CVE-2018-9248 – CVE-2018-9248 is an authentication bypass vulne... (How to Fix)

Q: What is the severity of CVE-2018-9248?

CVE-2018-9248 has a CVSS score of 9.8 (CRITICAL). CVE-2018-9248 is an authentication bypass vulnerability in FiberHome VDSL2 Modem HG 150-UB devices. Attackers can gain administrative access by sending a specific cookie header, allowing complete control of affected modems. This affects all users of vulnerable FiberHome modem devices.

📋 TL;DR

CVE-2018-9248 is an authentication bypass vulnerability in FiberHome VDSL2 Modem HG 150-UB devices. Attackers can gain administrative access by sending a specific cookie header, allowing complete control of affected modems. This affects all users of vulnerable FiberHome modem devices.

💻 Affected Systems

Products:

FiberHome VDSL2 Modem HG 150-UB

Versions: All versions prior to patching

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web management interface of the modem. No special configuration required.

📦 What is this software?

Vdsl2 Modem Hg 150 Ub Firmware by Fiberhome

View all CVEs affecting Vdsl2 Modem Hg 150 Ub Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the modem allowing attackers to reconfigure network settings, intercept traffic, install malware, or use the device as part of a botnet.

🟠

Likely Case

Unauthorized administrative access leading to network configuration changes, DNS hijacking, or credential theft from connected devices.

🟢

If Mitigated

Limited impact if modem is behind additional firewalls and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - Modems are typically internet-facing devices directly exposed to attackers.

🏢 Internal Only: MEDIUM - Internal attackers could exploit if they have network access to the modem's management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP request with specific cookie header bypasses authentication. Public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown specific version - check with vendor

Vendor Advisory: No public vendor advisory found

Restart Required: Yes

Instructions:

1. Contact FiberHome for firmware updates. 2. Download latest firmware from vendor. 3. Access modem admin panel. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot modem.

🔧 Temporary Workarounds

Disable Remote Management

all

Disable remote access to modem management interface

Access modem settings → Security → Remote Management → Disable

Change Default Admin Credentials

all

Change default admin password to strong unique password

Access modem settings → Administration → Change Password

🧯 If You Can't Patch

Replace vulnerable modem with different model/brand
Place modem behind dedicated firewall with strict access controls

🔍 How to Verify

Check if Vulnerable:

Send HTTP GET request to modem admin interface with 'Cookie: Name=0admin' header and check if admin access is granted without credentials.

Check Version:

Check firmware version in modem web interface under System Status or About sections.

Verify Fix Applied:

Attempt same exploit after patching - should receive authentication error or redirect to login page.

📡 Detection & Monitoring

Log Indicators:

HTTP requests with 'Cookie: Name=0admin' header in modem logs
Admin login from unexpected IP addresses

Network Indicators:

HTTP requests to modem admin interface with specific cookie header
Unusual configuration changes

SIEM Query:

http.cookie contains "Name=0admin" AND dst_ip = [modem_ip]

📊 Metadata

CVE ID: CVE-2018-9248

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-287

Published: April 4, 2018

Last Updated: November 21, 2024

🔗 References

https://gist.github.com/pak0s/cd7ac9c2ee659138816f92693d2df602 Third Party Advisory
https://www.exploit-db.com/exploits/44413/ Third Party Advisory,VDB Entry
https://gist.github.com/pak0s/cd7ac9c2ee659138816f92693d2df602 Third Party Advisory
https://www.exploit-db.com/exploits/44413/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-9248, you might also want to check these: