Vulnerable Cisco Devices

Discussion created by chrstphr on Feb 22, 2018
Latest reply on Feb 23, 2018 by kevinds

Hello all,


To anyone using a DCP3848V modem provided by Shaw, you are likely vulnerable. An Nmap port scan conducted on these devices reveals that port 7547 is open, listening and publicly available. According to reps that I spoke with today, they indicated that they DO NOT use port 7547 internally for any reasons. This is not correct, and it was referenced back in April of 2017 at this site: Misfortune cookie security vulnerability  a Shaw representative in that link disclosed that what I was told in chat is incorrect as I thought initially.


I now know without a shadow of a doubt, that my modem is exploited, and that the exploit runs so deep that the firmware file that is reloaded after a pin-hole reset is either modified in transit or the recovery file itself is modified. I performed 2 pin-hole resets where I held down the reset for over 15 seconds to make certain that a factory reset was undertaken by the device. Upon factory reset's completion, I navigate to the modem login, and the splash page seen here: Imgur: The magic of the Internet  Note the technicolor logo displayed at the top instead of the expected Cisco page.


Shaw states that it is possible to block communications to this port, but with firmware that is already exploited, effectively patching this issue is not possible. The reason why, is because the port forwarding rules that we as customer-admins have access to are operating on the 'cusadmin' level of privilege and we need to modify the port rules on the embedded OS of the device to prevent the external access to Port 7547. Further, because the firmware is exploited already, and they refuse to A) update this firmware to their provided firmware via Port 7547, (B) refuse access to Ports 22 and 23 for FTP flashing firmware, and (C) providing the firmware file for manually flashing, I personally am unable to resolve the problem created by my ISP.


I am told that bridged-mode is a solution to this, I call BS, as Bridged-Mode is still forcing internet traffic to be pushed through a device that is COMPROMISED. This is ONE case, with an ISP that has hundreds of thousands of customers. I don't care so much about the risk this is creating to me, but more the bigger picture. In chat tonight, I was told "We are WELL aware of the risks associated" with this and "If we find the risks to outweigh the benefits then it will change"

This vulnerability is exposing our safety, and not on an interpersonally connected level, but globally, it is contributing to a weaker internet for everybody. Not only does this vulnerability when correctly (or incorrectly for that matter) leveraged, this vulnerability could allow an attacker to harvest every single teeny tiny little detail of information we ever enter into our computers.


If someone has a potential solution, or any relevant information I would love to be made aware of it. I refuse to operate in bridged-mode, I refuse to sit here idly while hundreds of thousands of my peers are vulnerable to something that could have a very direct impact on day-to-day lives.

If anyone wants any further information than what I've provided or if any links break, let me know, I'm more than happy to provide updated links and whatever information could prove to be helpful to resolve this. Maybe someone has accessed this device via SSH/Telnet already and has a copy of "unmodified" firmware available that they could share?