Cyber Alert: Vulnerabilities Discovered in Verizon Fios Routers Affecting Millions

On April 9, researchers discovered three serious vulnerabilities in the Verizon Fios Quantum™ Gateway (G1100) router. This is the default device issued by Verizon for subscribers to its Fios internet service. The device enables internet and Wi-Fi access for millions of users.

The security flaws range in severity from high to medium. In one flaw (CVE-2019-3914 - Authenticated Remote Command Injection) attackers can gain access to the device and gain control of firewall settings via injecting commands. In a second flaw (CVE-2019-3915 - Login Replay), attackers can intercept login information using a packet sniffer, gain administrative access to the device and control settings. In a third flaw (CVE-2019-3916 - Password Salt Disclosure) attackers can exploit the device’s non-enforcement of HTTPS security protocols, capture a login request, decode passwords, and gain access to devices on the network.

The reported vulnerabilities are largely accessible to those with local access to the device but can also be exploited when remote administration is enabled.

The vulnerabilities have been reported to Verizon. Verizon has since issued a patch to correct these issues. The patch is being “auto-updated,” i.e., user intervention is typically not needed to install the fix. However, a small portion of devices have not received the update to this point.

The updated (patched) version of the Fios Quantum Gateway’s operating system is 02.02.00.13. Users are encouraged to verify that the patched version is in use (refer to the Verizon Fios Quantum Gateway User Guide for instructions). Users without this version are encouraged to contact Verizon for additional information and instructions.

ACA Aponix Guidance

ACA Aponix recommends taking the following actions regarding the Verizon Fios Quantum Gateway vulnerabilities:

• Disable remote administration of firewall and router devices if not required.
• Assess company networking equipment for use of the Verizon Fios Quantum Gateway router; if in use, verify that it has been updated.
• Notify staff of the vulnerability, and the need to check their home network devices if applicable.
• Review acceptable use policies and other company documentation related to use of company equipment in home settings, with particular emphasis on the need for implementation of security procedures in home office environments.

How ACA Can Help

ACA Aponix offers the following solutions that can help your company ensure strong security in light of the Verizon Gateway vulnerability:

• Cybersecurity and technology risk assessments
• Penetration testing and vulnerability assessments
• Policies, procedures and governance
• Cyber incident response planning
• Threat intelligence

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.