Browser

VPNFilter - Arris TG1672

Has anyone had any issues with their Arris TG1672 and the recently announced VPNFilter vulnerability?

https://blog.talosintelligence.com/2018/05/VPNFilter.html

7 REPLIES
Proven Sharer

Re: VPNFilter - Arris TG1672

So far no users have reported anything involving this vulnerability on these user forums. Note that the research report indicates they found only four specific port numbers are affected; they are ports 23, 80, 2000 and 8080.

Newcomer

Re: VPNFilter - Arris TG1672

The FBI recommends that we upgrade the router to the latest version of firmware.

And reboot. How do we update the firmware?

Contributor

Re: VPNFilter - Arris TG1672

That would be available from the Arris website.

Assuming that there is an update available, which according to this link there isn't.

Cheers.

Helper

Re: VPNFilter - Arris TG1672

The TG1672 is a gateway combo device meaning any and all firmware updates will come from Spectrum once they receive it from Arris, thoroughly test it on their network, and deem it necessary to deploy.

Browser

Re: VPNFilter - Arris TG1672

One of the remediation steps is to disable the remote connection / support feature on your modem. I'm guessing this is how Spectrum would deploy the firmware to us?

Spectrum Employee

Re: VPNFilter - Arris TG1672

Luckily, the routers Spectrum customers are provided were not affected, that they know of. No reports of any being compromised, which is great. However, if you'd like to power cycle preventatively, just unplug both modem and router, wait, plug in the modem, let it boot, then plug in the router. The firmware updates are auto-updated, but the router firmware you can force-update by logging into your router from your home Wi-Fi-connected computer, using the website provided on your router and the accompanying login credentials.
I'm not updating because many times an unnecessary update can cause more issues than good, especially since the Spectrum devices weren't affected.
Spectrum will be auto power cycling devices during certain hours one night anyways. I don't see anything anywhere about disabling that setting... can you elaborate?
Also, the Arris modems aren't the devices in jeopardy; the routers are compromised. Unless you have a router/modem combo device, there's nothing in the modem to update.
Hope that helps.

Proven Sharer

Re: VPNFilter - Arris TG1672

Hard to protect

[Wednesday’s] report is concerning because routers and NAS devices typically receive no antivirus or firewall protection and are directly connected to the Internet. While the researchers still don’t know precisely how the devices are getting infected, almost all of those targeted have known public exploits or default credentials that make compromise straightforward. Antivirus provider Symantec issued its own advisory Wednesday that identified the targeted devices as:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

Both Cisco and Symantec are advising users of any of these devices to do a factory reset, a process that typically involves holding down a button in the back for five to 10 seconds. Unfortunately, these resets wipe all configuration settings stored in the device, so users will have to reenter the settings once the device restarts. At a minimum, Symantec said, users of these devices should reboot their devices. That will stop stages 2 and 3 from running, at least until stage 1 manages to reinstall them.

Users should also change all default passwords, be sure their devices are running the latest firmware, and, whenever possible, disable remote administration. (Netgear officials in the past few hours started advising users of "some" router models to turn off remote management. TP-Link officials, meanwhile, said they are investigating the Cisco findings.)

There's no easy way to determine if a router has been infected. It's not yet clear if running the latest firmware and changing default passwords prevents infections in all cases. Cisco and Symantec said the attackers are exploiting known vulnerabilities, but given the general quality of IoT firmware, it may be possible the attackers are also exploiting zero-day flaws, which, by definition, device manufacturers have yet to fix.

What this means is that, out of an abundance of caution, users of the devices listed above should do a factory reset as soon as possible, or at a minimum, they should reboot. People should then check with the manufacturer for advice. For more advanced users, the Cisco report provides detailed indicators of compromise and firewall rules that can detect exploits.
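The thread mentions two defender-side facts without showing how to act on them: the four TCP ports the Talos report associates with VPNFilter (23, 80, 2000 and 8080, per the first reply) and the quoted article's remark that the Cisco report ships firewall rules that can detect the activity. The script below is an added example written for this page, not code from the thread, from Talos, or from Arris/Spectrum. It triages netfilter-style firewall log lines and flags inbound attempts from the WAN side to those ports, then groups them by source so a host probing several of the ports stands out. Everything it assumes is labelled: the log format is the Linux netfilter LOG-target layout, the interface names (`eth0` for WAN, `br0` for LAN) are placeholders for a generic Linux-based gateway, and the sample lines are constructed using documentation address ranges, not captured traffic. It is a simplified check, not the Talos rule set.

```python
"""Triage netfilter-style firewall logs for inbound WAN-side hits on the TCP
ports named in the VPNFilter reports (23, 80, 2000, 8080).

Added example for the forum thread above; not code from Talos, Arris or
Spectrum. Log format and interface names are assumptions (see comments).
"""
import re
from collections import defaultdict

# Ports quoted in the thread's first reply as the ones the research report names.
VPNFILTER_PORTS = {23, 80, 2000, 8080}

# Assumed interface naming for a generic Linux-based gateway: eth0 = WAN, br0 = LAN bridge.
DEFAULT_WAN_IF = "eth0"

# Constructed sample lines in Linux netfilter LOG-target format (NOT real traffic).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
May 24 10:01:02 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=2000 SYN
May 24 10:01:03 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44124 DPT=443 SYN
May 24 10:01:05 gw kernel: [FW-IN] IN=br0 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=50000 DPT=80 SYN
May 24 10:02:10 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=33333 DPT=23 SYN
May 24 10:02:11 gw kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=33334 DPT=8080 SYN
May 24 10:02:12 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=80
May 24 10:03:00 gw kernel: [FW-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
"""

# Fields of interest in the LOG-target layout; DPT is optional (ICMP has none).
_LOG_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not a firewall record."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    return {
        "iface": m.group("iface"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto").upper(),
        "dport": int(m.group("dpt")) if m.group("dpt") else None,
    }


def find_wan_hits(log_text, wan_if=DEFAULT_WAN_IF, ports=VPNFILTER_PORTS):
    """Keep only TCP packets that arrived on the WAN interface aimed at a watched port.

    LAN-side management traffic (e.g. a browser reaching the gateway on port 80
    from inside) is deliberately ignored: the concern is exposure to the Internet.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["iface"] == wan_if and rec["proto"] == "TCP" and rec["dport"] in ports:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Map each source address to the sorted list of watched ports it touched."""
    by_src = defaultdict(set)
    for rec in hits:
        by_src[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in by_src.items()}


def probable_sweeps(summary, min_ports=2):
    """Sources that touched at least `min_ports` of the watched ports: likely probing, not a stray hit."""
    return sorted(src for src, ports in summary.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    found = find_wan_hits(SAMPLE_LOG)
    per_src = summarize_by_source(found)
    for src, ports in per_src.items():
        print(f"{src}: WAN-side hits on ports {ports}")
    print("probable port sweeps:", probable_sweeps(per_src))
```

On a real gateway the input would be `dmesg` or syslog output from a LOG rule on the WAN input chain; a source that appears in `probable_sweeps` is a reason to confirm remote administration is off and to apply the reboot/reset advice quoted above, not proof of compromise on its own.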