Router Security Router Bugs Flaws Hacks and Vulnerabilities Website by     
Michael Horowitz 
Home Site Index Bugs News Security Checklist Tests DNS Resources Stats Search Popular Pages
NOTE: I gave a presentation on Defensive Computing at the HOPE conference (July 2022) that was based on my Defensive Computing Checklist website.
 

If you care about the security of your router, and you should, it is best to avoid consumer grade routers. On the whole, the software in these routers is buggy as heck. Below is what I base this opinion on.

This page documents the existence of bugs in routers. Starting April 2018, I also track routers in the news which details the exploitation of router flaws.

You may be thinking that all software is buggy, but router software is probably worse. One reason for this is your ISP, which may have configured the router/gateway in an insecure way, either on purpose, to allow spying, or out of laziness or incompetence. Another reason is cost: router software is developed as cheaply as possible.

BIG BUGS: A number of flaws stand out. The port 32764 issue from January 2014 and April 2014 for example. A router backdoor was exposed, then instead of being removed, was just better hidden. Another flaw not to be missed is the Misfortune Cookie from December 2014. Then, of course, there is WPS, the electronic equivalent of a "hack me" sign on your back. Other huge flaws involved UPnP being exposed to the Internet and file sharing on a USB port.

THE US GOVERNMENT: In January 2017, the FTC accused D-Link of leaving its routers and webcam devices vulnerable to hackers. A lawsuit alleged that D-Link "failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access." D-Link was also accused of misleading the public about the security of their devices. D-Link denied they did anything bad. More on the Router News page.

This page has bugs from 2022, 2021, 2020 and 2019. Older bugs, from 2018 through 2012, are available at the bottom of this page. To see all the bugs on one B_I_G web page (makes it easy to find all the issues for any one manufacturer) click this button ==>

2022

SEPTEMBER 2022

Really, I mean it, don't buy Cisco routers

Cisco won’t fix authentication bypass zero-day in EoL routers
by Sergiu Gatlan of BleepingComputer   September 7, 2022
We have seen this exact same thing twice before. Three strikes and you're out. Quoting: "Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL). This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm that attackers could exploit to log into the VPN on vulnerable devices..." Buggy routers are the RV110W, RV130, RV130W, and RV215W. Cisco says to buy a new router. I agree. Any brand but theirs.

AUGUST 2022

Another wide ranging flaw

Exploit out for critical Realtek flaw affecting many networking devices
by Ionut Ilascu of Bleeping Computer   August 16, 2022
This is a doozy affecting many devices including routers and access points. The bug is the Realtek SDK, specifically the SIP ALG function that rewrites SDP data, which has a stack-based buffer overflow. Bad guys can remotely execute code without authentication, or just crash a vulnerable device. There is no defense on a buggy device and no easy way to tell if a device is vulnerable. The flaw is identified as CVE-2022-27255. Either there is updated firmware or it will be vulnerable forever. Routers with no open ports can be hacked. Routers that do not expose Remote Management can be hacked. Realtek issued a bug fix in March 2022, so devices made afterwards should be safe. The bug was detailed at the DEFCON conference by cybersecurity company Faraday Security. It is unclear how many networking devices use RTL819x chips but the RTL819xD version of the System on a Chip is in products from more than 60 vendors, including ASUSTek, Belkin, Buffalo, D-Link, Edimax, TRENDnet, Zyxel, Tenda, Hikvision, Rockspace, Nexxt, Keo and others. The bug will likely affect routers the most, but some IoT devices may also be affected. Buggy devices run the open-source eCOS operating system which, as these things go, is pretty low end. It has no virtual storage and no concept of privileges. Every thread can access every memory location.

At this point, you could not pay me to use a Cisco router

Critical flaws found in four Cisco SMB router ranges - for the second time this year
by Simon Sharwood of The Register   August 5, 2022
For the second time this year, Cisco small business routers have critical flaws. Three flaws this time. The buggy models are the RV160, RV260, RV340, and RV345 Series. All three bugs have the same underlying problem, the programmers that work for Cisco are lazy. Put another way, each flaw is due to insufficient input validation. Two of the bugs are critical and a remote bad guy who does not know any passwords can totally take over the routers. Patches are available but the safest approach is to switch router vendors.

DrayTek routers have a critical flaw

Critical RCE vulnerability impacts 29 models of DrayTek routers
by Bill Toulas of Bleeping Computer   August 4, 2022
This is the second critical security flaw in DrayTek routers that I am aware of. The bug is a Remote Code Execution flaw with a CVSS v3 severity score of 10 (out of 10). In other words, it is as bad as bad gets. Remote attackers can completely take over vulnerable routers. The flaw is a buffer overflow in the web-based management interface. The bug can be exploited both on the WAN/Internet side and on the LAN side. Bug fixes are available.

JULY 2022

Arris bugs show the company's true personality

Arris / Arris-variant DSL/Fiber router critical vulnerability exposure
by Derek Abdine   July 29, 2022
There are three different bugs in muhttpd software that runs the web administration portal. One of the bugs is critical, two are somewhat impractical to exploit. The buggy muhttpd software is used in both Arris router products and whitelabel/OEM products by other vendors. The bug has been confirmed in Arris router models NVG443, NVG599, NVG589, NVG510, as well as ISP-customized variants such as BGW210 and BGW320. Here is the bigger issue: "The complete list of affected products is unknown as Arris has declined to comment on the affected product list." Lesson learned, we don't want any products from Arris. The most severe vulnerability allows unauthenticated path traversal from the root of the file system as the root user. This exposes a whole host of sensitive information. The muhttpd software was patched in June 2022. Prior to that the last release of the software was in 2010. Arris is content to use software that had not been updated in 12 years. The path traversal bug appears to be present in the initial release of the muhttpd software in 2006. If the web portal is not available on the WAN side, the critical bug can not be exploited remotely. However, it can still be exploited on the LAN side. This is another reason for VLANs, as it lets us limited which devices can see the router on the LAN side. The Security Checklist page lists some other LAN side protections that block users/devices from getting at the router.

JUNE 2022

Throw away old Cisco small business routers

If you're using older, vulnerable Cisco small biz routers, throw them out
by Jessica Lyons Hardcastle of The Register   June 16, 2022
Cisco can not be shamed into fixing old buggy routers. A critical vulnerability exists in the web-based management interface of the Cisco RV110W, RV130, RV130W, and RV215W routers, These models went End of Life back in 2019. The bug is CVE-2022-20825 and it is due to insufficient user input validation of incoming HTTP packets. In other words, lazy programmers. In addition, there is a critical vulnerability in Cisco enterprise security appliances that could allow a remote bad guy to log in to the web management interface. This bug they will fix.

MAY 2022

Well, this is new

Two business-grade Netgear VPN routers have security vulnerabilities that can't be fixed
by Zeljka Zorz of Help Net Security   May 20, 2022
Quoting: "Netgear has admitted that multiple security vulnerabilities in its business-grade BR200 and BR500 VPN routers can't be fixed due to technical limitations outside of their control, and is offering users a free or discounted replacement router." Netgear does not offer details of the vulnerabilities, which were reported by Joel St. John of IncludeSecurity. To exploit the bug(s) the router administrator would have to be logged on to the router while they visited a malicious website. Advice about this has been on the home page of this website for years.

Paying lots of money does not get you security

Hackers are exploiting critical bug in Zyxel firewalls and VPNs
by Ionut Ilascu of BleepingComputer   May 15, 2022
Jake Baines of Rapid7 discovered a bug in assorted Zyxel devices. Fixes are available. The bug was serious enough that the NSA warned Zyxel customers to patch immediately. These devices are supposed to provide security. The bug is CVE-2022-30525 and the buggy devices are the USG FLEX series, the ATP series, and the USG20-VPN/USG20w-VPN. The bug lets bads guys inject arbitrary commands remotely without authentication. One thing bad guys can do with this is to set up a reverse shell. The bug was due to un-sanitized URI input (sound familiar?) being fed into the os.system method. Rapid7 reported that there are over 15,000 vulnerable devices online. Shadowserver found over 20,000 Zyxel firewall models on the Internet that are potentially affected by the bug.

APRIL 2022

Yet another buggy router

Security audit of the SKYWORTH GN542VF router – how to hack the admin panel password without leaving the web browser!
by Alexey Miloserdov   April 5, 2022
The router is somewhat unusual. Each one ships with a unique password. The password is displayed on the login web page, but only if you are on the LAN side, not when you login from the WAN side. When someone logs in with the correct password from the WAN side, the router shows an error message. Sounds good, at first. However, the password is always in the login page and it is only hidden using JavaScript that can be easily manipulated with developer tools built into the web browser. And, while it does display an error when someone logs in from the WAN side, it nonetheless logs the person in. The error message is a scam. I don't know what country or ISP uses this router.

MARCH 2022

You can't make this up - another Zyxel critical bug

Zyxel urges customers to patch critical firewall bypass vulnerability
by Charlie Osborne, of ZDNet   April 1, 2022
A critical vulnerability in Zyxel firewall software has just been fixed. Buggy devices include their USG, ZyWALL, USG FLEX, ATP, VPN and NSG. The company has fixed "products that are within their warranty and support period" and did not say anything about older devices that may also be vulnerable. The bug is due to "the lack of a proper access control mechanism". Words with no meaning. The bug lets a bad guy bypass authentication and obtain administrative access. In other words, it is as bad as bad gets. Bug is CVE-2022-0342.

FEBRUARY 2022

Many Zyxel routers are buggy as heck

Multiple Critical Vulnerabilities in multiple Zyxel devices
by G. Hechenberger, S. Robertz, S. Viehböck and T. Weber of SEC Consult   February 15, 2022
"Multiple Zyxel devices are prone to different critical vulnerabilities resulting from insecure coding practices and insecure configuration." All told, SEC Consult found eight different types of bugs. The bugs included: multiple unauthenticated buffer overflows, two unauthenticated Local File Disclosures (which lets bad guys read all files), Unsafe Storage of Sensitive Data and a couple command injection flaws. Not enough? They also found that Zyxel fails to use OS level protection mechanisms like PIE, stack canaries and relocation read only. SEC Consult offered no workarounds (really?). They also failed to say which, if any of the bugs can be exploited from the WAN side as those are obviously more dangerous than bugs that are exploitable from the LAN side only. There are fixes for some, not all devices. Many devices will not be fixed as they are too old to bother with (EoL). Some other devices will get their bug fixes in September 2022. The timeline shows that Zyxel took over a year before they issued fixes. I am told that Zyxel consumer routers are popular in Europe, especially in the UK. The UK popularity stems from their use of BroadCom chipsets that provide a very stable VDSL2 connection over old copper wire that is prone to line noise.

Yet again, critical security flaws in Cisco routers

Cisco inferno: Networking giant reveals three 10/10 rated critical router bugs
by Simon Sharwood of The Register   February 4, 2022
Cisco reminds me of the Wizard of Oz. Seemingly great and powerful on the outside, but inside a dumpster fire of disgracefully buggy software. The buggy hardware this time are the RV160, RV260, RV340 and RV345 products. Cisco revealed that there are 15 bugs, but a handful are brutal - as bad as bad gets. Some of the bugs are fixed, but not all.

JANUARY 2022

Here we go again, another bug in NetUSB affects many routers

Millions of Wi-Fi routers vulnerable to hacker attack — what you need to do
by Paul Wagenseil of Toms Guide   January 11, 2022
Consumer routers are buggy enough without also expecting them to share assorted devices plugged into their USB ports. Software that enables this sharing, NetUSB, was found to be buggy back in May 2015. NetUSB is used in many routers. Which ones? None of your business. Back in 2015, there were 26 router vendors thought to be using NetUSB. Sometimes NetUSB can be disabled via the router web interface, sometimes not. This bug is a buffer overflow and, fortunately, is hard to exploit. NetUSB opens port 20005 on the LAN side of the router. Perhaps most worrying is that some routers are double buggy and open port 20005 on the WAN/Internet side also. If so, the router can be sent commands directly, NetUSB does not do authentication. The creator of NetUSB, KCodes, was told of the buffer over-run on Sept. 9, 2021, and a patch was issued on Oct. 4th. Netgear routers, the D7800, R6400v2 and R6700v3 were patched on Dec. 20, 2021. Other vendors that license NetUSB, Edimax, D-Link, Tenda, TP-Link and Western Digital have done nothing. D-Link is looking into it. Great reason to avoid TP-Link.

2021

DECEMBER 2021

Bugs in the Netgear Nighthawk RAX43

Netgear Nighthawk RAX43 Multiple Vulnerabilities
by Evan Grant, Jimi Sebree of Tenable   December 30, 2021
The bugs are in firmware version 1.0.3.96 which was the latest as of December 28, 2021. This article is dated the 30th and Netgear claims to have released new firmware on the 29th. Just like the below group of bugs with the R6700, some of which were fixed in 90 days. What bugs did Netgear fix? None of your business. Not what you want in a router vendor. Like the R6700, this router also uses HTTP by default for its web interface, saves passwords in plain text, includes old buggy jQuery libraries, includes a vulnerable version of the minidlna service and has insufficient UART protection mechanisms. But, that's not all. Configuration backups are encrypted with a hard-coded password (RAX50w!a4udk). And two bugs can be combined. The first is a buffer overrun, the second, command injection. Together someone can perform remote tasks as root, without authentication. As with the Tenable report below, this one too, does not make it clear which, if any, bugs can be exploited from the WAN side and under what circumstances.

Bugs in the Nighthawk R6700 that Netgear handles poorly

Netgear leaves vulnerabilities unpatched in Nighthawk router
by Bill Toulas of Bleeping Computer   December 31, 2021
Cybersecurity company Tenable found six high-risk vulnerabilities in the latest firmware version (1.0.4.120) for the Netgear Nighthawk R6700v3 router. They notified Netgear of the bugs on Sept 30, 2021 and by Dec 30th had heard nothing back from Netgear about any possible fixes. So, they went public with the details. Not what you want from your router vendor. The bugs could let an attacker on the LAN side take complete control of the router. The danger from the WAN side is not clear. One easily understood issue is that insecure HTTP is used by default on communications to/from the device’s web interface. Also, passwords are stored in plain text. In addition to the six bugs, Tenable also found instances of a common problem with routers - the firmware includes old software with known bugs. Specifically, they found several instances of jQuery libraries relying on version 1.4.2 and they found an old buggy version of the MiniDLNA server software. Taking a step back, hardware versions 1 and 2 of this router are too old to fix (End of Life is the official buzzword) so Tenable only examined hardware version 3. Interesting wrinkle, Netgear released a new firmware for this router pretty much at the same time as Tenable went public with the bugs. What did Netgear fix? None of your business. Not what you want from your router vendor.

Consumer routers prove my point, yet again

Nine WiFi routers used by millions were vulnerable to 226 flaws
by Bill Toulas of Bleeping Computer   December 2, 2021
This is not the first time an examination of multiple routers has found a huge number of bugs. In this case, nine routers yielded 226 bugs. All were current models running the latest firmware. The routers were from Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology, and Linksys. The automated system used to find these bugs only looks for known flaws. The underlying issue is old software that is not upgraded when fixes are made. The TP-Link Archer AX6000 was the worst router, with 32 flaws. The Synology RT-2600ac, which I hated, had 30 bugs. The best router had 18 bugs. The research was done by IoT Inspector, in collaboration with German IT magazine CHIP. They also found a way to send malicious firmware to the D-Link DIR-X1560. Most of the reported bugs have been fixed. Not said, is whether the fixes were for the one tested model or for all similar models. No one ever dwells on that. Also, the fixes were not tested to insure they really fix the problems.

Netgear again

Thousands of Netgear Wi-Fi routers need to be patched now - here's how
by Paul Wagenseil of Toms Guide   December 3, 2021
I think Paul is re-using his headlines at this point :-) Not the biggest flaws in the world. What stands out to me is that the bugs were first disclosed to Netgear on May 3, 2021. Long time ago. Buggy devices include 35 different models of routers, Wi-Fi range extenders and combination modem-routers. The bugs were found by British security firm Immersive Labs.

NOVEMBER 2021

If there was ever a case to be made about not using an ISP router, this is it

Six million Sky routers had serious security flaw
by Jane Wakefield of the BBC   November 19, 2021
Quoting: "About six million Sky routers had a significant software bug that could have allowed hackers to take over home networks ... The problem has been fixed - but researchers say it took Sky 18 months to address.". Sky is one of the biggest ISPs in the U.K. The bug was in four Sky Hub models and 2 Booster models. The problem was with DNS rebinding and a malicious web page, anywhere on the Internet, could exploit the flaw. Most of these routers shipped with a default password which is never good. Better routers make you pick a new password at first boot. Anyone who changed the password was safe. It is not clear to me, after reading the report, if changing the internal IP address of the router offers protection from this attack. Final insult: Sky would not maintain communication with the company that found and reported the flaw, Pen Test Partners.

Still more Netgear bugs

Netgear patches severe pre-auth RCE in 61 router and modem models
by Catalin Cimpanu of The Record   November 17, 2021
A bug with UPnP lets devices connected to the router hack the router without knowing the password. A LAN side device can get Remote Code Execution as root on a buggy router. Perhaps most importantly, this is the fifth major set of remote code execution bugs that Netgear has needed to patch this year. Other remote takeover bugs were found in March (by NCC Group), June (by Microsoft), September (by Polish security researcher Gynvael Coldwind) and also in September (by GRIMM). One defense, not mentioned in the article, is to limit the LAN side devices that can communicate with the router. This is always a good idea. On some of the buggy routers, the bug an not be exploited. Why not? The fix for an earlier bug broke the UPnP SUBSCRIBE and UNSUBSCRIBE functions. Netgear fixed the latest bug in some of their routers but old ones (EoL or End of Life) were not fixed.

Routers are sitting ducks for hackers

PWN2OWN Austin 2021
by Dustin Childs of Zero Day Initiative   November 1, 2021
Three routers were targeted at a recent hacking contest and they all were successfully hacked.

The Cisco RV340 router was successfully attacked three times from the WAN/Internet side and six times from the LAN side. A software cesspool, it is. In the very definition of irony, the web page for the RV340 says "Connect Your Network Safely and Securely" Ha.

  1. An attacker used a logic error to compromise the WAN interface
  2. An attacker used an impressive stack-based buffer overflow to get code execution on the WAN interface
  3. An attacker used a unique command injection bug to takeover the Cisco RV340 from the WAN interface
  4. An attacker used a three-bug exploit chain to hack the LAN interface
  5. An attacker used a four-bug exploit chain, including some known bugs to hack the LAN side
  6. An attacker used four bugs to exploit the Cisco RV340 router via the LAN interface
  7. An attacker used three unique bugs, including an authorization bypass and a command injection, to get code execution on the LAN interface
  8. An attacker used a three-bug chain, including an authorization bypass and a command injection, to take over the LAN interface
  9. An attacker leveraged 4 bugs on the LAN interface, but some of the bugs had been seen earlier in the conference.
The TP-Link AC1750 router was successfully hacked three times.
  1. An attacker used an Out-Of-Bounds (OOB) Read to get a root shell via the LAN interface
  2. Another attacker also used an OOB Read bug to take control of the router via the LAN interface
  3. An attacker exploited the LAN interface of the router using a known bug that has not yet been fixed
The Netgear Nighthawk R6700 v3 Smart WiFi Router (AC1750) was hacked seven times, once from the WAN side, six times from the LAN side. The home page for the R6700 brags about Speed, Wi-Fi range and Reliability. Nothing about security. So, better than Cisco.
  1. An attacker used an integer overflow to gain code execution on the LAN interface
  2. An attacker used an authorization bypass with a command injection bug to get code execution on the LAN side
  3. An attacker combined a heap overflow and a stack-based buffer overflow to gain code execution on the LAN interface
  4. An attacker used an uninitialized variable to get a root shell via the LAN interface
  5. An attacker used an improper certificate validation and a stack-based buffer overflow to compromise the router via the WAN interface
  6. A attacker two bugs to exploit the router, but the path traversal bug was only an N-day
  7. An attacker used a pair of bugs to execute code via the LAN interface

SEPTEMBER 2021

SonicWall has holes in its wall

SonicWall warns users to patch critical vulnerability as soon as possible
by Pieter Arntz of MalwareBytes   September 24, 2021
SonicWall specializes in securing networks but a critical bug makes them less secure. The bug is in the SMA 100 series of devices, specifically the SMA 100, 200, 210, 400, 410, and 500v. Details: "... the vulnerability is an improper access control ... [that] allows a remote unauthenticated attacker to bypass path traversal checks and delete an arbitrary file. Which, if the attacker knows what they are doing, can potentially result in a reboot to factory default settings. With the default settings in place the attacker can gain administrator privileges by using the factory default credentials." Patches are available. The patches also include fixes for two other less critical bugs, a local privilege escalation flaw, and a denial-of-service vulnerability.

Fixes available for buggy Netgear routers

Netgear fixes dangerous code execution bug in multiple routers
by Sergiu Gatlan of Bleeping Computer   September 21, 2021
Adam Nichols of GRIMM discovered a bug in the Circle parental control service on these Netgear routers: R6400, R6700, R6900, R7850, R7900, R8000 and RS400. If you have a Netgear router, beware of their marketing. Paul Wagenseil warns "Because Netgear markets its home routers using somewhat misleading terminology - for example, the R7000 is also labeled as the 'Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router' - you might want to flip your router over and check the sticker on the bottom for the real model name." If the Circle software is installed, the router is vulnerable. The bug is in the Circle update routine which runs as root. Wagenseil offers perspective on this: "The problem is in the Disney-designed Circle parental-control feature, which was rolled out to Netgear Nighthawk and Orbi mesh routers in 2017. The Orbis and newer Wi-Fi 6 Nighthawks got parental-control software built in-house by Netgear earlier this year, while the Circle service was discontinued for older Nighthawk models in late 2020." Updated firmware is available, but there are many steps to the manual update process. The bug is relatively hard to exploit as the bad guy must be must be able to intercept and modify the router's network traffic. Gatlan points out that earlier this month, Netgear fixed three severe security vulnerabilities impacting over a dozen of their smart switches, allowing bad guys to take over unpatched devices.

For two years, Virgin Media fails to fix a router bug

VPN users unmasked by zero-day vulnerability in Virgin Media routers
by Adam Bannister of Port Swigger   September 20, 2021
Fidus Information Security, a UK penetration testing consultancy discovered a flaw in the Virgin Media Super Hub 3 router and reported it in October 2019. In February 2020 Fidus was asked not to publicly reveal the flaw until the first quarter of 2021. They agreed. Suckers. Virgin Media, and parent company Liberty Global, both stopped responding to Fidus. As of the end of September 2021, the bug is still not fixed. The flaw is that the router will reveal the public IP address to anyone on the LAN side that knows how to ask for it. To exploit this, Fidus uses DNS rebinding along with a malicious DNS server for a malicious domain. Load a web page from that domain, and it can reveal the public IP address even when a VPN is being used. Not all VPNs, but many. Some do not allow access to LAN side devices, some do. A good VPN will offer a choice as there is no one right answer. The tested router is really the ARRIS TG2492 and Fidus believes the vulnerability probably works against all related models. Don't hold your breath for a comment from Arris.

One TP-Link router is buggy as heck. What about others?

"Amazon’s Choice" best-selling TP-Link router ships with vulnerable firmware
by Edvardas Mikalauskas of CyberNews.com   September 2, 2021
The bugs in this one router model are not important. What is important is that, no doubt, many other TP-Link routers share these bugs and only this one model will be fixed. TP-Link is hugely popular, the article reports they sell over 150 million devices annually. The article is about the TP-Link AC1200 Archer C50 (v6) router. On Amazon it is rated 4.5 stars (out of 5) with over 61,000 ratings. Just shows how security is not a concern. The article covers many bases. For one: "The router is shipped with outdated firmware that is vulnerable to dozens of known security flaws". Then too: "The default version of the router's web interface app suffers from multiple bad security practices and vulnerabilities, including clickjacking, charset mismatch, cookie slack, private IP disclosures, weak HTTPS encryption, and more." They list 13 different issues with the web interface which is surely shared by many TP-Link routers. There were other security problems too. As for known bugs in the shipping firmware, some of these are fixed in later versions of the firmware, however the router does not auto-update. The researchers said that TP-Link responded quickly and plans on force-feeding the router a firmware update. As for the rest of the many TP-Link routers, this was not discussed. Par for the course.

AUGUST 2021

How low can Cisco go? Pretty low.

Cisco says it will not release software update for critical 0-day in EOL VPN routers
by Jonathan Greig of ZDNet   August 27, 2021
Cisco to their customers: Yeah, it's a bug, but we are not going to bother fixing it because the routers are old. Go buy a new router.
Yet again, Cisco has been caught failing to validate input. Lazy, lazy, lazy. Again, again, again. This vulnerability is in the Universal Plug-and-Play (UPnP) service in their Small Business RV110W, RV130, RV130W, and RV215W routers. An unauthenticated attacker can execute arbitrary code or cause a vulnerable device to restart unexpectedly. The support page for the RV215W router says that the end of support date is November 30, 2024. Seems like they lied. And the links for EOL of the RV215W go here which says nothing at all about the RV215W. Cisco is really bad news.

More bugs that will never be fixed

Remote code execution flaws lurk in countless routers, IoT gear, cameras using Realtek Wi-Fi module SDKs
by Thomas Claburn of The Register   August 16, 2021
There are vulnerabilities in three Realtek SDKs accompanying its Wi-Fi modules. This article says there are 4 bugs, the original report lists a dozen. The hardware is used in almost 200 products made by more than 65 vendors. Vendors selling the buggy hardware include: AsusTEK, Amped Wireless, Belkin, Buffalo, D-Link (many devices), Edimax, EnGenius, Huawei, Logitech, Netis, Technicolor, Tenda, TRENDnet, Zyxel and Netgear. The flaws require an attacker to be on the same network as the vulnerable device, or be able to reach it over the Internet. It is not clear if a VLAN offers any protection. Remote unauthenticated attackers (the worst kind) can fully compromise a device and execute code with the highest level of privilege. One buggy device, the Realtek RTL819xD module, creates wireless access points. One estimate is that almost a million vulnerable devices may use the buggy software, including VoIP and wireless routers, repeaters, IP cameras, and smart lighting controls. Realtek will fix some of the bugs, others are in software that is too old to bother with. However, it is expected that most vulnerable devices will never be patched.

Fortinet falls down

Fortinet delays patching zero-day allowing remote server takeover
by Sergiu Gatlan of Bleeping Computer   August 17, 2021
This is interesting, to me, not because of the delay in patching that is the focus of the article. Instead, I take note the long list of security bugs in Fortinet software that is cited at the end of the article. It's pretty long. And, the fact that Fortinet clammed up and stopped responding to Rapid7 which found the latest bug. That is not acceptable.

Cisco bugs never cease. They are as inevitable as death and taxes

Cisco fixes critical, high severity pre-auth flaws in VPN routers
by Sergiu Gatlan of Bleeping Computer   August 4, 2021
The web-based interface of these Cisco routers are buggy: RV340, RV340W, RV345, RV345P (Dual WAN Gigabit VPN routers), RV160, RV160W, RV260, RV260P, and RV260W (VPN routers). Yet again, the underlying problem is improperly validated HTTP requests and insufficient user input validation. Yet again. If remote access is disabled, then buggy devices are safe on the WAN side. There is no protection at all on the LAN side (the web interface can not be disabled), so the existing patches should be installed ASAP. There are two bugs. Attackers without the password can trigger a denial of service condition or execute commands and arbitrary code.

Yet another widespread router flaw

Decade-long vulnerability in multiple routers could allow network compromise
by Jessica Haworth of Port Swigger   August 4, 2021
Evan Grant of Tenable discovered an authentication bypass vulnerability in many routers and modem/routers manufactured by Arcadyan. The bug exists in at least 20 router models from 17 different vendors including Asus, Verizon, Vodafone, British Telecom, O2 (Telefonica), Orange, Hughesnet, Deutsche Telekom, Telstra and Telus. Was your router made by Arcadyan? None of the articles mentioned how you can tell. I have recent photos of a Verizon FIOS G3100 router and it certainly does not say Arcadyan anywhere on the outside. The important lesson here for consumer routers is that the vendor selling you the device is not necessarily the one who manufactured it. Grant also found two separate flaws in some Buffalo routers. This was the first time Grant had looked at a router for bugs and he said the flaws were "fairly easy to discover" and "trivial to exploit" The widespread bug is a path traversal flaw and is assigned CVE-2021–20090. The bug has been around for at least 12 years and can be exploited by unauthenticated, remote attackers. What is not said is whether the flaw can be exploited on routers that have Remote Administration turned off. My guess is no and that this fact was left out to make the bug seem more important. That said, I recently used a Verizon FIOS G3100 router and the user interface for Remote Administration was so miserably confusing I could not tell if I was turning it on or off.
UPDATE: Aug 25, 2021. I am told by a Verizon FIOS customer that there is new firmware, version 3.1.0.12, for the G3100 Router. The router self-updates. According to Joshua Lowcock it only self-updates, but he documented a work-around to force an update. What changes are in this new release? None of your business, Verizon does not seem to keep a change log. However, the GUI for the Admin interface has changed dramatically, which can only be a good thing. Lowcock notes that the new firmware has a dedicated wireless network for IoT, offers control over each wifi antenna and has a new performance-mode tri-band setting. Nothing about a security bug fix. Way back when, Verizon kept using WEP a decade after it was known to be insecure, so I would not get my hopes up about bug fixes.

JULY 2021

Bugs in a D-Link router. Just one model? None of your business

D-Link issues hotfix for hard-coded password router vulnerabilities.
by Sergiu Gatlan of Bleeping Computer   July 16, 2021
If hard code password backdoors do not turn you off D-Link, nothing will. A guy at Cisco, Dave McDaniel, took a look at the DIR-3040 router and found it to be a security nightmare. Multiple vulnerabilities: command injection, information disclosure and the biggie - executing arbitrary code. I am not surprised. I am also not surprised that the original report from Cisco and the article about it from Bleeping Computer focus exclusively on the DIR-3040. So too does D-Link. This is disgraceful. What about other similar routers with similar firmware? Clearly, that is none of our business. What should someone with a DIR-2640 or DIR-1950 do? Router vendors share firmware across multiple models. It is all but guaranteed that similar models have the same bugs. Anyone using a D-Link router clearly does not care about security. Still, Cisco says the bugs were fixed on July 13th but D-Link says on June 9th. Beats me.

A bad Summer for SonicWall

Another Brick in the Wall: eCrime Groups Leverage SonicWall VPN Vulnerability
by Heather Smith and Hanno Heinrichs of Crowdstrike   June 8, 2021
There was a bug, SonicWall did not fix it completely and eventually bad guys exploited the heck out of it. Quoting Pieter Arntz: "In the continuous wave of ransomware attacks you may have noticed a trend where the software and devices that are designed to keep you safe, are being used to establish the opposite. This year we have seen Pulse Secure vulnerabilities exploited in the wild, CISA warnings about successful attacks targeting a number of years-old vulnerabilities, and the colossal Kaseya supply-chain attack, among others."

JUNE 2021

Multiple Zyxel devices vulnerable to WAN side attack

Sophisticated hackers are targeting these Zyxel firewalls and VPNs
by Liam Tung of ZDNet   June 25, 2021
Bad guys are hacking into these Zyxel devices: Unified Security Gateway (USG), ZyWALL, the USG FLEX combined firewall and VPN gateway, Advanced Threat Protection firewalls, and VPN series devices. They are modifying the devices to gain entry into the network behind them. The official Zyxel response makes it sound as if the bad guys are abusing back door accounts built into the devices. If so, it would not be the first time. Earlier this year, researchers found a backdoor account in Zyxel firmware, which left 100,000 devices vulnerable.

Microsoft toots their own horn - finds bug in 10 year old Netgear consumer router

Microsoft finds new NETGEAR firmware vulnerabilities that could lead to identity theft and full system compromise
by Jonathan Bar Or of Microsoft 365 Defender Research Team   June 30, 2021
The buggy router, the NETGEAR DGN-2200 v1 series is really a combination modem/router. And, it is old as heck, the User Guide is dated February 2011. Yet, here we are, in June 2021 and Microsoft announces that they found bugs in it. This is really a PR stunt for Microsoft defensive software. That said, their software was triggered by "... a device owned by a non-IT personnel was trying to access a NETGEAR DGN-2200v1 router’s management port." Great catch, but who is using a 10 year old DSL modem/router and the latest and greatest Microsoft software? The router is as buggy as buggy gets. Any remote person can get full control of it. The worst bug lets you access any page in the web admin if you include one of the get-out-of-jail-free character strings in the GET request. Another bug exploits the encryption of the configuration backup file to learn the userid/password to login legitimately. The bugs are described in enough details to make someone not trust Netgear. The bugs have been fixed, which is quite a trick. You have to assume this router was End-of-Life years ago.

MAY 2021

Wi-Fi bugs in most every Wi-Fi device

Frag Attack
by Mathy Vanhoef of NYU   May 10, 2021
Shame on everyone for these Frag Attack bugs. Some of the Wi-Fi bugs are in the official specs for how Wi-Fi is supposed to work. For that, shame on the Wi-Fi Alliance, a group that has previously shown itself not to be up to the job. The rest of the bugs fall on many assorted programmers for not programming to the specs. Not just the programmers working for one company, but for many companies. Why so much shame? It is very likely that every Wi-Fi device in the world has at least one of the 12 bugs. Quoting Vanhoef: "In experiments on more than 75 devices, all of them were vulnerable to one or more of the discovered attacks." Bug fixes are need from dozens, if not hundreds, of sources. We'll get some, over time, but these bugs are sure to last for decades. The design flaws are difficult to exploit according to Vanhoef: "... the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit." One defense is HTTPS. A VPN helps with some of the bugs, but not all. Quoting: "Using a VPN can prevent attacks where an adversary is trying to exfiltrate data. It will not prevent an adversary from bypassing your router's NAT/firewall to directly attack devices." Interestingly, Wi-Fi 6 (aka ax) is more vulnerable than Wi-Fi 5 (aka ac). Vanhoef has worked with the Wi-Fi Alliance for the last nine months to get these bugs fixed. To date, five companies have released patches. Vanhoef gets in a dig at the Wi-Fi Alliance when he says "...it's essential to regularly test Wi-Fi products for security vulnerabilities, which can for instance be done when certifying them." The Wi-Fi Alliance does this certification. We may be in good hands with Allstate, but that is not the case with the Wi-Fi Alliance. He also says the biggest risk is likely the ability to abuse these flaws to attack devices in someone's home network. He does not offer a defense, but I will - VLANs, or, at the least, Guest Wi-Fi networks. Or, a second router. The bug that scares me the most is the one that allows bad guys to bypass a router firewall and attack devices directly. He tested four consumer routers and found two were vulnerable, but he did not name names and did not say which of the 12 bugs they were vulnerable to. Check with your router vendor to see if they have anything to say about this. Likewise, fixes are needed for Access Points and operating systems.
How bad is this really? From the horse's mouth:
Does this mean every Wi-Fi device is trivial to attack?
"The design issues are, on their own, tedious to exploit in practice. Unfortunately, some of the implementation vulnerabilities are common and trivial to exploit. Additionally, by combining the design issues with certain implementation issues, the resulting attacks become more serious. This means the impact of our findings depends on the specific target. Your vendor can inform you what the precise impact is for specific devices. In other words, for some devices the impact is minor, while for others it's disastrous."

Still more bugs in Cisco RV34X routers

Advisory: Cisco RV34X Series – Privilege Escalation in vpnTimer
by T. Shiomitsu of the IoT Inspector Research Lab   May 5, 2021
"A few weeks ago, we published an advisory on the Cisco RV series routers, where we outlined the root cause for authentication bypass and remote command execution issues. This week, Cisco has released an advisory for another bug we reported around the same time: A privilege escalation issue, which could be used in combination with the other two issues to run arbitrary code with root privileges on affected RV34X devices. ". The bug is CVE-2021-1520 - Privilege Escalation in vpnTimer. A look at old firmware shows that the bug has been present since at least the first firmware update package of the RV34X series back in February 2017). Vulnerable routers are the RV340, RV340W, RV345 and the RV345P. A fix is available.

APRIL 2021

Bugs in Cisco RV34X series routers

Advisory: Cisco RV34X Series – Authentication Bypass and Remote Command Execution
by T. Shiomitsu of the IoT Inspector Research Lab   April 13, 2021
"In early 2021, we reported a few security issues to Cisco related to their RV34X series of routers, two of which have been recently patched. The issues in question were an authentication bypass and system command injection, both in the web management interface. These can be chained together to achieve unauthenticated command execution." Cisco took 4 months to release a fix (Jan 2, 2021 through April 7, 2021) and they admit that other devices are also affected. The bugs are CVE-2021-1472 - RV34X /upload Authorization Bypass Vulnerability and CVE-2021-1473 - RV34X OS Command injection in Cookie string.

Critical bug in Juniper Junos OS - fixes available

Critical Vulnerability Can Allow Attackers to Hijack or Disrupt Juniper Devices
by Eduard Kovacs of Security Week   April 16, 2021
A buffer size validation flaw may allow an unauthenticated remote attacker to send specially crafted packets to a vulnerable device, triggering a partial Denial of Service, or remote code execution. An attacker who successfully exploits the vulnerability can gain root access to the targeted system. The bug is in the overlayd daemon which runs as root by default and listens for UDP connections on port 4789. The underlying problem is improper buffer size validation, which can lead to a buffer overflow. The bug is CVE-2021-0254. Good news: Fixes are available and vulnerable devices are typically not exposed to the Internet. The bug was discovered by Nguyễn Hoàng Thạch with Singapore-based cybersecurity company STAR Labs.

MARCH 2021

Bug in D-Link DIR-3060 router

Advisory: D-Link DIR-3060 Authenticated RCE (CVE-2021-28144)
by IoT Inspector Research Lab   March 11, 2021
The D-Link DIR-3060 is affected by a post-authentication command injection vulnerability. Anybody with authenticated access to the router can run arbitrary system commands on the device as the system admin user, with root privileges. D-Link has released a patched firmware.

Bugs in Cisco RV132W and RV134W routers

CVE-2021-1287 Detail
by NIST   March 17, 2021
"A vulnerability in the web-based management interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the device to restart unexpectedly. The vulnerability exists because the web-based management interface does not properly validate user-supplied input.... A successful exploit could allow the attacker to execute arbitrary code as the root user .... " The attacker needs to be authenticated to the device before they can exploit the flaw. Fixes are available.

FEBRUARY 2021

Still more Cisco bugs

Cisco Warns of Critical Auth-Bypass Security Flaw
by Lindsey O'Donnell of Threatpost   February 25, 2021
"A critical vulnerability in Cisco Systems' intersite policy manager software could allow a remote attacker to bypass authentication. The vulnerability is one of three critical flaws fixed by Cisco on this week. It exists in Cisco’s ACI Multi-Site Orchestrator (ACI MSO) — this is Cisco’s management software for businesses ... The flaw stems from improper token validation on an API endpoint in Cisco’s ACI MSO. The vulnerability ranks 10 (out of 10) on the CVSS vulnerability-rating scale. The glitch is considered critical because an attacker - without any authentication - could remotely could exploit it..." Cisco also fixed a bug in their NX-OS network operating system for Nexus-series Ethernet switches. This flaw, which has a CVSS score of 9.8 out of 10, lets an unauthenticated, remote attacker create, delete or overwrite arbitrary files with root privileges on Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches.

Paying more does not get you better software

Fortinet fixes critical vulnerabilities in SSL VPN and web firewall
by Ax Sharma of Bleeping Computer   February 7, 2021
There are assorted bugs in the FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products. The worst bug is in the FortiProxy SSL VPN, it can be triggered by a remote, unauthenticated attacker using a specially crafted POST request. A SQL Injection flaw (CVE-2020-29015) lets an attacker get the hash of the administrator account due to excessive DBMS user privileges. A Buffer Overflow flaw (CVE-2020-29016) allows for arbitrary code execution by a remote attacker without the password.

JANUARY 2021

SonicWall hacked using a bug in their own software

SonicWall firewall maker hacked using zero-day in its VPN device
by Lawrence Abrams of Bleeping Computer   January 23, 2021
"SonicWall is a well-known manufacturer of hardware firewall devices, VPN gateways, and network security solutions whose products are commonly used in SMB/SME and large enterprise organizations." They released an advisory warning that hackers used a bug in their Secure Mobile Access (SMA) VPN device and their NetExtender VPN client to attack their internal systems. Until the bug is fixed they suggest enabling two-faction authentication and blocking web traffic from countries that do not need to access their devices. Then:
SonicWall SMA 100 zero-day exploit actively used in the wild by Lawrence Abrams February 1, 2021
SonicWall is still investigating the vulnerability and has not provided many details. It likely affects their SMA 100 series of remote access appliances. Another suggested mitigation is restricting the IP addresses than can access the SonicWall management interface. Then:
SonicWall fixes actively exploited SMA 100 zero-day vulnerability By Lawrence Abrams February 3, 2021
They released a patch for the bug in the SMA 100 series of appliances running firmware version 10.x. Specifically: the SMA 200, SMA 210, SMA 400, SMA 410 and the virtual SMA 500v appliance. They have still not provided any details on the vulnerability. Tweets from the NCC Group indicate that it allows remote access to the management interface without authorization.

And ... still MORE Cisco bugs

Cisco reveals critical bug in small biz VPN routers when half the world is stuck working at home
by Simon Sharwood of The Register   February 5, 2021
This is as bad as bad gets. The worst bugs "can be exploited by an unauthenticated, remote attacker to execute arbitrary code as the root user. All the attacker needs to do is send a maliciously crafted HTTP request to the web-based management interface." Routers vulnerable to this are: RV160, RV160W, RV260, RV260P, and RV260W. Other bugs allow a remote bad guy, again without a password, to "conduct directory traversal attacks and overwrite certain files that should be restricted ...." Other Cisco routers, the RV016, RV042, RV042G, RV082, RV320, and RV325 have still other bugs. All the bugs seem to be due to lazy Cisco employees who can't be bothered to validate input. Four buggy routers, the RV016, RV042, RV042G, and RV082 are not getting updates because they are too old. If the bugs don't turn you away from Cisco, consider the tech support experience - they put most of the burden on you. These quotes are from the bug Advisories below.
You want the patches? "... customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner." You want to learn about available updates? Cisco won't tell you. "When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure..." Will the available update work on your hardware? You figure it out. "In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release." I don't even know what the last part of that quote means. The big point is that you pump your own gas when you are a Cisco customer. I would not use their hardware for a paper weight.

More Cisco bugs

High-Severity Cisco Flaw Found in CMX Software For Retailers
by Lindsey O'Donnell of ThreatPost   January 13, 2021
At this point, I would not trust or even want to touch any hardware or software from Cisco. Their software has too many bugs and this case shows their refusal to fix some bugs. Cisco addressed 67 high-severity bugs. That is far too many to have in software that is reasonably mature. Far too many. Sixty of the bugs exist in in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W and RV215W routers. Quoting: "Of note, Cisco said it would not release software updates for the Cisco Small Business RV110W, RV130, RV130W and RV215W routers, as they have reached end of life."

2020

DECEMBER 2020

Bugs bugs bugs bugs bugs bugs

Vulnerability Summary for the Week of December 28, 2020 Bulletin (SB21-004)
by the CISA branch of the US Government   January 4, 2021
A summary of new vulnerabilities that have been recorded in the past week. Again, just one week. Below is a summary of the CISA summary for assorted devices from networking companies. They may not all be routers and the severity of the bugs vary widely.
---------
Tenda AC1200 (Model AC6) the default settings for the router speed test contain links to download malware CVE-2020-28094
Tenda AC1200 (Model AC6) a large HTTP POST request sent to the change password API will trigger the router to crash and enter an infinite boot loop. CVE-2020-28095
Tenda N300 F3 devices allow remote attackers to obtain sensitive information via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg CVE-2020-35391
Tenda AC1200 (Model AC6) userids: admin, support, user, and nobody have a password of 1234. CVE-2020-28093
---------
Belkin LINKSYS RE6500 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters CVE-2020-35713
Belkin LINKSYS RE6500 allow remote attackers to cause a persistent denial of service (segmentation fault) CVE-2020-35716
Belkin LINKSYS RE6500 allow remote authenticated users to execute arbitrary commands via shell metacharacters in a filename CVE-2020-35715 and CVE-2020-35714
---------
TP-Link: a password-disclosure issue in the web interface of certain TP-Link devices allows a remote attacker to get full administrative access to the web panel. CVE-2020-35575
---------
Certain Zyxel products allow command injection by an admin via an input string to chg_exp_pwd during a password-change action. CVE-2020-29299
------------
DrayTek Vigor2960 allows remote command execution via shell metacharacters in a toLogin2FA action to mainfunction.cgi. CVE-2020-19664
-------------
Certain NETGEAR devices are affected by disclosure of sensitive information. CVE-2020-35802
Certain NETGEAR devices are affected by a buffer overflow by an authenticated user. CVE-2020-35787
Certain NETGEAR devices are affected by command injection by an authenticated user. CVE-2020-35793
NETGEAR DGN2200v1 devices mishandle HTTPd authentication CVE-2020-35785
NETGEAR GS716Tv3 and GS724Tv4 are affected by CSRF. CVE-2020-35778
NETGEAR JGS516PE , JGS524PE, JGS524Ev2 and GS116Ev2 are affected by lack of access control at the function level. CVE-2020-35784
NETGEAR JGS516PE, JGS524Ev2, JGS524PE and GS116Ev2 are affected by incorrect configuration of security settings. CVE-2020-35801
NETGEAR NMS300 devices are affected by command injection by an authenticated user. CVE-2020-35789
NETGEAR NMS300 devices are affected by denial of service. CVE-2020-35780 and CVE-2020-35781
NETGEAR R7500v2, R8900, R9000 and R7800 are affected by command injection by an authenticated user. CVE-2020-35792 and CVE-2020-35791
NETGEAR RBS40V, RBK752, RBR750, RBS750, RBK852, RBR850 and RBS850 are affected by command injection by an authenticated user. CVE-2020-35794
NETGEAR WAC104 devices are affected by a buffer overflow by an authenticated user. CVE-2020-35788
NETGEAR D6200, D7000, JNR1010v2, JR6150, JWNR2010v5, R6020, R6050, R6080, R6120, R6220, R6260, WNR1000v4, WNR2020 and WNR2050 are affected by stored XSS. CVE-2020-35840 and CVE-2020-35842
NETGEAR R7800 is affected by a buffer overflow by an authenticated user. CVE-2020-35786
NETGEAR D7800, R7500v2, R7800, R8900, R9000, RAX120, RBK50, RBR50, RBS50, XR500 and XR700 are affected by stored XSS. CVE-2020-35824 and CVE-2020-35830 and CVE-2020-35835
NETGEAR D7800, R7800, R8900, R9000 and XR700 are affected by disclosure of sensitive information. CVE-2020-35804 and CVE-2020-35838 and CVE-2020-35837
NETGEAR R6400v2, R6700v3, R6900P, R7000, R7000P, R7800, R7850, R7900, R7960P, R8000, R7900P, R8000P, RAX15, RAX20, RAX200, RAX45, RAX50, RAX75, RAX80, RBK752, RBR750, RBS750, RBK852, RBR850, RBS850, RBK842, RBR840, RBS840, RS400 and XR300 are affected by command injection by an unauthenticated attacker. CVE-2020-35798
---------
Just ... one ... week.

Critical bug in D-Link DSR VPN routers

D-Link VPN routers get patch for remote command injection bugs
by Ionut Ilascu of Bleeping Computer   December 8, 2020
No one makes money saying that newly discovered bugs are not that big a deal. So, this trio of D-Link bugs may or may not be a big deal, despite the fact that everyone says the sky is falling. To be clear, the most critical of the three bugs is indeed the worst possible type of flaw - anyone on the Internet can totally hack these routers. What is not said, however, is whether the web interface to these routers is exposed to the Internet by default. If not, this is much less of an issue. I suspect the web interface is not available remotely because if it was, the company that found these bugs would say so. Either way, D-Link should say something about this in their response, but, they do not. They don't care about security. Further proof about how little D-Link cares about security is the timeline. Three bugs were reported to them on August 11, 2020. Their first response was early December 2020. They fixed two of the bugs and consider the third not a real problem. The most critical bug can also be exploited on the LAN but VLANs can be used to limit access to the web based Admin interface. At least on good routers they can. I don't know if these routers support VLANs. The bugs affect the DSR-150, DSR-250, DSR-500 and DSR-1000.

NOVEMBER 2020

Avoid routers from Jetstream and Wavlink

Walmart-exclusive router and others sold on Amazon and eBay contain hidden backdoors to control devices
by Bernard Meyer of CyberNews.com   November 23, 2020
This expands on a problem first noticed in April 2020. Quoting: "In a collaboration between CyberNews Sr. Information Security Researcher Mantas Sasnauskas and researchers James Clee and Roni Carta, suspicious backdoors have been discovered in a Chinese-made Jetstream router, sold exclusively at Walmart as their new line of 'affordable' wifi routers. This backdoor would allow an attacker the ability to remotely control not only the routers, but also any devices connected to that network ... the cybersecurity research team also discovered that low-cost Wavlink routers, normally sold on Amazon or eBay, have similar backdoors. The Wavlink routers also contain a script that lists nearby wifi and has the capability to connect to those networks ... While Jetstream has an exclusive deal with Walmart, and is sold under other brand names like Ematic, there is very little information available about which Chinese company actually produces these products ... While Clee's original research (and follow-up) analyzed one Wavlink router, our new analysis shows that multiple Wavlink and Jetstream devices have now been shown to be affected. In fact, all of the devices that the team analyzed were found to contain backdoors.

Routers from Asus and TP-Link hacked at a hacking contest

Routers, NAS Devices, TVs Hacked at Pwn2Own Tokyo 2020
by Eduard Kovacs of Security Week   November 9, 2020
Update: Dec 17, 2020: I am tracking the acknowledgment and/or fix for the Asus router on the News page. So far, nothing.
Update Nov 13, 2020: It appears that one of these articles was wrong. The Netgear router was not hacked. Also, the TP-Link router is not sold in the US.
The three routers that have been reportedly been hacked at the contest are the ASUS RT-AX86U, the TP-Link TL-WDR7660 and the NETGEAR Nighthawk R7800. Two bugs were found in the Netgear router. The bugs will be disclosed to the hardware manufacturers and hopefully fixes will be released. What no one will say is whether the same bugs exist in other routers from these companies.

OCTOBER 2020

The second critical flaw for SonicWall this year

800,000 SonicWall VPNs vulnerable to new remote code execution bug
by Catalin Cimpanu of ZDNet   October 15, 2020
SonicWall Network Security Appliances are used as firewalls and SSL VPN portals to control access internal and private networks. The Tripwire VERT security team discovered a bug that exists in almost 800,000 internet-accessible SonicWall VPN appliances. The bug is considered critical and is expected to come under active exploitation once proof-of-concept code is made publicly available. The underlying problem is a stack-based buffer overflow. To exploit the bug, bad guys do not need to have valid credentials. Oh, and the bug is trivial to exploit, even for unskilled attackers. This is SonicWall's second major bug this year. Patches are available.

JULY 2020

Asus router bug and insight into Asus itself

ASUS Router Vulnerable to Fake Updates and XSS
by Martin Rakhmanov of Trustwave   July 23, 2020
Rakhmanov found two bugs in the ASUS RT-AC1900P router and the company has fixed them. One bug (CVE-2020-15498) was that the firmware update process accepted software with forget server certificates. This would have let spies and hackers install their own firmware on their router. An attacker would have to be adjacent network-wise to the router to perform this man in the middle attack, but it could result in a full compromise of the router. The other bug (CVE-2020-15499) was an XSS in a dialog window of the admin interface. There are two things here that are very important, much moreso than the bugs themselves. Neither ASUS nor Rakhmanov said anything about other ASUS routers. It is very likely they too are vulnerable, but it is none of our business. Then too, there is the way Asus handled this. For one thing they never issued a security advisory. And, as we see below in the Revision History, they could not be bothered to tell Rakhmanov when they fixed the bug. And, when he asked they were not sure if they fixed one or both bugs.

Multiple D-Link router bugs

5 severe D-Link router vulnerabilities disclosed, patch now
By Ax Sharma of Bleeping computer   July 24, 2020
It is not clear from this story which routers are buggy. The research the story is based on is for a router that is End-of-Life (no more bug fixes, it's too darn old to bother with). The bugs are in the web interface to the router, as they often are. Best practices for router security is always to limit LAN side access to the router's admin interface, and, of course, to disable remote administration. I found one bug quite noteworthy. It lets a bad guy bypass the router password by adding a couple parameters to the HTTP request to the router. The same flaw was reported in 2010 and again in 2011. That tells you all you need to know about D-Link.

Way too many bugs in Cisco software

Cisco releases security fixes for critical VPN, router vulnerabilities
by Charlie Osborne for ZDNet   July 17, 2020
For the most part, I leave out Cisco bugs from this page because there are just too many of them. The number of critical bugs in Cisco software over the years has been far too high. I would not use their products. Cisco just released fixes for 34 bugs, five of which are the most critical in that they allow bad guys to get total control of vulnerable devices. One issue is the Telnet service in the Small Business RV110W Wireless-N VPN Firewall router. It has a default, static password that, if obtained by attackers, can lead to the full remote hijacking of a device. This is a mistake that can not be forgiven and not the first time Cisco has had hard coded passwords. A flaw in the management interface of the Cisco Small Business RV110W, RV130, RV130W, and RV215W routers can be exploited to execute arbitrary code as the root user. This is a very common flaw, improper validation of input. Translation: lazy programmers. Same thing with the web interface of the Cisco RV110W VPN Firewall and RV215W VPN router.

Do not buy a router from Tenda

Tenda AC15 AC1900 Vulnerabilities Discovered and Exploited
by Sanjana Sarda of Independent Security Evaluators   July 10, 2020
Their research uncovered five bugs including two methods attackers can use to gain persistent unauthenticated root access to the router. They also found 7 open LAN side ports. Much of this article is focused on the specifics on the bugs and it leaves out the implications. Are the bugs exploitable LAN side or WAN side or both? Does a user have to be logged in to exploit the bug or not? Despite this, the article is very useful at the end. ISE first contacted Tenda in January 2020. Here, six months later, no response from Tenda at all. And, as always with router bugs, it is likely that similar flaws exist in other firmware versions and other Tenda routers.

JUNE 2020

79 Netgear devices are buggy and the company did nothing

SOHO Device Exploitation
by Adam of Grimm   June 15, 2020
Quoting: "This is just one more example of how SOHO device security has fallen behind as compared to other modern software ... As such, it’s trivial to overflow the stack buffer." The author found a pre-authentication stack overflow vulnerability in the Netgear R7000 router running firmware version 1.0.9.88. The vulnerability, which allows for remote code execution, has been present in the R7000 since it was released in 2013. But that is only the beginning. Adam was able to identify 79 different Netgear devices and 758 Netgear firmware images that included the buggy code. The oldest buggy firmware dated back to 2007. The vulnerability was reported to Netgear on May 7, 2020 and they seemed to have ignored it. Using assorted scripts, Adam created an exploit for each of the 758 buggy firmware images. Then, he tested his exploit on 28 of the vulnerable devices to ensure that it worked as expected. Among the confirmed buggy routers are the Netgear R6250, R6300v2, R6400, R7000, R8000, R8300 and the R8500. Criticizing Netgear he said "In addition to lacking stack cookies, the web server is also not compiled as a Position-independent Executable (PIE), and thus cannot take full advantage of ASLR. As such, it’s trivial to find a ROP gadget within the httpd binary ... that will call system with a command taken from the overflown stack."

Bugs in a very old D-Link router

D-Link leaves severe security bugs in home router unpatched
by Ionut Ilascu of Bleeping Computer   June 12, 2020
The D-Link DIR-865L router was released in 2012 and is no longer supported for U.S. consumers. However, on the website for European countries, the status is "End of Sale" which means that it can no longer be purchased but it is still supported by the vendor. Researchers at Palo Alto Networks' Unit 42 found and reported six security vulnerabilities in the DIR-865L in late February 2020. Now, over three months later, D-Link released beta firmware that fixes three of the six flaws. Two bigger issues: 1) What about other models? Unit 42 warned that newer routers may be vulnerable to the same flaws because they share a common code base. A good router vendor will check for the same flaw in all their products. A bad router vendor will not. The response from D-Link said nothing about any other models. 2) Who cares about such an old router? Why is Unit 42 even looking at ancient consumer devices? In the US, the DIR-865L went out of support in Feb. 2016.

APRIL 2020

Wavlink does not respond to security flaws - another brand to avoid

Multiple Vulnerabilities in Wavlink Router leads to Unauthenticated Remote Code Execution
by James Clee   April 18, 2020
Clee started a new hobby - buying cheap Chinese technology to see what he could find out about security. He startee with the Wavlink WL-WN530HG4 which sells for $30. An interesting read that resulted in CVE-2020-10971 and CVE-2020-10972. He found back doors and miserable password verifications. Quoting: "... so an attacker with the right background information about the device could achieve RCE fairly easily." Worse, is that he attempted multiple times to contact Wavlink using several different support contacts and they ignored him. This is not a company you want to deal with.
A few days later he wrote about the Wavlink WL-WN579G3 and WL-WN579A3 Wi-Fi Extenders. They were just as bad as the router. He found that lots of web pages are externally accessible without authentication and they contain sensitive data. He could get the username and password without authenticating to the devices. Once again, Wavlink did not respond to any of his attempts at communication.

Sophos quickly issues patch for their firewalls

Hackers are exploiting a Sophos firewall zero-day
by Catalin Cimpanu for ZDNet   April 26, 2020
Bad guys were found to be attacking a previously unknown SQL injection vulnerability in the Sophos XG enterprise firewall. Sophos learned about the problem on April 22nd when a customer reported something strange. They published an emergency security update on April 25th. The firewalls can self-update, though I doubt every user has that enabled. No surprise to learn that vulnerable firewalls had either their administration or User Portal control panel exposed to the Internet. The bug let bad guys steal files from the XG firewall, and those files could include usernames and hashed passwords for the firewall administrator, for the firewall portal admins and for user accounts used for remote access to the device. Bad guys could also learn the firewall's license and serial number, and see some user emails. Sophos researchers named the malware Asnarok. From what I have seen, the Sophos response was great. You could not ask for more. Not only did they fix the bug quickly, they also documented the heck out of the issue.

MARCH 2020

Multiple issues with OpenWRT

Uncovering OpenWRT remote code execution (CVE-2020-7982)
by Guido Vranken of ForAllSecure   March 24, 2020
The OpenWRT package manager, opkg, does not check the SHA256 hash of anything it downloads. This is compounded by it downloading updates over HTTP rather than HTTPS. In addition, the opkg unpacker is buggy; malformed data leads to a variety of memory violations. opkg on OpenWrt runs as root with write access to the entire filesystem, so arbitrary code could be injected by means of forged .ipk packages with malicious payloads. Also vulnerable is the LEDE fork of OpenWRT. One of the bugs was introduced in February 2017. Fixes are available.

Two Zero Day bugs in DrayTek routers (Updated)

A mysterious hacker group is eavesdropping on corporate email and FTP traffic
by Catalin Cimpanu of ZDNet   March 28, 2020
According to Netlab, the network security division of Chinese security firm Qihoo 360, bad guys have been hacking into DrayTek routers to eavesdrop on FTP and email traffic. They first observed this in early December 2019. There are two different zero-day flaws in three DrayTek Vigor devices, the 2960, 3900 and 300B. The bugs could allow for arbitrary code execution on a vulnerable system. This could allow an attacker to eavesdrop on network traffic, operate SSH and Web based backdoors, and create system accounts. One flaw is in the login mechanism and it allows attackers to hide malicious code inside the router's username field. This malicious code can grant the hackers control over the router. Next, the attackers started recording traffic coming to port 21 (FTP), 25 (email), 110 (email) and 143 (email). These are four very old protocols and they still use plain text. It is assumed the attackers were looking for FTP and email passwords. The second flaw is in the "rtick" process and attackers used it to create backdoor accounts on the hacked routers. Qihoo says that around 100,000 vulnerable DrayTek devices are online. DrayTek issued updated firmware six days after they learned of the problem. And, DrayTek impressed me with this " The issue only affects the Vigor3900 / 2960 / 300B and is not known to affect any other DrayTek products". This is rare, vendors usually fix only the devices with the reported problem.

Multiple flaws in multiple Netgear routers

Thousands of Netgear routers are at risk of getting hacked: What to do
by Paul Wagenseil of Toms Guide   March 5, 2020
Nearly 50 Netgear devices need firmware patches ASAP. The devices are seven modem-router gateways, 40-odd routers (including some Nighthawk and Orbi models) and one range extender. The worst of the flaws lets attackers remotely install malware on one router. A "pre-authentication command injection security vulnerability" on five routers could also lead to total network takeover. For a number of the flaws Netgear has not provided specific details. Does your Netgear router need an update? Turns out, this is a hard question to answer. Netgear does a terrible job of communicating to its customers what each router's model number is. They hardly ever use the actual model number in their consumer marketing and packaging. For example, the AC4000 Nighthawk X6S Tri-Band WiFi Router is the R8000P. To find the model number, turn the device over and look at the sticker on the bottom. The update procedure differs among the various routers. The article has a full list of the buggy router model numbers.

JANUARY 2020

Millions of Internet boxes are vulnerable

Cable Haunt
by Lyrebirds ApS   January 11, 2020
Bad news: untold millions of devices are vulnerable. Good news: it is not easy to exploit the bug. Bad news: despite all the headlines, it is not only modems that are vulnerable, so too are gateways (combination modem/router). Bad news: In the US, this will never be fixed. ISPs are virtual monopolies and thus have no reason to do a good job. Fixing this takes time, effort and money and few very customers will ever learn about it. I tried to get a response from Spectrum, it was a waste of time. The company that found the flaw offered a tester script for Linux that seems useless. They also offered some JavaScript that can copied and pasted into a browser console to test if your Internet box is vulnerable. With their JavaScript, I confirmed that the Netgear CM600 modem is vulnerable. They leave out that you need to copy/paste their Javascript as a whole, not each line individually. And, you may need to change the port number, which is why I suggest using nmap below. Netgear only offers free tech support for the first 90 days, so I can not ask them about this. Not that it matters, modem firmware can only be updated by an ISP, at least in the US.
What to do?
I suppose you could try and learn the firmware version that your modem or gateway is running and then try to find out if it has been patched for the Cable Haunt flaw. In the US, this is almost definitely a waste of time.
First, see if your Internet box uses Broadcom. If not, you are safe. The Toms Guide article below has links to pages that show this for Arris and Netgear devices. For other companies see approvedmodems.com. If that fails, perhaps look for the technical specs of your modem or gateway. Maybe try to contact the hardware manufacturer. If Broadcom ...
If you have a router/modem combination box, run nmap on the LAN side IP address looking at all 65,535 TCP ports. If you have a router and a modem as stand-alone devices, run the same nmap against 192.168.100.1. After the nmap scan, try to use HTTP and HTTPS to access every open port. The buggy Spectrum Analyzer looks like this on a Netgear modem. Found a Spectrum Analyzer? If so, nag either your ISP or the hardware vendor for fixed software. Lotsa luck (probably won't happen). Better yet, block access to the buggy device. If its a combination modem/router, there should be some sort of LAN side restrictions about which devices can logon to the box. For more, see the Security Checklist page here, the section on Local Administration. If you have a router and a modem as separate devices, you need a nerd to configure a defense. One option is something called a static route - some routers let you configure this, some do not. If your router supports firewall rules (rare), see my blog below about creating an outbound firewall rule to block modem access. As a rule consumer routers, such as AmpliFi from Ubiquiti or Google WiFi do not offer outbound firewall rules.

2019

DECEMBER 2019

Multiple bugs in Ruckus Access Points

A ton of Ruckus Wireless routers are vulnerable to hackers
by Zack Whittaker of TechCrunch   December 28, 2019
Despite the headline, the buggy devices are Access Points not routers. Security researcher Gal Zror discovered 10 bugs in Ruckus devices. Three are biggies. They are in the web interface of the Unleashed line of APs. The flaws let a bad guy take complete control of a vulnerable router remotely and without needing a password. As bad as bad gets. Patches have been issued but the routers do not self-update. Ruckus Cloud access points are not buggy. Neither are their SmartZone-enabled devices. This was made public at a presentation at the 36th Chaos Communication Congress called Lecture: Don't Ruck Us Too Hard - Owning Ruckus AP Devices. This surprised me. For one, its the first mention of Ruckus in my list of bugs. Second, Ruckus is a high end company. Then again, Cisco is also high end and their software has a terrible track record when it comes to bugs and flaws and vulnerabilities.

More buggy D-Link routers

D-Link DIR-859 —Unauthenticated RCE (CVE-2019–17621)
by Miguel Méndez Z.   Decembe 24, 2019
Back in Oct. 2019, we learned of a Remote Code Execution bug in a single D-Link router, the DIR-859 (CVE-2019-17621). The bug could be exploited by anyone on the LAN to take full control of the router. Of course, many routers from the same company share the same firmware (operating system) so it was not a surprise when, in Nov. 2019, we learned that many more D-Link routers share the same bug. Some of the buggy routers are too old and will not be updated. Some have already had fixes released. Still more, are slated to have fixes released soon. These are the buggy models: DIR-818Lx DIR-822, DIR-823, DIR-859, DIR-865L, DIR-868L, DIR-869, DIR-880L, DIR-890, DIR-885, DIR-895. In some cases, the router firmware must be updated twice. Ugh. The vulnerability is in the code used to manage UPnP requests.

Four buggy TP-Link routers

TP-Link Archer Router Vulnerability Voids Admin Password, Can Allow Remote Takeover
by Grzegorz Wypych and Limor Kessem of IBM X-Force Red   December 16, 2019
There are critical bugs in the TP-Link Archer C5 v4, Archer MR200v4, Archer MR400v3 and the MR6400v4. Are other TP-Link routers safe? Don't know. No one said anything about other routers having been tested. The bug lets a bad guy take full admin control of the router. First, the bad guy has to trick the router as to the source of a login request. This is not hard. Then, the bad guy simply has to provide a password that is the wrong length. If the password is too short, it locks out access to the router. If the password is too long, it voids the current password letting the bad guy login without a password. TP-Link never fails to impress. Firmware updates are available. However, as the article below by Paul Wagenseil details, the firmware update process is miserable. The Archer MR200, MR400 and MR6400 are LTE-based routers sold in the European Union. The Archer C5 AC1200 is a home Wi-Fi router, sold in many countries.

NOVEMBER 2019

More buggy D-Link routers that will not be fixed

D-Link Adds More Buggy Router Models to 'Won’t Fix' List
by Tom Spring of ThreatPost   November 19, 2019
A new bug in D-Link routers will not be fixed because the routers are too old to bother with (they are End-of-Life or EoL). The bug allows a bad guy, who does not know any passwords, to access the web configuration interface of the router. The buggy devices are: DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L, and DIR-862. D-Link suggests disabling remote administration, resetting the affected routers and using a complicated router password. It is not clear if this bug is similar to the bug (CVE-2019-16920) that FortiGuard Labs reported last month. That bug impacted 10 of the same routers. Spring puts this bug in perspective, noting a long history of bugs in D-Link routers. A September 2019 bug can leak passwords. A May 2019 bug allowed DNS hijacking. In 2017, we learned that the D-Link DIR-130 was one of 25 routers that could be exploited by the CIA. Also in 2017, the 850L and AC1200 had multiple vulnerabilities that could allow a hacker to gain remote access and control of device.

Zero Day flaw in the D-Link DIR-878 router. Others too?

Tianfu Cup Round-Up: Safari, Chrome, D-Link Routers and Office 365 Successfully Hacked
by Elizabeth Montalbano of ThreatPost   November 18, 2019
Hackers, at the annual Tianfu Cup gathering over the weekend, successfully compromised the D-Link DIR-878 router using a zero-day vulnerability. Note the plural use of the word hackers. The router was hacked by seven, yes, seven, different groups. It has been a few days and, so far, no response from D-Link on their security bulletin page. Will they acknowledge the flaw? Will they fix it? Time will tell. The bigger picture, however, involves other D-Link router. It is likely that other similar routers share the same buggy software. And, some recent history: in March 2019 the German Federal Office for Information and Security (BSI) issued a warning about bugs in the DIR-878 and the DIR-825. The bugs are easily exploited and let attackers bypass the logon processes and execute malicious code.

OCTOBER 2019

Ten D-Link routers that should be thrown away

Multiple D-Link routers vulnerable to remote command execution
by US Cert   October 23, 2019
These 10 D-Link routers are buggy, will not be fixed and should be thrown away: DIR-655, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835 and the DIR-825. A remote, unauthenticated attacker may be able to execute commands with root privileges on a buggy router. This can happen as the result of viewing a specially-crafted web page. The bug was publicly disclosed by Fortinet's FortiGuard Labs, same as below. This appears to be the same bugs as below, just that is has been found in six more routers.

D-Link won't fix bugs in four of its routers

D-Link Won't Fix Serious Security Flaw on Four Wi-Fi Routers
by Paul Wagenseil of Tom's Guide   October 8, 2019
Beware the D-Link DIR-652, DIR-655, DIR-866L and DHP-1565 routers. They have critical bugs. An attacker halfway across the world could hijack these routers without needing a password. Everyone suggests throwing these routers away. I agree. End of Life is the techie term for the computing devices that are too old to bother with. As Seinfeld might have said: No bug fixes for you! Manufacturers win twice with routers that are deemed EoL: they don't have spend money fixing bugs and they motivate customers to buy new routers. Usually EoL devices are no longer sold. Not so with D-Link. Three of them can still be bought new from third-party sellers on Amazon's U.S. website. Is the same bug in any other D-Link routers? None of our business. Fortinet, which found the bug, does not say which or how many routers they tested. And, the D-Link response is limited to these four routers with no mention of any others.

SEPTEMBER 2019

Bugs Bugs Bugs - 125 in all

SOHOpelessly Broken 2.0
by Independent Security Evaluators   September 16, 2019
My summary is on the News page.

Here we go again - another LAN side protocol available on WAN

Protocol used by 630,000 devices can be abused for devastating DDoS attacks
by Catalin Cimpanu of ZDNet   August 27, 2019
Just as with UPnP all those years ago, routers (and IoT devices) are exposing a protocol meant exclusively for LAN-side use to the Internet at large. This time the protocol is WSD (a.k.a. WS-Discovery and Web Services Dynamic Discovery). Bad guys abuse WSD to create DDoS attacks. WSD listens on UDP port 3702 (some articles also referenced TCP port 3702). Like UPnP, WSD is a protocol for LAN side devices to discover each other and their capabilities. Is there a printer in the house? WSD communication starts with requests to the IPv4 multicast address 239.255.255.250. IPv6 uses FF02::C (link-local scope). Being exposed to the WAN is only one bug, the other is that devices should only respond to requests to these two IP addresses. WSD responses sometimes come from port 3702, sometimes from random high numbered ports. Akamai noted that most vulnerable devices were CCTV cameras and DVR systems. No article said anything about the failure of the routers to block these vulnerable devices. UPnP haunts us still.

AUGUST 2019

Four router vendors refuse to fix bugs

Cross-Router Covert Channels
by Adar Ovadya, Rom Ogen, Yakov Mallah, Niv Gilboa and Yossi Oren of Ben-Gurion University   August 2019
Researchers at Ben-Gurion University found multiple ways to communicate between the two Wi-Fi networks typically offered by a router. They refer to these two networks as Host and Guest, most people refer to them as Private and Guest. The research was presented at the 13th USENIX Workshop on Offensive Technologies (WOOT). They tested routers from TP-Link, D-Link, Edimax and Linksys and all the companies refused to fix anything. Quoting: "We sent a draft of our findings to the manufacturers of the routers ... during May 2019. During June 2019 the Belkin/Linksys security response team notified us that they do not intend to fix the vulnerability we disclosed. None of the other router vendors responded to our disclosure". As I say elsewhere on this site, don't use a consumer router. The bugs are pretty obscure. For example, on some routers, a DHCP NAK from one network is erroneously sent to the other network which can be used to send a small amount of data to the other network. They also discovered that quickly joining and leaving an IGMP group from the Private network caused an IGMP Membership Query packet to be sent to both the Private and Guest networks. This too can be used transfer data between the two networks. There were also some timing attacks.

Bugs found in multiple 4G Hotspots

Reverse Engineering 4G Hotspots for fun, bugs and net financial loss
by G Richter of Pen Test Partners   August 10, 2019
A 4G hotspot is a router. The biggest difference is that it connects to the Internet via 4G rather than an Ethernet cable. Pen Test Partners found multiple vulnerabilities in several well known vendors Mi-Fi devices, including pre- and post-auth command injection and code execution. The vendors involved were generally poor at responding to disclosure attempts. ZTE was the worst, they responded that a device was end of life, so the bugs would not be fixed ... yet they were still selling it from their own online store! They also found bugs in Netgear and TP-Link devices.

JUNE 2019

Critical bugs in four TP-Link Wi-Fi Range Extenders

Critical RCE Vulnerability in TP-Link Wi-Fi Extenders Can Grant Attackers Remote Control
by Grzegorz Wypych of Security Intelligence   June 18, 2019
Four TP-Link Wi-Fi extenders have a critical remote code execution (RCE) vulnerability. The bug lets a remote attacker get complete control over the device. The attacker does not need to login or authenticate to the device to exploit the bug. The problem is triggered with a malformed user agent field in HTTP headers. The buggy devices are the RE365 (sold in Europe), the RE650 (sold in the US, UK and Canada), the RE350 (same 3 countries) and the RE500 (sold in the US and Canada). Patches have been issued but device owners have to manually download them and install them. First, they have to insure the correct hardware version for the available firmware, then they have to get the firmware for their country. All processes on these devices run with root-level access which is just asking for trouble.

Still another critical bug in Cisco software

Cisco IOS XE Software Receives Fix Against High-Severity Flaw
by Ionut Ilascu of Bleeping Computer   June 13, 2019
Far too much of this web page is devoted to bugs in Cisco software. They just released an updated version of their IOS XE operating system to patch a high severity bug - insufficient cross-site request forgery (CSRF) protections in the web-based user interface of the software. The bug can be exploited by an unauthenticated, remote attacker who could persuade an already logged in user of the web interface to follow a malicious link. The link could then perform arbitrary actions with the privilege level of the victimized user. If the victim is an administrator, bad guys could modify the configuration, run commands and even reload a vulnerable device. The good news is that a victim has to be logged in to the system before they can be exploited. Also, exploitation requires the HTTP Server feature to be active and it is not always active by default (this is version dependent).

MAY 2019

Cisco screws up for the millionth time

Thrangrycat   by Red Balloon Security   May 21, 2019
Take a look at the bugs tracked on this site. Lots of Cisco issues over the last few years. Paraphrasing Red Balloon: There are two bugs that affect about 150 different Cisco devices. The first, known as Thrangrycat, allows an attacker to fully bypass the Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. This is due to multiple hardware design flaws in the TAm. The second is a remote command injection vulnerability against IOS XE version 16 that allows remote code execution as root. By chaining these, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm. The TAm is a proprietary Cisco hardware security module. It is the root of trust that underpins all other Cisco security mechanisms. Thrangrycat allows an attacker to make persistent modification to the TAm, thereby defeating the secure boot process and invalidating the chain of trust at its root. While the flaws are based in hardware, they can be exploited remotely. Since the flaws involve the design of the hardware, it is unlikely that any software patch will fully resolve the fundamental issues. Cisco released a patch for IOS XE and provided the Cisco IOS Software Checker to identify vulnerabilities in Cisco IOS and IOS XE. Cisco is working on patches for Thrangrycat, but notes that the patch will not be a straightforward update for most devices but instead will require "on-premise[s] reprogramming of a low-level hardware component." Patches for many routers, switches and network interface modules will be released between May 2019 and November 2019. As for detection and mitigation, Red Balloon will present this in a talk at BlackHat USA 2019.

TP-Link publicly shamed

Thousands of vulnerable TP-Link routers at risk of remote hijack
by Zack Whittaker of TechCrunch   May 22, 2019
Thousands of TP-Link routers are vulnerable to a bug, and it took more than a year for TP-Link to publish the patches on its website. They created the patches, they just didn't publish them. The bug lets a low-skilled attacker to get full remote access to a vulnerable router. The bug was first disclosed to TP-Link in October 2017. Shortly thereafter, they released a patch for the WR940N router. But, the WR740N was vulnerable to the same bug and no patch was released for it. TP-Link was warned about this in January 2018, yet ... nothing until they were publicly shamed by TechCrunch.

Linksys found to be both incompetent and unconcerned with security

Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw
by Troy Mursch   May 13, 2019
Thirty three Linksys routers are buggy and Linksys will not fix it. They tried to fix it five years ago, but they screwed that up. Yet another confirmation of the opinion I offered on this site from the get-go back in 2015 - avoid consumer routers. The flaw affects Linksys Smart Wi-Fi routers. It allows unauthenticated remote access to sensitive information and its easily exploited by bad guys with little technical knowledge. The routers leak information both about themselves and about every (yes, every) device that has ever connected to them. For connected devices, Linksys always leaks the MAC address, Device name ("TROY-PC") and Operating system. Sometimes it also leaks the device type, model number, and a description of the attached device. As for router information, it leaks the model number, hardware version, serial number, firmware release level, MAC address, the LAN side IP address, WAN settings, firewall status and DDNS settings. Leaking the MAC address lets bad guys determine the physical location of the router. Data provided by BinaryEdge, shows that 25,617 Linksys Smart Wi-Fi routers are currently leaking sensitive information to the public. Among the 33 buggy models are the E4200, EA2700, EA5800, EA6900, EA7300, EA8500, EA9200, WRT1900AC, WRT3200ACM, XAC1900 and WHW03 Velop. The full list is here. This is yet another in a long line of HNAP bugs. The bug can also reveal if a router is using the default password (thousands are) without even trying to login. The worst part is that Linksys tried to fix this five years ago but clearly screwed that up. Then, when contacted about it recently, they had no interest in fixing it properly. Yes, if you disable remote web access you block the information leak. However, Linksys Smart Wi-Fi routers require remote access for the Linksys App to function.

APRIL 2019

29 new Cisco Bugs

Cisco warns over critical router flaw
by Liam Tung of ZDNet   April 18, 2019
Cisco has disclosed 29 new vulnerabilities, 5, 6 or 7 of which are doozies. Its too much for tech reporters to digest. One of the critical bugs is in the ASR9000 Series Aggregation Services Routers. The bug is as bad as bad gets, it can be exploited remotely by a bad guy without a password. There is a patch and a workaround. The other critical bugs affect Cisco Wireless LAN Controller software. Another bug is in the Cisco Expressway Series and Cisco TelePresence Video Communication Server. Another biggie is in Cisco Aironet Series Access Points. Finally, there is a critical bug in the Cisco Cluster Management Protocol code in Cisco IOS and Cisco IOS XE. As with the first bug a remote bad guy without a password can obtain full control of vulnerable devices. If the devices accept Telnet connections, a bad guy who sends malformed Telnet options while establishing a connection can execute arbitrary code. The Threatpost article below offers some context, noting that earlier this month, Cisco re-patched flaws for two high-severity bugs after their first attempt was botched. And, they reported two new router bugs with no fixes or workarounds. Just what you want in a router vendor.

TP-Link, yet again

Buffer Overflow Vulnerability in TP-Link Routers Can Allow Remote Attackers to Take Control
by Grzegorz Wypych and Limor Kessem of IBM Security Intelligence   April 8,2019
There is a buffer overflow flaw in the TP-Link TL-WR940N and TL-WR941ND routers. No other models were tested, so it is likely that others in the same family are vulnerable too. These models are old (they are 300Mbps Wi-Fi N) and have been discontinued. The bug allows bad guys to take control of the device from a remote location. Sounds worse than it is. You have to already be logged on to the web interface to exploit the flaw. And, the flaw is in the web interface, so if Remote Administration is disabled, as it often is, then it can not be exploited from overseas. TP-Link issued patches. Why are so many of these reports about ancient routers? Perhaps because if you break a $30 router while hacking it, no big deal.

Three bugs in a Verizon FIOS router

Verizon Fios Quantum Gateway Routers Patched for Multiple Vulnerabilities
by Tenable Research   April 9, 2019
Tenable has discovered 3 vulnerabilities in the Verizon Fios G1100 Quantum gateway/router. A Command Injection flaw can only be exploited by a user already logged on to the device. It is exploitable from the LAN side and remotely if Remote Administration is enabled. Because HTTPS is not enforced in the web interface, an attacker on the LAN side can intercept login requests using a packet sniffer and then replay the requests to get admin access to the web interface of the router. Packet sniffing a login request also provides a salted password hash (SHA-512). An unauthenticated attacker can retrieve the password salt simply by visiting a URL in a web browser. Thus, an attacker could perform an offline dictionary attack to recover the original password. Of course, the focus on passwords is because insecure firmware, like this, always uses the same userid. By now, most Verizon FIOS customers should have the updated firmware. If you have a G1100 you should verify this. The real lesson here is not use hardware from an ISP. See the Disclosure Timeline in the first article below and judge the Verizon repsonse for yourself.

MARCH 2019

TP-Link ignores a security problem

TP-Link 'smart' router proves to be anything but smart - just like its maker: Zero-day vuln dropped after silence
by Thomas Claburn of The Register   March 28, 2019
90 days ago Matthew Garrett, a Google employee, informed TP-Link of a bug in their all-in-one SR20 Smart Home Router. TP-Link ignored the problem. To me, this is the more important issue, much more interesting than the bug itself. Garret wrote: "I reported this to TP-Link in December via their security disclosure form, a process that was made difficult by the "Detailed description" field being limited to 500 characters. The page informed me that I'd hear back within three business days - a couple of weeks later, with no response, I tweeted at them asking for a contact and heard nothing back." The SR20 is a combination Zigbee/ZWave hub and router. Ignoring security problems is one of three mistakes TP-Link made. They also ship devices with debug daemons, software intended for testing, that does not belong in a released product. The software is the TP-Link Device Debug Protocol (tddp) and it has had multiple vulnerabilities in the past. This bug allows allows arbitrary command execution, as root, without authentication, from devices on the LAN. TDDP listens on the WAN side too, but the default firewall configuration blocks it there. To better control access to the router from LAN-side devices see the Local Administration section of my security checklist. Garrett also said that @CoreSecurity had the same experience when they reported TDDP flaws.

FEBRUARY 2019

Bugs in two D-Link routers found by the BSI in Germany

D-Link investigates router vulnerability after German security agency warning
by CET news   March 1, 2019
D-Link is investigating bugs in the DIR-825 and DIR-878 after a warning from the German Federal Office for Information and Security (BSI). The BSI assigned a severity rating of "high". The bugs allow attackers to bypass the logon processes and execute malicious code. The bugs are easily exploited. The DIR-825 got its last update in 2015, the DIR-878 was last updated in August 2018. My guess (time will tell) is that these bugs will not be fixed.

JANUARY 2019

Can Cisco be trusted?

Multiple vulnerabilities in Cisco Identity Services Engine (Unauth XSS to RCE as root)
by Pedro Ribeiro of Agile Information Security and Dominik Czarnota   First published Jan 20, 2019, Last Updated Feb 5, 2019
I don't care much about the details here, and the bugs are not in a router. But Cisco makes routers and the bigger issue, to me, is just how trustworthy Cisco is. They appear on this bug list often. Would you buy a router from them? Quoting: "ISE is distributed by Cisco as a virtual appliance. We have analysed version 2.4.0.357 and found three vulnerabilities ... By putting them all together, we can achieve remote code execution as root, provided we can trap an administrator into visiting the page vulnerable to the stored cross site scripting." Agile dealt with Cisco about these bugs and it did not go well, leading to Ribeiro saying "These actions show Cisco is incredibly negligent with regards to the security of their customers. They are still shipping (and recommending) a product version vulnerable to unauthenticated remote code execution, with a fully working public exploit and no way to track fixes or fixed versions for these vulnerabilities." Ouch.

Three bugs in two Cisco routers

Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
a Cisco Security Advisory   January 23, 2019
This happened fast. In September 2018, three bugs were reported to Cisco by German security firm RedTeam Pentesting. Cisco released patches for the bugs on January 23, 2019. The next day, proof of concept software was released that exploited the bugs. The day after that, bad guys were scanning for vulnerable Cisco routers. The bugs are exploitable on both the LAN and WAN side using just HTTP and/or HTTPS GET requests. The first two bugs expose information about the router to anyone who asks - no password is needed. One of these bugs exposes the Admin password. With that, bad guys can abuse the third bug to run any Linux command on the box. The vulnerable URLs are
   http://1.2.3.4/cgi-in/config.exp   and
   http://1.2.3.4/cgi-bin/export_debug_msg.exp
where 1.2.3.4 is either the LAN side or WAN side IP address of the router. The bugs are CVE-2019-1653 and CVE-2019-1652. The Cisco RV320 and RV325 routers are popular among both ISPs and large enterprises. On the WAN side, the web interface is exposed on TCP port 8007. Information about attacks on these bugs is on the News page.

Many Cisco switches have a backdoor account

Critical, Unpatched Cisco Flaw Leaves Small Business Networks Wide Open
by Tara Seals of Threatpost   January 18, 2019
These Cisco Small Business switches are vulnerable to full remote takeover thanks to a backdoor account: the 200 and 250 Series Smart Switches, the 300 and 350 Series Managed Switches, the 350X, 500 and 550X Series Stackable Managed Switches. There is no patch, but there is a work-around. The most interesting question is whether this is a bug or a feature. It looks like a bug in that it has an official CVE number (CVE-2018-15439) and a critical base CVSS severity rating of 9.8 (really bad). The devices ship with an in-built privileged user account that is used for the initial login. This account can not be removed. It is defined in a software-internal data structure and its not visible in either the running configuration or the startup configuration of an affected device. Bad guys can use this account to log in to a vulnerable device and execute commands with full admin privileges. The work-around is creating a user account with access privilege level of 15 (or higher?). But, if that account gets deleted, the hidden one works again, without notifying system administrators. It sure feels like a back door that can be easily hidden in case the virtual cops are coming. Why else hide the existence of this in-built account? Also, there have been many other backdoors discovered in Cisco software over the last year or so. It has been about 3 months and still no patch.


To keep this page small, router bugs from earlier years have been omitted by default. To see them, click the buttons below.

           


Top 
Page Created: February 4, 2015      
Last Updated: September 9, 2022 9PM CT
Viewed 746,520 times
(269/day over 2,775 days)     
Website by Michael Horowitz      
Feedback: routers __at__ michaelhorowitz dot com  
Changelog
Copyright 2015 - 2022