Has anyone had any issues with their Arris TG1672 and the recently announced VPNFilter vulnerability?
Solved! Go to Solution.
So far no users have reported anything involving this vulnerability on these user forums. Note that the research report indicates they found only four specific port numbers are affected; they are ports 23, 80, 2000 and 8080.
The TG1672 is a gateway combo device meaning any and all firmware updates will come from Spectrum once they receive it from Arris, thoroughly test it on their network, and deem it necessary to deploy.
One of the remediation steps is to disable the remote connection / support feature on your modem. I'm guessing this is how Spectrum would deploy the firmware to us?
Previously I indicated that forum responders had no detailed information about the VPNFilter malware. Since then both Cisco and Symantec have released additional details that were excluded from the general FBI statement. The articles now appearing on computer-user web sites include a list of known targetted router models. I didn't spot any cable internet combination modem+router gateways on this list.
The information below was copied from an article on the ARS Technica website written by Dan Goodin - 5/23/2018, 4:13 PM
Hard to protect
[Wednesday’s] report is concerning because routers and NAS devices typically receive no antivirus or firewall protection and are directly connected to the Internet. While the researchers still don’t know precisely how the devices are getting infected, almost all of those targeted have known public exploits or default credentials that make compromise straightforward. Antivirus provider Symantec issued its own advisory Wednesday that identified the targeted devices as:
Both Cisco and Symantec are advising users of any of these devices to do a factory reset, a process that typically involves holding down a button in the back for five to 10 seconds. Unfortunately, these resets wipe all configuration settings stored in the device, so users will have to reenter the settings once the device restarts. At a minimum, Symantec said, users of these devices should reboot their devices. That will stop stages 2 and 3 from running, at least until stage 1 manages to reinstall them.
Users should also change all default passwords, be sure their devices are running the latest firmware, and, whenever possible, disable remote administration. (Netgear officials in the past few hours started advising users of "some" router models to turn off remote management. TP-Link officials, meanwhile, said they are investigating the Cisco findings.)
There's no easy way to determine if a router has been infected. It's not yet clear if running the latest firmware and changing default passwords prevents infections in all cases. Cisco and Symantec said the attackers are exploiting known vulnerabilities, but given the general quality of IoT firmware, it may be possible the attackers are also exploiting zeroday flaws, which, by definition, device manufacturers have yet to fix.
What this means is that, out of an abundance of caution, users of the devices listed above should do a factory reset as soon as possible, or at a minimum, they should reboot. People should then check with the manufacturer for advice. For more advanced users, the Cisco report provides detailed indicators of compromise and firewall rules that can detect exploits.