network infrastructure devices and implementing robust patch management processes to address similar issues in the future.
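The two preceding paragraphs describe the exposure (credential-bearing MIB objects readable via plain SNMP GET) and the recommended controls (restrict SNMP to authorized management systems, watch for unusual SNMP traffic). The following is an added example of the monitoring side, written for this page; it is not code from VulDB, MITRE or ARRIS. It reads constructed SNMP request records of the form `<source-ip> <pdu-type> <oid>`, normalizes the `iso.`-prefixed OID spelling to dotted numeric form, and classifies each request by whether it comes from an assumed management network (the `10.0.0.0/24` range is a placeholder) and whether it touches the OIDs named in the advisory or the subtree `1.3.6.1.4.1.4491.2.4.1.1.6` that is their common parent (a walk started at or above that node also reaches them). The log format and network ranges are assumptions for the example.

```python
"""Classify SNMP requests against the OIDs named in CVE-2018-20383.

Added example for a defender's log review, not the vendor's or VulDB's code.
Input records are constructed here; a real deployment would feed parsed
firewall, IDS or SNMP-agent logs into parse_line().
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# OIDs from the advisory, in dotted numeric form ("iso" is arc 1).
SENSITIVE_OIDS = {
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0",
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0",
}
# Common parent of the two OIDs above; a GETNEXT/GETBULK walk started here
# or higher enumerates the credential objects.
SENSITIVE_SUBTREE = "1.3.6.1.4.1.4491.2.4.1.1.6"

# Assumption for the example: only this range is allowed to poll SNMP.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

WALK_PDUS = {"GETNEXT", "GETBULK"}
READ_PDUS = {"GET"} | WALK_PDUS


@dataclass
class SnmpEvent:
    src: str
    pdu: str
    oid: str


def normalize_oid(oid: str) -> str:
    """Map Net-SNMP style 'iso.3.6...' or '.1.3.6...' to '1.3.6...'."""
    oid = oid.strip().lstrip(".")
    if oid == "iso":
        return "1"
    if oid.startswith("iso."):
        return "1." + oid[len("iso."):]
    return oid


def parse_line(line: str) -> Optional[SnmpEvent]:
    """Parse one constructed record: '<src_ip> <pdu> <oid>'."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return SnmpEvent(parts[0], parts[1].upper(), normalize_oid(parts[2]))


def is_management(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MANAGEMENT_NETS)


def touches_sensitive(ev: SnmpEvent) -> bool:
    """True if the request reads, or a walk would reach, the credential OIDs."""
    if ev.pdu not in READ_PDUS:
        return False
    if ev.oid in SENSITIVE_OIDS:
        return True
    inside = ev.oid == SENSITIVE_SUBTREE or ev.oid.startswith(SENSITIVE_SUBTREE + ".")
    above = SENSITIVE_SUBTREE.startswith(ev.oid + ".")
    return inside or (ev.pdu in WALK_PDUS and above)


def classify(ev: SnmpEvent) -> str:
    """alert: non-management source reading credential objects;
    warn: non-management source using SNMP at all (should be blocked);
    review: management source reading credential objects (audit it);
    ok: anything else."""
    sensitive = touches_sensitive(ev)
    if not is_management(ev.src):
        return "alert" if sensitive else "warn"
    return "review" if sensitive else "ok"


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (line, verdict) for every parseable record."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            out.append((line, classify(ev)))
    return out


# Constructed sample records (addresses from documentation ranges).
SAMPLE_LOG = [
    "203.0.113.7 GET iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0",
    "203.0.113.7 GETNEXT iso.3.6.1.4.1.4491",
    "198.51.100.2 GET iso.3.6.1.2.1.1.1.0",
    "10.0.0.5 GET iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0",
    "10.0.0.5 GET iso.3.6.1.2.1.1.5.0",
]

if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:7s} {line}")
```

The point of the `warn` verdict is that on a device with this flaw, any SNMP reachability from outside the management range is already the problem; the `alert` verdict only tells you which of those requests went straight for the credential objects.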

Reservation

12/23/2018

Disclosure

12/23/2018

Moderation

accepted

CPE

ready

EPSS

0.00821

KEV

no

Activities

very low
