The two issues described in this document affect the proper operation
of cable modem systems. One issue results from historical behavior of cable
modems not manufactured by Cisco. The other issue results from a defect in
Cisco IOS Software running on a cable modem termination system (CMTS) that
allows a cable modem to operate with an invalid configuration.

When a cable modem in a customer premises environment (CPE)
initializes, it obtains a configuration file from the service provider's
network using the Trivial File Transfer Protocol (TFTP) via a coaxial cable
connection to the service provider's network. Historically, cable modems from
other, non-Cisco manufacturers allow the configuration information to be
downloaded via the device's Ethernet interface. By running a TFTP server on a
customer premises computer and setting that computer's IP address equal to the
service provider's TFTP server, a different configuration file can be
downloaded to such a cable modem from the customer premises network.

The industry-standard Data Over Cable Service Interface Specification
(DOCSIS) for cable modem configuration information includes a Message Integrity
Check (MIC) based on a Message Digest 5 (MD5) hash of the contents of the
configuration. MD5 is a one-way (non-invertible) hash—meaning that the input
cannot be recovered from the output—and the output is considered unique for a
specific input. If the MIC is not correct, the cable modem registration process
fails and it will not be allowed to come on line. Publicly available tools
exist to create a DOCSIS-compliant configuration, including a valid MIC. The
"cable shared-secret" command in Cisco IOS Software configures a password that
is included in the MD5 hash that produces the MIC;
without the password, it is computationally infeasible to produce the correct
matching MIC, and the cable modem is prevented from registering with the
service provider's network.

If the shared secret is configured identically on all of the systems
within a service provider's network and TFTP spoofing is possible as shown
above, then other valid configurations containing different parameters for the
same service provider network can be interchanged and downloaded to a cable
modem. The modem will be allowed to come on line because the shared secret is
the same. In addition, while the MD5 hash is non-invertible, the shared secret
used to compute it can be recovered from the CMTS router configuration. It can be
protected by using the "service password-encryption" command in Cisco IOS
Software, but the command uses "mode 7" encryption, which is considered adequate
only for basic protection from casual viewing.

A defect in Cisco IOS Software for the uBR7200 and uBR7100 series
Universal Broadband Routers causes the MD5 test to be skipped if a MIC is not
provided in the DOCSIS configuration file. A DOCSIS configuration can be
modified with a hex editor to truncate the file just before the MIC and adjust
other fields to produce an invalid configuration file that will be accepted by
the cable modem and the CMTS. When the cable modem attempts to register, a
vulnerable CMTS fails to challenge the missing MIC and allows the cable modem
to come on line. Using this vulnerability, the range of possible configurations
is no longer restricted to a small alternative set for the same service
provider; a completely custom configuration can be generated in which all of
the options can be specified. This defect is documented as CSCdx72740, and
details are available to registered users of the Cisco website.
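
The following Python model is an added illustration, not code from the advisory or from Cisco: it verifies a configuration file's MICs the way a fixed CMTS should and, with require_mic=False, reproduces the missing-MIC bypass described above. TLV types 6, 7 and 255 are the standard DOCSIS ones; treating the CMTS MIC as HMAC-MD5 over all settings is a simplification of the specification, and the shared secret and setting values used are constructed.

```python
import hashlib
import hmac

CM_MIC, CMTS_MIC, END = 6, 7, 255  # DOCSIS TLV types: CM MIC, CMTS MIC, end-of-data


def build_tlvs(items):
    """Encode (type, value) pairs as one-byte type / one-byte length / value records."""
    return b"".join(bytes([t, len(v)]) + v for t, v in items)


def parse_tlvs(data):
    """Decode records up to the end-of-data marker; a truncated file simply yields fewer records."""
    records, i = [], 0
    while i < len(data) and data[i] != END:
        t, length = data[i], data[i + 1]
        records.append((t, data[i + 2:i + 2 + length]))
        i += 2 + length
    return records


def cm_mic(settings):
    """CM MIC: plain MD5 over the encoded settings that precede it (no secret involved)."""
    return hashlib.md5(build_tlvs(settings)).digest()


def cmts_mic(settings, shared_secret):
    """CMTS MIC: MD5-based digest keyed with the operator's shared secret.
    Simplification: HMAC-MD5 over every setting; the spec hashes a fixed subset in a fixed order."""
    return hmac.new(shared_secret, build_tlvs(settings), hashlib.md5).digest()


def make_config(settings, shared_secret):
    """Provisioning-server side: settings, then both MICs, then the end marker."""
    mics = [(CM_MIC, cm_mic(settings)), (CMTS_MIC, cmts_mic(settings, shared_secret))]
    return build_tlvs(settings + mics) + bytes([END])


def verify_config(data, shared_secret, require_mic=True):
    """CMTS side: return True if the file should be accepted at registration.

    require_mic=False models the defect in the text: a file carrying no CMTS MIC is
    accepted without any digest check. A fixed CMTS (require_mic=True) rejects it."""
    records = parse_tlvs(data)
    settings = [r for r in records if r[0] not in (CM_MIC, CMTS_MIC)]
    mics = dict(r for r in records if r[0] in (CM_MIC, CMTS_MIC))
    if CMTS_MIC not in mics:
        return not require_mic
    if CM_MIC not in mics or not hmac.compare_digest(mics[CM_MIC], cm_mic(settings)):
        return False
    return hmac.compare_digest(mics[CMTS_MIC], cmts_mic(settings, shared_secret))
```
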

The Cisco IOS Software configuration command "cable tftp-enforce" prohibits a
cable modem from registering and coming on line if there is no matching TFTP
traffic through the CMTS preceding the registration attempt. This feature was
introduced via CSCdx57688, and details are available to registered users of the
Cisco website. The new command is available on the uBR10012 router as well as
the uBR7200 and uBR7100 series.

Both the "cable tftp-enforce" feature and the fix for the MD5 authentication
bypass are necessary to properly mitigate these vulnerabilities, and Cisco is
making fixed software available as

Some non-Cisco cable modems may be running older versions of software
that save a local copy of the configuration information and use that cached
copy at registration time instead of obtaining the actual file from a TFTP
server. In addition to the possibility that the cable modem is not using the
proper configuration information, the cable modem's user may be mistakenly
accused of attempting theft of service.