Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Businesses Intel Hardware

Intel-Powered Broadband Modems Highly Vulnerable To DoS Attack (dslreports.com) 59

"It's being reported by users from the DSLReports forum that the Puma 6 Intel cable modem variants are highly susceptible to a very low-bandwidth denial-of-service attack," writes Slashdot reader Idisagree. The Register reports: Effectively, if there's someone you don't like, and they are one of thousands upon thousands of people using a Puma 6-powered home gateway, and you know their public IP address, you can kick them off the internet, we're told... According to one engineer...the flaw would be "trivial" to exploit in the wild, and would effectively render a targeted box useless for the duration of the attack... "It can be exploited remotely, and there is no way to mitigate the issue."

This is particularly frustrating for Puma 6 modem owners because the boxes are pitched as gigabit broadband gateways: the devices can be potentially choked and knocked out simply by receiving traffic that's a fraction of the bandwidth their owners are paying for... The Puma 6 chipset is used in a number of ISP-branded cable modems, including some Xfinity boxes supplied by Comcast in the US and the latest Virgin Media hubs in the UK.

The original submission also notes there's already a class action lawsuit over the performance of cable modems with Intel's Puma 6 chipset, and adds "It would appear the Atom chip was never going to live up to the task it was designed for."
This discussion has been archived. No new comments can be posted.

Intel-Powered Broadband Modems Highly Vulnerable To DoS Attack

Comments Filter:
  • Given that my Atom server has no problem saturating both gigabit network ports at the same time somehow I doubt the problem is the performance of the Atom chip referenced as being beefed up in the summary and more due to a crappy implementation of Puma 6 itself.

    • Re:Atom chip? (Score:4, Informative)

      by Anonymous Coward on Sunday April 30, 2017 @09:20AM (#54328539)

      It's not the Atom cores, it's the bolted on NAT accelerator with 2048 max entries + 30s timeout for UDP "connections" + firmware too stupid to fall back to software NAT when the hardware table is full.

      • Re:Atom chip? (Score:5, Interesting)

        by CODiNE ( 27417 ) on Sunday April 30, 2017 @09:52AM (#54328639) Homepage

        So you just spoof 2048 UDP packets every 30s and they can't send a single packet? That IS trivial.

      • by arglebargle_xiv ( 2212710 ) on Sunday April 30, 2017 @09:55AM (#54328653)
        Intel has acknowledged the bug, caused by missing entries in the lookup table used by the NAT circuitry, but claims that the typical user would only experience it once every 27,000 years so they have no plans to fix it. However, the upcoming Puma 6.9999999975 chipset will contain a fix.
      • Why does a cable modem need a NAT accelerator? It shouldn't be doing NAT to begin with, right? That's the router's job...

      • Yeah exactly what I was saying. But the last line in the summary makes it seem like the newer Atoms aren't up to the task. That's just plain incorrect.

    • Comment removed based on user account deletion
      • Yeah my point exactly. The Atom itself as a CPU is just fine, and that link back to a previous post talking about newer versions of Atoms is completely unrelated to whatever it is they botched in this implementation.

  • I take it this stupid article refers to NAT routers, and not cable modems at all.

    Anyone with the slightest bit of savvy runs a straight cable modem connected to a completely separate router. And, having suffered with various commodity routers such as Netgear, they all suck donkey balls. Do what I did. Break down and get a real Sonicwall TZ-170 (used/surplus of course).

    • by Hachima ( 718971 )
      Actually this is a pure cable modem issue. http://www.dslreports.com/tool... [dslreports.com] is a test that can be used to see if your modem is affected. https://www.dslreports.com/tes... [dslreports.com] lists some of the affected modems. The ARRIS SB6190 is one of the more popular modems on the list that is affected.
    • Comment removed based on user account deletion
  • Whew. (Score:4, Funny)

    by sims 2 ( 994794 ) on Sunday April 30, 2017 @10:10AM (#54328729)

    Got scared there for a second then I remembered we can't get gigabit here.

    • Re: (Score:3, Informative)

      by djc6 ( 86604 )

      Puma 6 chipset has been used in modems/gateways since 2012. Here is a partial list of potentially impacted products:

      Arris SB6190
      Arris TG1672G
      Arris TM1602
      Super Hub 3 (Arris TG2492LG) (commonly - virgin media)
      Hitron CGN3 / CDA / CGNV series modems:
      Hitron CDA-32372
      Hitron CDE-32372
      Hitron CDA3-35
      Hitron CGNV4
      Hitron CGNM-3552 (commonly - Rogers)
      Hitron CGN3 (eg CGN3-ACSMR) 2013 link
      Hitron CGNM-2250 (commonly - Shaw)
      Linksys CM3024
      Linksys CM3016
      TP-Link CR7000
      Netgear AC1750 C6300 AC1900
      Netgear CM700
      Telstra Gateway

  • by ameline ( 771895 ) <ian.amelineNO@SPAMgmail.com> on Sunday April 30, 2017 @11:03AM (#54328987) Homepage Journal

    There is apparently a packet spray pattern that causes the CableModem (CM) portion of the Puma 6 to reboot. (likely segfault) The CM on a puma 6 is run by an ARM Cpu (not the x86 atom), the problem is with broken hardware optimization -- specifically the overflow handling on a fairly small table (2032 entry) likely built of CAM (content addressable memory) intended to accelerate external/internal mappings. That table has entries inserted when any packet arrives with a new address. Spew enough packets from enough different addresses and the table overflows -- that overflow requires (slow) processing to handle.

    Disabling the accelerator caps bandwidth to ~60Mbps, and the DoS attack is mitigated.

    But the fact that there is a pattern of (external) packets that *crashes* the CM indicates a potential vulnerability in the CM firmware that would allow a complete takeover of the CM OS.

    That would be a global disaster.

    One proposed mitigation is to use software mapping for packets from external sources and only add mappings to that small table for packets from the LAN side (not the WAN). This would probably have minimal impact for most -- capping speeds to 60Mbps on connections until a packet originating from the LAN side of things has gone through the device.

    But a hostile (and clever enough) hacker may still be able to trick the device into crashing and exposing it to takeover if they can run software on both sides of the device (LAN and WAN) attacking it from both simultaneously.

    The Puma 6 is a bit of a debacle -- it may very well have to be recalled.

    • So the Puma is the dog, and even if you are just using the modem in bridge mode, the chipset is still the DOCIS modem... which might not be impacted directly by this vulnerability, but give it time?
      • by ameline ( 771895 )

        NO This has *Nothing* to do with the gateway capabilities and everything to do with the Cable Modem part of Puma 6. I have been able to hang my Hitron CDA-3 modem (no router/gateway or WiFi in it) by spraying it. Haven't found the magic reboot pattern, but its early yet.

news: gotcha

Working...