An unpatched vulnerability in Arris routers could give a cybercriminal complete remote code execution on the device.
In response to a researcher’s query about a patch, the telecommunications equipment company stated that the devices impacted by the vulnerability were no longer supported.
The end-of-life (EOL) devices may not receive any further updates despite their ongoing use, which puts their users at risk. The vulnerability, tracked as CVE-2022-45701, affects firmware version 9.1.103; the SBG10 remains listed on the official website.
Details about vulnerability in Arris router
The models impacted by this vulnerability are the SBG10, TG2482A, and TG2492, which are in common use in Latin America and the Caribbean, according to the researcher Yerodin Richards, who found the flaw.
The Arris router vulnerability leads to authenticated remote code execution: an attacker needs valid login credentials to reach the vulnerable code.
An attacker who finds a router still using its default credentials can log in with them and then run arbitrary commands on the device.
The management interface did not protect credentials in transit with HTTPS, which adds to the risk of using these routers. It was further pointed out that internet service providers often supply these router models to their customers.
Software such as Microsoft Windows XP, Mozilla Firefox, Adobe Flash, and Java 6 has long been on EOL lists. Yet users across the globe continue to run it for its simplicity and productivity, as well as its lower cost.
Preventive measures for the vulnerability in Arris router
Cybersecurity experts urge users to start by setting a strong password, which creates a major, but not permanent, roadblock for cybercriminals: an attacker can still read the password out of the unprotected traffic, or gain access by exploiting the user’s browser.
Replacing the firmware is another option, and advanced engineers or researchers with a root shell could patch the vulnerability themselves.
Richards tested several inputs for shell command injection. He first found that the input accepted a lone $, but the sequence $( was neutralized when the two characters appeared together.
He then inserted a backslash between them: the input $\() passed the filter and was later collapsed into $(), giving command substitution, which he used to run a netcat reverse TCP shell. As Malwarebytes noted, the bypass would have been prevented by neutralizing $ or ( individually rather than only the pair.
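The bypass is easy to model. The following Python is added here as an illustration and is not code from the router firmware, from Arris, or from the researcher: it shows a sanitizer that blocklists only the two-character pair "$(" and then strips backslashes (so "$\(" survives the filter and collapses into "$("), beside a hardened version that neutralizes "$" and "(" individually after unescaping, and a variant that avoids building a shell string at all. The payload, the `check_pw` command name and the function names are constructed for the example.

```python
# Added example: models the filter bypass described in the article.
# Not the Arris firmware; the payload, the "check_pw" command template
# and all function names are constructed assumptions for illustration.
import shlex

# Constructed payload in the shape the text describes: "$" and "(" are
# separated by a backslash, so the literal pair "$(" never appears in it.
PAYLOAD = "pw$\\(id)"   # the string pw$\(id)
BENIGN = "correct-horse"


def vulnerable_sanitize(value: str) -> str:
    """Blocklist the exact sequence "$(", then drop backslashes.

    Filtering before unescaping is the bug: "$\\(" survives step 1 and
    becomes "$(" in step 2, recreating the command-substitution syntax.
    """
    filtered = value.replace("$(", "")
    return filtered.replace("\\", "")


def hardened_sanitize(value: str) -> str:
    """Neutralize "$" and "(" individually, and only after unescaping.

    Each metacharacter is removed on its own, so no later processing
    step can reassemble the dangerous pair.
    """
    unescaped = value.replace("\\", "")
    return unescaped.translate(str.maketrans("", "", "$(`)"))


def build_shell_command(password: str) -> str:
    """Constructed stand-in for firmware that splices a password into a
    shell string by double-quoting it. Double quotes do not stop $(...)
    expansion, which is why sanitizer correctness matters here."""
    return f'check_pw "{password}"'


def quoted_shell_command(password: str) -> str:
    """If a shell string is unavoidable, single-quote the value with
    shlex.quote; "$", "(" and backslashes are inert inside single quotes."""
    return f"check_pw {shlex.quote(password)}"


def safe_argv(password: str) -> list[str]:
    """Best option: pass the password as its own argv element and run
    without a shell, so no metacharacter is ever interpreted."""
    return ["check_pw", password]


def contains_command_substitution(command: str) -> bool:
    """Detect the two shell command-substitution syntaxes."""
    return "$(" in command or "`" in command


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_sanitize),
                     ("hardened", hardened_sanitize)):
        cmd = build_shell_command(fn(PAYLOAD))
        print(f"{name:10s} -> {cmd!r} "
              f"substitution={contains_command_substitution(cmd)}")
    print("quoted     ->", repr(quoted_shell_command(PAYLOAD)))
    print("argv       ->", safe_argv(PAYLOAD))
```

The ordering of the two steps is the whole story: a blocklist applied before escape processing is checking a string the shell will never see. Removing the metacharacters one at a time after unescaping closes that gap, and passing the value as a separate argv element removes the shell from the picture entirely.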