Affected products

This affects both business and home customers.

• Product Name: Verve Connect VH510.
• Hardware Version: L0AM095A.
• Firmware Version: < V1.0.1.6L0516 (newer version may also be affected).

All of these devices have a default SSID of “Relish_Home_XXXXXX”.

Risk

Small Business Entities: HIGH

Home Users: HIGH

Summary

The Verve Connect 4G hub provided by Relish (now known as Three Broadband) contains multiple vulnerabilities, which when combined may allow an attacker to take over the device.

A default administrator password (CVE-2020-27689) was found in three devices that we tested.

There are multiple CSRF vulnerabilities (CVE-2020-27692) which exist in the web management interface, including the login page and a feature for device management. With the default admin credentials, attackers can force users that are on the same network to login into the web management interface and potentially gain remote access or control the network device.

A buffer overflow vulnerability (CVE-2020-27690) was found. The file /boaform/admin/formDOMAINBLK does not properly filter or check the size of a ‘blkDomain’ parameter when sending a POST request. This causes the Boa server to crash and may also lead to remote command execution. This POST request is also vulnerable to the CSRF which allows this attack to be launched remotely, requiring a user that’s on the same network to click a link.

The are also multiple XSS vulnerabilities (CVE-2020-27691) which have low impact. The affect components are URLBlocking Settings, SNMP Settings, and System Log Settings, which allow attackers to inject JS and HTML tags.

Remediation

The Verve Connect hub may no longer be maintained or supported, yet there are many companies and home users that still use this device. It’s important that you follow the instructions below to help keep safe and prevent attackers compromising your network.

1. Change the default super admin password within the management portal.
   • For business customers the username is: UKBadmin
   • For home customers the username is: admin
   • Admin passwords can be found by logging into the management portal using the standard credentials provided by Relish and navigate to Admin > Backup/Restore.
2. Disable or block access to the web management portal. This can be achieved by using a separate network appliance such as a switch or a hardware based firewall solution.
3. Disable direct wireless connectivity to the device and set up a separate hardware access point if needed.

Relish 4G VH510 Hub Full Disclosure.

Disclosure timeline

• 30/05/2019 — 6point6 contacted Three customer support for a security contact.
• 26/06/2019 — Received a response from Three Broadband with an appropriate Point of Contact.
• 29/06/2019 — 6point6 sent email with full disclosure report (no confirmation whether this was received).
• 02/08/2019 — 6point6 sent email to request confirmation of receipt of the document, no response received.
• 18/09/2019 — 6point6 sent email asking for any updates, no response received.
• 18/09/2019 — 6point6 sent email asking for any updates, no response received.
• 14/10/2019 — 6point6 sent email sent to Three’s Information Security email address.
• 15/10/2019 — Received a response from Three stating this will be escalated internally.
• 28/10/2019 — Received a response from Three confirming the vulnerability disclosure and that they’re still awaiting a response from the product vendor.
• 22/11/2019 — 6point6 sent an email asking for updates. No response received.
• 25/11/2019 — Received a response from Three stating there are no updates but there should be something available shortly.
• 13/01/2020 — 6point6 sent email to Three asking for any updates. No response received.
• 05/02/2020 — 6point6 sent email to Three asking for any updates. No response received.
• 26/02/2020 — 6point6 sent email to Three asking for any updates and that we are ready to publish an article on our findings, as well as a security advisory. No response received.

Get in touch if you’d like to chat to us.