A flaw in Orange LiveBox ADSL modems permits a hacker to retrieve their SSID and WiFi password in plaintext by sending a request over the internet.
Honeypots at Bad Packets observed a scan that, on further investigation, turned out to be traffic targeting the Orange devices. According to Troy Mursch, co-founder of the company, the attackers were leaking the local network access details.
Using Shodan, they obtained a list of LiveBox modems reachable from the internet, and Mursch found that 19,490 of them exposed the information in plain text in response to a GET request for /get_getnetworkconf.cgi.
Mursch stated in a blog post that owners of many of the vulnerable Orange boxes used the same password to restrict access to both the configuration panel of the device and the wireless network. A large number of people were using the default credentials – admin/admin.
The information obtained is valuable to an attacker who aims to compromise the device remotely or to carry out impersonation attacks, since the modem comes with VoIP support.
Numerous vulnerabilities affecting the Orange LiveBox modems are publicly documented, and some of them have exploit code demonstrating them.
Mursch claims that most of the vulnerable devices were located in the Orange Espana (AS12479) network, and the initial scan source was an IP address from a Telefonica Spain customer.
Although the reason for these scans is not clear, it is interesting that the source is physically close to the affected LiveBox ADSL modems. This would let the attackers connect to the WiFi network (SSID) if they were near one of the modems indexed by their scans.
This information-leak flaw, tracked as CVE-2018-20377, was already known in the technical community. It was described in a 2012 blog post by Rick Murray and, in 2015, in an analysis of the device firmware.
Orange Espana, Orange-CERT and CERT Spain have been notified so that they can deploy mitigation procedures.
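A log check for the scanning described above, as an added example that is not code from Bad Packets or from the original article: it flags requests for /get_getnetworkconf.cgi in an access log and groups them by source. The combined access-log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Path named in the article; a request for it asks the modem for its WiFi config.
LEAK_PATH = "/get_getnetworkconf.cgi"

# Assumed format: ip - - [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def normalized_path(target):
    """Drop the query string, percent-decode and collapse ./, ../ and // so
    trivially altered requests still match. Lower-casing is a deliberately
    broad choice: it may over-match, which is acceptable for detection."""
    path = unquote(target.partition("?")[0])
    return normpath("/" + path.lstrip("/")).lower()

def find_probes(lines):
    """Return {source_ip: {"hits": n, "answered": bool}} for LEAK_PATH requests."""
    probes = defaultdict(lambda: {"hits": 0, "answered": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalized_path(m["target"]) != LEAK_PATH:
            continue
        entry = probes[m["ip"]]
        entry["hits"] += 1
        # A 200 means the page was served: treat the SSID and WiFi
        # password as disclosed and change them.
        entry["answered"] |= m["status"] == "200"
    return dict(probes)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2019:10:01:02 +0000] "GET /get_getnetworkconf.cgi HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [01/Jan/2019:10:01:05 +0000] "GET /Get_GetNetworkConf.cgi?x=1 HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.9 - - [01/Jan/2019:10:02:00 +0000] "GET /%67et_getnetworkconf.cgi HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.44 - - [01/Jan/2019:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for ip, info in find_probes(SAMPLE_LOG).items():
        print(ip, info)
```

Any source marked as answered received the page, so the WiFi password on that device should be changed, along with the admin password where the two were the same.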