CVE-2018-20380
Description
Ambit DDW2600 5.100.1009, DDW2602 5.105.1003, T60C926 4.64.1012, and U10C019 5.66.1026 devices allow remote attackers to discover credentials via iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 SNMP requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SNMP access on several Ambit cable modem models exposes cleartext credentials via specific OIDs.
Vulnerability
The Ambit DDW2600 (firmware 5.100.1009), DDW2602 (5.105.1003), T60C926 (4.64.1012), and U10C019 (5.66.1026) cable modem devices expose plaintext credentials through publicly readable SNMP OIDs. Specifically, queries to iso.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 and iso.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 return authentication secrets without any read community restriction [1].
Exploitation
An unauthenticated remote attacker can issue SNMP GET requests (default community string public is typically unchanged) to the two listed OIDs. No special network position, authentication, or user interaction is required. The attacker simply sends the SNMP request to the device's IP address and receives the cleartext credentials in the response [1].
Impact
Successful exploitation yields cleartext credentials (likely for device administration or ISP authentication), enabling the attacker to fully compromise the modem's configuration, intercept or redirect traffic, or pivot to the internal network. The disclosure directly impacts confidentiality and can lead to unauthorized administrative access and privilege escalation.
Mitigation
As of the publication date (2018-12-23), no firmware update or vendor advisory was publicly available for these legacy devices. The only mitigation is to restrict SNMP access at the network perimeter (block UDP port 161 from untrusted sources) or disable the SNMP service entirely if not required. These devices may be end-of-life and no longer receive patches [1].
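A defender-side check, added here as an example and not taken from the CVE's references: a minimal BER walker that extracts every OBJECT IDENTIFIER from a captured SNMP datagram and flags the two OIDs named in the description, so a sensor watching UDP/161 at the perimeter can alert on requests for them. The two sample packets are constructed SNMPv2c GetRequests with community "public" (assumed values, not captures from a real device).

```python
from typing import Iterator, List, Tuple
# The two OIDs from the CVE description, in dotted form without the "iso." prefix.
SENSITIVE_OIDS = {
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0",
    "1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0",
}

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents: bytes) -> str:
    """Decode BER OBJECT IDENTIFIER contents (tag and length stripped) to dotted form."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:                 # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def iter_oids(buf: bytes) -> Iterator[str]:
    """Yield every OID in a BER message, descending into SEQUENCEs and PDU tags."""
    pos = 0
    while pos < len(buf):
        tag, contents, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            yield decode_oid(contents)
        elif tag & 0x20:                   # constructed (0x30 SEQUENCE, 0xA0 GetRequest, ...)
            yield from iter_oids(contents)

def flag_sensitive_oids(udp_payload: bytes) -> List[str]:
    """Return the credential-leaking OIDs requested in one SNMP datagram (sorted)."""
    return sorted(set(iter_oids(udp_payload)) & SENSITIVE_OIDS)

# Constructed sample: SNMPv2c GetRequest, community "public", for ...4491.2.4.1.1.6.1.1.0.
CREDENTIAL_GET = bytes.fromhex(
    "302d020101 04067075626c6963 a020 020101 020100 020100"
    "3015 3013 060f 2b060104 01a30b02 04010106 010100 0500"
)
# Constructed sample: same shape, but asking for sysDescr.0 (1.3.6.1.2.1.1.1.0).
SYSDESCR_GET = bytes.fromhex(
    "3026020101 04067075626c6963 a019 020101 020100 020100"
    "300e 300c 0608 2b060102 01010100 0500"
)
```

Feed each UDP/161 payload seen at the perimeter to flag_sensitive_oids; a non-empty result is a request for the leaking OIDs and should be alerted on alongside the blocking rule above.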
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- github.com/ezelf/sensitivesOids/blob/master/oidpassswordleaks.csv
- misteralfa-hack.blogspot.com/2018/12/stringbleed-y-ahora-que-passwords-leaks.html
News mentions (0)
No linked articles in our index yet.