ARS Technica warns around 200 million cable modems have a security vulnerability that can be remotely exploited. Called Cable Haunt, the flaw can result in the infection of your cable model simply by visiting a maliciously crafted webpage.
Various modems are affected, including the Sagemcom F@st 3890, Sagemcom F@st 3686,
Technicolor TC7230, Netgear C6250EMR, and Netgear CG3700EMR. The Compal 7284E and Compal 7486E, as well as other model with a spectrum analyzer server may also be vulnerable.
Once infected, attackers can snoop on unencrypted data, mess with your DNS settings, install new firmware on the modem, enroll you into a botnet, etc.
The proof-of-concept exploit uses other clever tricks to work. Because of the memory structure of the MIPS assembly language that runs the spectrum analyzer, the attack code must know the precise memory address of the vulnerable code. (Normally, a buffer overflow exploit would be written directly to the memory stack.) To bypass the restriction posed by this memory structure, Cable Haunt uses return oriented programming to move between pre-existing pieces of code and then create a patchwork of existing code.
Once attackers exploit the vulnerability, they send commands to the modem's telnet server to install a reverse shell. From there, attackers can do all kinds of things, including changing the DNS settings, installing completely new firmware, making the modem participate in a botnet, and monitoring unencrypted data that passes through the modem.
Unfortunately, it's not easy to check if your device is vulnerable to Cable Haunt. Additionally, it's hard to detect an infection as there are various ways to mask this. At the moment, there's no patch.