Approximately 20,000 Orange Modems have been found to be vulnerable to a new vulnerability (CVE-2018-20377). This vulnerability was found by honeypots that researchers had deployed in the wild. The honeypots found a plethora of scans that were targeting Orange Modems, primarily in Spain and France. A flaw in the Orange Livebox ADSL modems allows a remote unauthenticated user access to the SSID and Wi-Fi password for that device. Many of the devices that were found to be leaking the Wi-Fi password were also using the same password to administer the device, or did not set up their own custom password when they set up their Wi-Fi and are still using the default password. This allows an attacker to gain entry into the box and make malicious changes to the settings or firmware of the device. The initial scan that was found was from an IP address that was associated with a Spanish internet company. Typically, it is not seen that the attacker is physically this close to their targeted devices, and if the attacker was close enough to a vulnerable box, they could connect to the Wi-Fi network SSID.
Analyst Notes
Orange-Cert has been notified by the researchers that identified the flaw and stated that they are looking into the issue. The IP address that were found to be vulnerable were not released by the researchers due to the sensitive nature of the information but stated is available for law enforcement or CERT teams. Orange should be releasing a fix to this issue and if a user is using a vulnerable box, they should be on the lookout for when the patch comes out.
