Three security vulnerabilities in Verizon Fios Quantum Gateway routers allowed a potential attacker to take full control of the devices, researchers have found.

The Fios Quantum Gateway (G1100) allowed an adversary to run commands on the system with the highest privileges, permitted login replay attacks, and disclosed the data used to salt the password hash.

Researchers at Tenable discovered the vulnerabilities (CVE-2019-3914, CVE-2019-3915, and CVE-2019-3916) earlier this year and delayed publishing them until Verizon developed and delivered patches to its clients. At the beginning of March, users were receiving firmware updates for G1100.

Command injection with root privileges

Tenable's researchers found that an authenticated user could inject commands into the operating system. They tested this using the tcpdump packet analyzer.

"I fired up 'tcpdump' and injected the command 'ping -c 1 192.168.1.191' to hopefully ping my machine once. Tcpdump displayed a successful ping."

Although there is client-side validation for user input, it can be overcome with a web proxy server, such as Burp, that can capture and modify the traffic received by the router.

This method achieves command execution on the Verizon device but does not return the output. Using the cURL data transfer tool and an HTTP server, the researcher was able to retrieve the output of his commands, and thus learned that they were running with root privileges.

After doing some reconnaissance to find the operating system and hardware architecture, the researcher discovered an embedded Java virtual machine (JVM), which meant that he could upload and run a Java reverse shell.

Full exploit chains three bugs

The command injection vulnerability requires authentication, but according to Tenable's research the Verizon Fios Quantum Gateway router also had a flaw that allowed replaying the login message to the device for unauthorized authentication.

Complete exploit code is currently available and it works with either a plaintext password or its hash supplied as a command line parameter. Either method results in a successful login to the router's web interface.

Tenable also released today a video demonstrating the exploit code in action.

To address the three security issues, Verizon released a firmware update (02.02.00.13) to all affected devices. Some users complained in early March that the update caused problems and devices on the local network could no longer connect to the primary WiFi network.

One user said that his problems were solved after he followed Verizon's instructions to do a factory reset.

How to check the firmware version your Verizon Fios Quantum G1100 router is using

1. Open a browser and navigate to your router's IP address. For most installations, this will be 192.168.1.1.

2. When prompted, enter the admin password, which can be found on the side of the router.

3. When logged in, click on the System Monitoring section.

4. You should now see the router's firmware version listed, as indicated by the blue arrow in the image below.

5. If your router's firmware is version 02.02.00.13 or later, then your router is no longer affected by these vulnerabilities.
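A small script that applies the last step programmatically, for example across several routers in an inventory (an added example, not code from BleepingComputer, Tenable or Verizon; it assumes the dotted, zero-padded version format shown above and takes the version string as input rather than reading it from the router's web interface):

```python
"""Check whether a Fios G1100 firmware version string is at or past the
patched release 02.02.00.13 quoted in the article. Added example; the
dotted numeric version format is assumed from the strings in the text."""
import re

PATCHED_VERSION = "02.02.00.13"  # the fix release named in the article


def parse_version(version: str) -> tuple:
    """Split a dotted firmware version into a tuple of ints.

    Comparing as integers avoids the string-comparison trap where
    '02.02.00.9' would sort *after* '02.02.00.13'. Leading zeros are
    dropped, so '02.02.00.13' and '2.2.0.13' compare equal. Anything
    that is not dotted digits is rejected rather than guessed at.
    """
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_patched(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True if `version` is the patched release or later.

    A version with fewer fields is padded with zeros, so '02.02.00'
    counts as older than '02.02.00.13' instead of raising an error.
    """
    have, need = parse_version(version), parse_version(patched)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


if __name__ == "__main__":
    # Constructed sample versions, not values read from any real device.
    for v in ["02.02.00.12", "02.02.00.9", "02.02.00.13", "02.02.01.00"]:
        state = "patched" if is_patched(v) else "VULNERABLE, update firmware"
        print(f"{v}: {state}")
```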

Update [04.09.2019]: Verizon contacted BleepingComputer with a statement informing that, to their knowledge, the vulnerabilities discovered and reported by Tenable were not exploited against their customers:

"Security at Verizon is a top priority. We were recently made aware of three vulnerabilities related to login and password information on the Broadband Home Router Fios-G1100. As soon as we were made aware of these vulnerabilities, we took immediate action to remediate them and are issuing patches. We have no evidence of abuse and there is no action required of our consumers."