A critical vulnerability in Cox Communications’ back-end infrastructure was recently discovered by security researcher Sam Curry, exposing nearly 700 API endpoints and potentially millions of business customers’ devices to attacks.


The vulnerability allowed threat actors to bypass authorization and gain access to business customers’ modems, obtaining personally identifiable information (PII) [3], Wi-Fi passwords [2] [3], and connected-device information [2] [3], and executing arbitrary commands [1] [2] [3]. The flaw, attributed to an error in the Spring code used for proxying API requests [2], let attackers replay HTTP requests and execute unauthorized commands on the devices, including resetting settings and stealing personal information. By exploiting the vulnerabilities, threat actors could access business account information [5] and MAC addresses [3] [5] and take over customer accounts [2], effectively gaining the permissions of an ISP support team [2]. Curry identified the issue and disclosed it in a blog post on June 3, 2023 [3], after accidentally discovering the authentication bypass in Cox’s backend APIs while attempting to exploit a blind XML external entity injection (XXE) vulnerability [3]. He reported the vulnerability through Cox’s responsible disclosure program on March 4, 2023 [3], and it was patched the next day [3]. Although there is no evidence of exploitation in the wild [4], the potential for unauthorized access to sensitive data remains a concern [4].


To mitigate the risk [1], it is recommended to upgrade modem security by replacing outdated modems with newer models and keeping them on the latest security patches [1]. Additionally, using a personal router and placing it behind a firewall can further enhance security [1].


