A root authentication bypass vulnerability exists in the Arris NVG443B router, commonly supplied to customers of Frontier ISP. This vulnerability allows an attacker with physical access to gain root-level privileges to the device's operating system, potentially compromising the security of the network.
Affected Device: Arris NVG443B Router
Affected Firmware: Version 9.3.0h3d36
Discoverer: Gavin Kelsey (aliases: HotPocket/nullptr)
The vulnerability exists due to a flaw in the router's login shell (/bin/cshell), specifically in the function located at RVA 0x165C0. When exploited, this vulnerability allows an attacker to bypass the authentication mechanism and gain root-level access to the device.
During security testing via UART connection, it was discovered that sending the command ^e terminates the sdb task. When this task is terminated, the login shell erroneously grants root access without requiring authentication credentials.
^e to terminate the sdb taskThis exploitation sequence effectively bypasses all authentication mechanisms, granting complete control over the router's operating system.
The vulnerability has been assigned a CVSS score of 6.8 (MEDIUM) based on the following factors:
The vendor, Arris, has been notified of this issue and has released a patch to address the vulnerability.
This vulnerability was discovered and reported by Gavin Kelsey during security testing.
Responsible disclosure procedures were followed, allowing the vendor time to develop and release a patch before public disclosure.