Potential Impact: Privilege escalation
Severity: Medium
Scope of Impact: Motorola specific
CVE Identifier: CVE-2021-3458, CVE-2021-3459
Summary Description:
The following privilege escalation vulnerabilities were reported in the Motorola MM1000 MoCA adapter.
CVE-2021-3458: The MM1000 device configuration portal can be accessed without authentication, which could allow adapter settings to be modified.
CVE-2021-3459: A privilege escalation vulnerability was reported in the MM1000 device configuration web server, which could allow privileged shell access and/or arbitrary privileged commands to be executed on the adapter.
Mitigation Strategy for Customers (what you should do to protect yourself):
Until updated firmware is available, the following steps can be followed as an interim workaround.
Note: these steps disable Web GUI access on the adapter; that is what closes off the vulnerable configuration portal.
  1. Enable MoCA security
  2. Prior to disconnecting your computer from the MM1000, type the following command in your web browser to disable web GUI access: http://192.168.0.2/cmd.sh?http-disable
  3. Confirm that Web GUI access is disabled by attempting to navigate to http://192.168.0.2/
  4. Perform the steps above for all MM1000 MoCA adapters on your network
  5. If you need to re-gain web GUI access, you can reset the MM1000 to factory defaults by pressing and holding the reset button for 3 seconds and repeating the steps to secure your MM1000 once you’re done using the Web GUI
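The following script automates steps 2 through 4 above so the workaround can be applied and verified on every adapter without retyping the URL by hand. It is an added example, not a Motorola tool: the adapter address 192.168.0.2 and the cmd.sh?http-disable command come from the advisory, while the host list, the timeout, the function names and the simulated adapter used for offline checking are assumptions made here. It probes the portal before sending the command, so an adapter that never answered is reported as unreachable rather than falsely as disabled, and it decides the outcome by re-probing rather than by trusting the response to the disable command, since the web server may drop the connection while shutting down.

```python
"""Interim MM1000 hardening: disable the Web GUI and confirm it is off.

Added example, not Motorola's own tooling. Assumed: host list from argv,
5 s timeout, function names below. Address and command are from the advisory.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable

DEFAULT_ADAPTER = "192.168.0.2"          # address given in the advisory
DISABLE_PATH = "/cmd.sh?http-disable"    # command given in the advisory

# A fetcher takes a URL and returns the HTTP status, or raises an OSError
# (URLError, ConnectionRefusedError, timeout) if nothing answers.
Fetcher = Callable[[str], int]


def http_fetch(url: str, timeout: float = 5.0) -> int:
    """Real fetcher: GET the URL and return its status code."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status


def web_gui_reachable(host: str, fetch: Fetcher = http_fetch) -> bool:
    """Step 3 probe: True if http://<host>/ still answers at all."""
    try:
        fetch(f"http://{host}/")
    except urllib.error.HTTPError:
        return True          # an error page is still the web server answering
    except OSError:          # URLError, refused connection, timeout
        return False
    return True


def harden_adapter(host: str, fetch: Fetcher = http_fetch) -> str:
    """Steps 2 and 3 for one adapter. Returns one of:
    "unreachable"   - portal never answered; nothing was changed
    "disabled"      - portal answered, command sent, portal now silent
    "still-enabled" - portal still answers after the command
    """
    if not web_gui_reachable(host, fetch):
        return "unreachable"
    try:
        fetch(f"http://{host}{DISABLE_PATH}")
    except OSError:
        # The server may close the connection as it shuts down; the
        # re-probe below is what actually decides the outcome.
        pass
    return "disabled" if not web_gui_reachable(host, fetch) else "still-enabled"


def harden_all(hosts: Iterable[str], fetch: Fetcher = http_fetch) -> Dict[str, str]:
    """Step 4: apply the workaround to every adapter and collect results."""
    return {host: harden_adapter(host, fetch) for host in hosts}


def make_fake_adapter(enabled: bool = True, drop_on_disable: bool = False) -> Fetcher:
    """Constructed stand-in for an MM1000 so the logic can be exercised offline.
    Serves 200 while enabled, goes silent after http-disable, and optionally
    resets the connection on the disable request itself."""
    state = {"enabled": enabled}

    def fetch(url: str) -> int:
        if not state["enabled"]:
            raise ConnectionRefusedError("connection refused")
        if url.endswith(DISABLE_PATH):
            state["enabled"] = False
            if drop_on_disable:
                raise ConnectionResetError("connection reset by peer")
        return 200

    return fetch


if __name__ == "__main__":
    targets = sys.argv[1:] or [DEFAULT_ADAPTER]
    results = harden_all(targets)
    for host, state in results.items():
        print(f"{host}: {state}")
    # Exit non-zero if any adapter still serves the portal.
    sys.exit(int(any(s == "still-enabled" for s in results.values())))
```

Run it once per adapter while the computer is still connected to that adapter, as step 2 requires; an exit status of 1 means the portal still answered and the adapter should not be considered secured.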
Acknowledgement:
Motorola thanks Anthony V. DeRosa for reporting these issues.
Revision History:
Revision   Date         Description
1          2021-04-13   Initial Release