Forum Discussion

djc6's avatar
djc6
New Contributor
9 years ago

Netgear CM600 cable modem security vulnerability

The Netgear CM600 has a security vulnerability described here:

http://kb.netgear.com/30114/NETGEAR-Product-Vulnerability-Advisory-CSRF-LocalFile-XSS?cid=wmt_netgear_organic

Cox once updated my firmware automatically overnight to V1.01.06 (from V1.01.05 that it shipped with) but it seems its V1.01.08+ that contain the fix after talking to Netgear L2 support.  The latest version for this modem is V1.01.12

Who at Cox can review this firmware update and approve it being rolled out to Netgear CM600 owners?

  • ChrisL's avatar
    ChrisL
    Former Moderator
    9 years ago
    @djc6

    According to the release notes this update does not apply to cable modems, only routers. I did verify that the current version on your modem is the latest approved version.

  • djc6's avatar
    djc6
    New Contributor
    9 years ago

    If you load the Netgear article, in the top right are a series of links - "This article applies to:" and if you expand Cable Modems, you'll see it applied to the CM600 Cable Modem.

    When I contacted Netgear, they said Cox has to push firmware to my modem.  The latest Cox approved version V1.01.06 does NOT contain fix for this vulnerability.

  • ChrisL's avatar
    ChrisL
    Former Moderator
    9 years ago
    @djc6

    Until such point any updates are tested and approved you can change the default password on the modem to mitigate any potential for compromise.

  • djc6's avatar
    djc6
    New Contributor
    9 years ago

    So, I changed the default password back in January to work around this vulnerability.

    However,  I found reports online of the exploit using a hardcoded login/password backdoor that you cannot change.  Sure enough, I tried this hardcoded login/password and it works - in addition to the admin password I changed.

    So how do we get Cox to push out the latest firmware for CM600 modem?

  • StephanieA's avatar
    StephanieA
    Former Moderator
    9 years ago
    I'm showing your modem has the latest firmware available at this time. Once the newer version is available, it will be pushed out automatically during our overnight maintenance window.

  • djc6's avatar
    djc6
    New Contributor
    9 years ago

    There is a newer firmware available; V1.01.12 is latest listed on netgear's website and this issue was fixed in V1.01.08

    My modem shipped with V1.01.05 and Cox updated it to V1.01.06 first night after I set it up.

  • ncmx5's avatar
    ncmx5
    New Contributor
    9 years ago

    I'm anxious for this fix as well.  NetGear indicates that  V1.01.12 is available for Cox subscribers using the CM600.

    https://kb.netgear.com/000036375/What-s-the-latest-firmware-version-of-my-NETGEAR-cable-modem-or-modem-router

  • JonathanJ's avatar
    JonathanJ
    Former Moderator
    9 years ago
    @ncmx5

    Please email you full address and primary name on account to cox.help@cox.com, so we can take a look.

  • ncmx5's avatar
    ncmx5
    New Contributor
    9 years ago

    I e-mailed the address indicated by JonathanJ.  Folks on that end indicated that the .12 firmware had not been fully verified for full network-wide distribution, but they were willing to push it out to my CM600 earlier.  They upgraded it a few hours ago.

    No issues noticed thus far.  Quite pleased with how responsive they were.