Sophos UTM and the ARRIS/Motorola Cable Modem Exploit

If you haven’t heard about it by now, there is a recent exploit that allows a maliciously designed website to trigger a reset of certain ARRIS (formerly Motorola) Cable Modems.

This doesn’t affect all of them, but only a certain model. However, if you’re paranoid at all, there is no harm in blocking access to the cable modem.

There are two ways to do this: drop all traffic to the cable modem (which doesn’t affect internet traffic), or filter out the specific URL used to trigger the reset.

We cover both methods below.

The common way to trigger the reset is with an img tag pointing at the modem’s reset page: simply loading the “image” sends the request to the modem, which starts a reboot process that can take up to 30 minutes to complete.

Block All Traffic to the Cable Modem

If you want to block all communication to the cable modem, that is rather simple. This means that you cannot access or manage it at all, but it doesn’t affect communication between your devices and the internet. The reason is that your internet traffic passes through the modem rather than to it; only connections addressed to the modem’s management IP are affected by the route below.

Log into the Sophos UTM web interface. Open up the “Interfaces & Routing” section, and click on “Static Routing”. Click on the “+ New Static Route…” button. Select “Blackhole route” for the Route type. For the Network entry, click on the “+” icon, and create a new “Host” with the IPv4 address of “192.168.100.1”. Click “Save” on the network definition and click “Save” for the route.

Blacked Hole

After saving it, you’ll need to enable the rule. Next to the “edit” button is a toggle switch. Toggle that so it turns green, and you’re good to go. You should no longer be able to access the modem from your network.

Block Reset Requests using the Web Filter

This is a more “graceful” solution, as it only blocks the reset request, as opposed to all access to the cable modem. This may be important in rare cases. For most people, though, blocking all access is probably the better choice, as this may not be the only exploit that pops up. But if you want access to the cable modem without the risk of it being reset, you can use the web filter to accomplish this.

To do so, open up the Sophos UTM web interface. Open up the “Web Protection” section, click on “Web Filtering”, and then open the “Policies” tab. You should have the base policy here, but you may have other policies as well. If this is the case, you will want to do this to the base policy, as it should affect all of the filters you’re using.

Filter Actions

Click on the “Filter action” entry for your policy (in this case, the “Default content filter action” at the bottom, in the “Base Policy” option). This will bring up the “Edit Filter Action” window. Click on the “Websites” tab. From there, click on the “+” in the “Block These Websites” section.

Set the Name to “Cable Modem Reboot”, and set the “Match URLs based on:” option to “Regular Expression”. Click on the “+” next to “Domains:” and input “https?://192\.168\.100\.1/reset\.html?” into the text box. Click “Save”, and then “Save” again.

The “https?://192\.168\.100\.1/reset\.html?” string matches either HTTP or HTTPS (the “s?” makes the “s” optional) to the modem’s address, followed by either reset.htm or reset.html (the trailing “l?” makes the “l” optional), so it covers all of your bases. Keep in mind that the web filter can only match the path portion of an HTTPS URL if it is decrypting HTTPS traffic; if it only sees the hostname, an HTTPS request for the reset page will not be matched by this rule, which is one more reason the blackhole route is the more thorough option.
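As an added check that is not part of the original post, the following Python script runs the article’s pattern against a set of constructed sample URLs to show which requests it blocks and which it lets through. It uses Python’s `re` module as a stand-in for the UTM’s regex engine (an assumption), and the non-reset page names are made up for illustration.

```python
import re

# The regular expression from the article, exactly as entered in the UTM web filter.
MODEM_RESET_RE = re.compile(r"https?://192\.168\.100\.1/reset\.html?")

# Constructed sample URLs: the reset page over both schemes and both spellings,
# plus management requests that must stay allowed so the modem remains usable.
SAMPLE_URLS = [
    "http://192.168.100.1/reset.htm",
    "http://192.168.100.1/reset.html",
    "https://192.168.100.1/reset.html",
    "http://192.168.100.1/reset.html?confirm=1",  # query string still matches
    "http://192.168.100.1/",                      # modem landing page: allowed
    "http://192.168.100.1/status.html",           # constructed status page: allowed
    "http://192.168.1.1/reset.html",              # different host, not the modem
    "http://192.168.100.1/RESET.HTML",            # Python re is case-sensitive
]


def is_blocked(url: str) -> bool:
    """Return True if the web-filter regex matches this URL (unanchored search)."""
    return MODEM_RESET_RE.search(url) is not None


def classify(urls):
    """Map each URL to the filter decision: True = blocked, False = allowed."""
    return {url: is_blocked(url) for url in urls}


if __name__ == "__main__":
    for url, blocked in classify(SAMPLE_URLS).items():
        print(f"{'BLOCK' if blocked else 'allow'}  {url}")
```

The last sample shows that, with a case-sensitive engine, an upper-case path would slip past the pattern; check how your UTM version handles case before relying on it.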

You should still be able to access your cable modem’s web interface, but you should not be able to reset it. In fact, when you try, you should see a Sophos UTM error page.

Author: Drashna Jael're

1 thought on “Sophos UTM and the ARRIS/Motorola Cable Modem Exploit”


    Well written.