A security vulnerability has been reported that affects some models of the popular SURFboard modem line by ARRIS (formerly Motorola).
Attackers can exploit a flaw in SB6120, SB6120 and SB6141 model modems running firmware version SB_KOMODO-1.0.6.14 to reboot/reset these modems remotely without authentication, due to the presence of a cross-site request forgery vulnerability.
See this article and DLSR forum post for more details:
ARRIS (Motorola) SURFboard modem unauthenticated reboot flaw
http://www.securityforrealpeople.com/2016/04/arris-motorola-surfboard-modem.html
Some SB61XX modems may be vulnerable to a CSRF attack
https://www.dslreports.com/forum/r30690513-Some-SB61XX-modems-may-be-vulnerable-to-a-CSRF-attack
Solved! Go to Solution.
I'm checking to see how this vulnerability will be addressed and what the timeline looks like. Thanks for posting!
Update 4/12/16: Updated firmware fixing this vulnerability should be available soon. We appreciate everyone's patience while we test the update to ensure it's reliable and safe to push out to the affected modem models.
Update 4/15/16: Comcast has temporarily blocked access to the user interface that the firmware vulnerability relies on. We are in contact with ARRIS and working with them to provide a permanent fix. During this time, customers who want to check their signal levels can use Speed Experience. Service issues can be addressed on this Forum, by posting in the appropriate section.
I really hope the new firmware does not make it impossible to run an automated script to do reboots.
Due to the CMTS's nasty habit of assigning channels with terrible uncorrectable packet loss, I wrote a cron job that fetches the CM's status & signals page once per minute, then checks SNR and calculates uncorrectable packet loss percentage. If SNR < 29 or packet loss > 2%, it reboots the CM. And eventually I get a set of clean channels. Life has been much more pleasant since I set that up.
@shimagnolo wrote:
I really hope the new firmware does not make it impossible to run an automated script to do reboots.
Well, this is what it says in the release notes for the new "1.0.6.16-SCM00" version firmware:
From: https://www.dslreports.com/forum/r30692718-
FYI - Comcast has instituted a temporary block of the Admin GUI pages located at 192.168.100.1 on the SB612X and SB6141 modems:
From: https://www.dslreports.com/forum/r30702757-
... we have temporarily blocked access to the user interface that the firmware vulnerability relies on.
We are in contact with ARRIS and working with them to provide a permanent fix. During this time, customers who need to check their signal levels can use https://speedexperience.xfinity.com/ , or you can reach out to https://www.dslreports.com/forum/comcastdirect for assistance, if needed.
However, users have found that this temporary block can be removed by power cycling the modem.
EDIT: There are now reports http://www.dslreports.com/forum/r30704359- that this temporary block gets renewed/pushed out every night in the early hours of the morning.
EDIT2: It now appears that this temporary block gets renewed/pushed out a few times a day now: http://www.dslreports.com/forum/r30705010-
Hi John, I tried the "Speed Experience" but it does not provide any signal level information.
And for some of us, it does not test the correct modem, I have a tm602 for phone and a SB6183 for internet, it tests the old 602 and report it as EOLed, and stops there. How do I get it to look and examine the correct modem?
@blackjoe wrote:
Hi John, I tried the "Speed Experience" but it does not provide any signal level information.
Speed Experience will check your signal levels and report back to you if there's a problem during the test (i.e. levels are out of spec). It won't report your actual levels, however a Care agent can review your signal levels if you believe this to be causing an issue with your service.
@gwtx wrote:
And for some of us, it does not test the correct modem, I have a tm602 for phone and a SB6183 for internet, it tests the old 602 and report it as EOLed, and stops there. How do I get it to look and examine the correct modem?
Currently, the Speed Experience tool is in beta. I will report your individual experience with it to the team that manages the tool.
I would really be interested in that script you have, I have the same problem in my area with ridiculous amounts of packet loss/uncorrectable errors.
Off-topic, splitting into it's own post.
FYI - Comcast is currently running a limited soak test of the SB_KOMODO-1.0.6.16-SCM00-NOSH firmware for the SB6120, SB6121 and SB6141 models with a select group of customers:
From: »Re: [Security] Some Moto/ARRIS SB61XX modems may be vulnerable to a CSRF attack
With regard to the SB firmware update, we are in the process of soak testing firmware for the SB6120, SB6121, and SB6141 models. We're so close to a final release!
The new firmware for the SB6183 should be released for its soak test soon:
From: »Re: [Security] Some Moto/ARRIS SB61XX modems may be vulnerable to a CSRF attack
Update: We plan to push updated firmware for the SB6120, SB6121, and SB6141 modems on Thursday.
Details are still being determined for the testing and release of updated firmware for the SB6183 and SB6190.
I would like to echo shimagnolo's concern. I really hope this "fix" does not disable my ability to perform automated reboots of my cable modem. I use this feature.
Hi John,
Do you know if there are any plans to make the Speed Experience tool available to Comcast Business customers?
And thank you for keeping us in the loop about the fix!
I just got the new firmware:
- It does indeed bork the scripted reset ability. The reset.htm page is still there,
and it will tell you it will reboot in 10 seconds, but actually does nothing.
- The hidden cmConfigDataW.htm page is still there for those who were wondering.
So it looks like I need to put my networked power switch inline with the CM to restore automated reboots.
@shimagnolo wrote:
I just got the new firmware:
Yes, Comcast officially went GA today with the new SB_KOMODO-1.0.6.16-SCM00-NOSH firmware:
From: »Re: [Security] Some Moto/ARRIS SB61XX modems may be vulnerable to a CSRF attack
The firmware update for the SB6120, SB6121, and SB6141 has been released to the public today. Also, the soak has started for the SB6183.
Received the the new SB_KOMODO-1.0.6.16-SCM00-NOSH firmware.
hasn't fixed the issue, 3 hours later still getting no access to....
192.168.100.1 didn’t send any data.
@___SHADOW___ wrote:
Received the the new SB_KOMODO-1.0.6.16-SCM00-NOSH firmware.
hasn't fixed the issue, 3 hours later still getting no access to....
The 192.168.100.1 page isn’t working
192.168.100.1 didn’t send any data.
ERR_EMPTY_RESPONSEis this because comcast is still pushing the lock out file???Thanks
Yes, they are still borking the web interface, even though they have pushed out the update.
They crippled mine at the usual 1215 time again.
Please tell me they aren't going to consider removing the remote reboot a "fix" to the problem. That's just giving a giant middle finger to everyone who uses the feature. At the very least they should allow people the option to choose the "vulnerability" *eye roll* or not.
Good question!
I can definitely ask our engineering folks if that's in the works.
If you have a SB6120, SB6121 or SB6141, the GUI lockout has been removed for these models. You might need to power cycle your modem one more time to remove it, if it wasn't removed at the time the updated firmware was pushed.
Update 4/28/16: Customers with ARRIS models SB6120, SB6121, and SB6141 should have received updated fimware to patch the CSRF vulnerability and remove the temporary web GUI block from their modem. The updated version of this firmware is SB_KOMODO-1.0.6.16-SCM00-NOSH
. If you are still experiencing the effect of the temporary web GUI block, please power cycle your modem to remove it.
Customers using the ARRIS SB6183 modem should note that a firmware update is currently being tested and will be released soon after testing is complete.
The "Reboot cable modem" button is still missing, is this on purpose?
This wouldn't even be an issue if the 61xx series modems weren't the only modems on the market with the web GUI reboot feature, otherwise I would just buy another modem and be done with this.
The "Reset to Defaults" Button is also missing???
Is this going to be reimplemented it the foreseeable future???
Separate context from the original post, splitting into it's own.
The ability to perform a soft reset or a factory reset was restricted in the new firmware. Resetting the modem can still be done one of two ways:
1. Disconnecting the power cable for ~ 5-10 seconds and reconnnecting.
2. Using the My Account app to reset your modem remotely.
3. Logging into xfinity.com/myaccount and completing the Internet Troubleshooting Assistant.
@ComcastJohnF wrote:
The ability to perform a soft reset or a factory reset was restricted in the new firmware. Resetting the modem can still be done one of two ways:
1. Disconnecting the power cable for ~ 5-10 seconds and reconnnecting.
2. Using the My Account app to reset your modem remotely.
3. Logging into xfinity.com/myaccount and completing the Internet Troubleshooting Assistant.
How does this make any sense.The ability to reset or go back to factory using my SB6183 is gone. How do you go back to factory??? Who thought this was a good Idea.
I believe there should be a pinhole reset you can perform if you need to reset the modem to factory, but I'm not clear under what circumstances a user would need to factory reset their modem?
@ComcastJohnF wrote:
I believe there should be a pinhole reset you can perform if you need to reset the modem to factory, but I'm not clear under what circumstances a user would need to factory reset their modem?
No pinhole I can see. Why a factory reset. Because you never know.
No pinhole on the SB6183 but you can do this:
Have a PC connected via Ethernet. Unplug the RF cable from the cable modem. Power reset the cable modem. Once the “Power” LED comes on solid, and the “Downstream (DS)” LED begins blinking, open a Browser and go to “192.168.100.1”. Once there, go to the “Configuration” page and press the “reset Factory Defaults” button. Reconnect the RF cable. Power reset the modem.
@ComcastJohnF wrote:
I believe there should be a pinhole reset you can perform if you need to reset the modem to factory, but I'm not clear under what circumstances a user would need to factory reset their modem?
... and if by chance, I wanted to sell my SB6141 modem (that I paid for!), I guess that without a factory reset ability, I am restricted to selling it to only Comcast customers????? This seems to amount to theft.
I have the 6183 and I'm looking at the Configuration page right now and as of this morning the
reset Factory Defaults” button.
is gone as is the reset button
@plummerl wrote:
... and if by chance, I wanted to sell my SB6141 modem (that I paid for!), I guess that without a factory reset ability, I am restricted to selling it to only Comcast customers????? This seems to amount to theft.
The config gets set via the bootfile, so the MSO can set whatever settings they want.. Keep in mind this is a cable modem and only a layer 2 device not much the user can set anyways..
Just wondering how to clear the log files. I used to reset the defaults and reboot the modem once a week so they wouldn't pile up. Well since thats no longer an option. How can I clear out those log files ??
Hint: read post #32.
The buttons appear on that page when not connected to the CMTS.
@ArrisTuska wrote:
No pinhole on the SB6183 but you can do this:
Have a PC connected via Ethernet. Unplug the RF cable from the cable modem. Power reset the cable modem. Once the “Power” LED comes on solid, and the “Downstream (DS)” LED begins blinking, open a Browser and go to “192.168.100.1”. Once there, go to the “Configuration” page and press the “reset Factory Defaults” button. Reconnect the RF cable. Power reset the modem.
I'll try it that way. thanks
@Thunder1013 wrote:
Just wondering how to clear the log files. I used to reset the defaults and reboot the modem once a week so they wouldn't pile up. Well since thats no longer an option. How can I clear out those log files ??
When they overflow (which is pretty limited) they overwrite themselves anyway.
@ArrisTuska wrote:
No pinhole on the SB6183 but you can do this:
Have a PC connected via Ethernet. Unplug the RF cable from the cable modem. Power reset the cable modem. Once the “Power” LED comes on solid, and the “Downstream (DS)” LED begins blinking, open a Browser and go to “192.168.100.1”. Once there, go to the “Configuration” page and press the “reset Factory Defaults” button. Reconnect the RF cable. Power reset the modem.
It did work for me. Thanks again. I guess the question is why get rid of those reset buttons.
3. Logging into xfinity.com/myaccount and completing
Tried a reset twice and waited 10 minutes, is it supposed to reboot my 6183?
And why factory reset? Isn't it supposed to relearn the connections when factory reset is issued?
I'd rather have the old firmware, as a factory reset takes less than 5 minutes, and this only triggers if I visit a web page that has this?
And as for the reboot without RF connection, has anyone else noticed you cannot access the modem's webpage if it has no outside connection?
Or is this because I use a router in front of the modem?
@gwtx wrote:
3. Logging into xfinity.com/myaccount and completing
Tried a reset twice and waited 10 minutes, is it supposed to reboot my 6183?
And why factory reset? Isn't it supposed to relearn the connections when factory reset is issued?
I'd rather have the old firmware, as a factory reset takes less than 5 minutes, and this only triggers if I visit a web page that has this?
And as for the reboot without RF connection, has anyone else noticed you cannot access the modem's webpage if it has no outside connection?
Or is this because I use a router in front of the modem?
I had to do it twice but the webpage did come up. I was still connected to my router.
@gwtx wrote:
3. Logging into xfinity.com/myaccount and completing
Tried a reset twice and waited 10 minutes, is it supposed to reboot my 6183?
And why factory reset? Isn't it supposed to relearn the connections when factory reset is issued?
I'd rather have the old firmware, as a factory reset takes less than 5 minutes, and this only triggers if I visit a web page that has this?
And as for the reboot without RF connection, has anyone else noticed you cannot access the modem's webpage if it has no outside connection?
Or is this because I use a router in front of the modem?
I had issues with sometimes being unable to reach the web page.
They were solved by putting a static ARP entry in the router for the CM.
@gwtx wrote:
Or is this because I use a router in front of the modem?
yep I would guess your router had a problem with it..
@ArrisTuska wrote:
@gwtx wrote:
Or is this because I use a router in front of the modem?
yep I would guess your router had a problem with it..
Let see. XP & win7, 3 modems 6121, 6141, 6183, with linksys, netgear, and OpenWRT routers( 2 major revisions ), yep sounds like a router issue
Possilble its a routing issue, I havent traced the routing under these conditions
@ComcastJohnF wrote:
Update 4/28/16:
Customers using the ARRIS SB6183 modem should note that a firmware update is currently being tested and will be released soon after testing is complete.
FYI - From: https://www.dslreports.com/forum/r30740613-
said by jfox (aka "ComcastJohnF"):
The firmware update for the SB6183 is scheduled for GA tomorrow, 5/5. |
I powered cycled my SB6141 cable modem a couple of days ago. I saw that new firmware was downloaded. Right afterwards, I was able to access the diagnostic page in my web browser.
But I just tried it again and I am back to the "Cannot Open Page" error message. I thought this block was suppose to be removed after the new firmware was installed?
Update 5/5/16: Customers with ARRIS model SB6183 should have received updated fimware to patch the CSRF vulnerability and remove the temporary web GUI block from their modem. The updated version of this firmware is D30CM-OSPREY-1.5.2.3-GA-01-NOSH-NNDMN
. If you are still experiencing the effect of the temporary web GUI block, please power cycle your modem to remove it.
I'm another user who needs to be able to programatically reset my modem. Fixing a bug by eliminating features is amateur hour. Put a login/password on it for pete sake. Now I have to go find another modem. Thanks comcast!