DECEMBER 2017
Security flaw in the GoAhead web server
GoAhead ... and pwn us: Remote hijacking flaw in Internet of Things gear
by Shaun Nichols of The Register December 20, 2017
We have seen this movie before. Web server software included in routers and IoT devices is buggy and easily exploited. Bug fixes are available but many/most vulnerable devices will never get updated. The web server software is GoAhead from a company called Embedthis which says "GoAhead is the world's most popular, tiny embedded web server. It is compact, secure and simple to use. GoAhead is deployed in hundreds of millions of ... devices and applications. For example: printers, routers, switches, IP phones, mobile applications, data acquisition, military applications and WIFI gateways."
Embedthis publicly documented the flaw (see below) on June 12, 2017. The bug was fixed in version 3.6.5 which has been available since then. Security firm Elttam, which found the flaw, blogged about it and provided technical details on Dec. 18, 2017. Counts of Internet accessible devices running the GoAhead server number over 500,000 but they are not all vulnerable. For one thing, the bug is in CGI and Embedthis claims that many of their customers do not use CGI. They claim to have been discouraging its use for more than 10 years. CGI is slower, bigger and less secure than competing services: in-memory scripting and URL-to-C binding. In addition, vulnerable CGI programs have to be dynamically linkable and quite a few devices use statically linked binaries instead.
A bug in Huawei HG532 router
Huawei Home Routers in Botnet Recruitment
by Check Point Research December 21, 2017
A Zero-Day vulnerability in the Huawei HG532 router was discovered by Check Point Researchers, who also saw thousands of attempts to exploit it in the wild. The malware bad guys are installing on vulnerable routers is called OKIRU/SATORI, a variant of Mirai. They saw attacks running over port 37215 exploiting a bug the Universal Plug and Play (UPnP) protocol, via the TR-064 standard. The real news here is that the same bug was reported in 2013 in the Huawei HG523a and HG533 routers. For more, see the Router News page for March 2019.
Netgear WiFi Family website hacked for two years
Vigilante Removes Malware from Netgear Site After Company Fails to Do So for 2 Years
by Catalin Cimpanu of Bleeping Computer December 15, 2017
A few years ago, Netgear created a website, www.wififamilyblog.com, that had articles on the usage of various Netgear technologies. The site was based on WordPress and not secured correctly. As a result, the site has been compromised since February 2015. Scammers abused the site to send spam that directed people to fully functional fake tech support sites that were hosted on the WiFi Family site. After this got publicity, the website was finally taken offline on December 16, 2017.
NOVEMBER 2017
Still more Good News, Bad News with Netgear
NETGEAR Security Advisories from Netgear
The good news is that Netgear seems to be on the ball, fixing bugs in their router software.
The bad news is that there are sooooooooooo many bugs.
Last month, I summarized the bug reports, this month, they are listed below.
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2156
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2153
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2152
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2150
11/22/2017 Security Advisory for Authentication Bypass on Routers, PSV-2017-2148
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2147
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2146
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2145
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2144
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2141
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2139
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2138
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2136
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2135
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2134
11/21/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2016-0096
11/21/2017 Security Advisory for Authentication Bypass on R6300v2, PLW1000v2, and PLW1010v2, PSV-2016-0069
11/21/2017 Security Advisory for Authentication Bypass on Some Routers and Gateways, PSV-2016-0061
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers and Extenders, PSV-2017-2154
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers and Extenders, PSV-2017-2143
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2017-2142
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers and Extenders, PSV-2017-2140
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Some Routers and Extenders, PSV-2017-0706
11/21/2017 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2017-0670
11/21/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2017-0615
11/21/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2017-0335
11/21/2017 Security Advisory for Cross-Site Request Forgery on Some Routers, PSV-2017-0331
11/21/2017 Security Advisory for Authentication Bypass on Some Routers, PSV-2017-0330
11/21/2017 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2017-0324
11/21/2017 Security Advisory for Stored Cross-Site Scripting on Some Routers, PSV-2017-0323
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2016-0256
11/21/2017 Security Advisory for Security Misconfiguration on Some Extenders, PSV-2016-0253
11/21/2017 Security Advisory for Security Misconfiguration on Some Extenders, PSV-2016-0115
11/21/2017 Security Advisory for Security Misconfiguration on Some Routers and Extenders, PSV-2016-0104
11/21/2017 Security Advisory for Cross-Site Request Forgery on Some Routers, PSV-2016-0101
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2133
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Some Routers, PSV-2017-2517
11/21/2017 Security Advisory for Arbitrary File Read on Some Routers and Extenders, PSV-2017-0319
11/20/2017 Security Advisory for Security Misconfiguration on Routers, PSV-2017-2124
11/20/2017 Security Advisory for Pre-Authentication Buffer Overflow on Routers, PSV-2017-0791
11/20/2017 Security Advisory for Post-Authentication Command Injection on Routers, PSV-2017-0329
11/20/2017 Security Advisory for Cross Site Request Forgery on Routers and Modem Routers, PSV-2017-0333
11/20/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2017-2756
11/20/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2016-0120
11/17/2017 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2017-2157
11/17/2017 Security Advisory for Post-Authentication Stack Overflow on R8300 and R8500, PSV-2017-2227
11/16/2017 Security Advisory for Post-Authentication Stack Overflow on R8000, PSV-2017-2229
11/16/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2017-2451
11/16/2017 Security Advisory for Security Misconfiguration on Some Routers and Extenders, PSV-2017-2212
11/16/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers and Extenders, PSV-2017-2210
11/16/2017 Security Advisory for Denial of Service on Some Routers, PSV-2017-0648
11/16/2017 Security Advisory for Arbitrary File Read on DST6501 and WNR2000v2, PSV-2017-0425
11/16/2017 Security Advisory for Post-Authentication Command Injection on Routers, PSV-2017-0320
11/15/2017 Security Advisory for Cross Site Request Forgery on Extenders, PSV-2016-0130
11/15/2017 Security Advisory for Arbitrary File Read on Routers and Extenders, PSV-2016-0122
11/15/2017 Security Advisory for Post-Authentication Buffer Overflow on Powerlines and a Router, PSV-2016-0121
11/15/2017 Security Advisory for Stored Cross Site Scripting on Routers, PSV-2016-0100
11/15/2017 Security Advisory for Authentication Bypass on Some Routers and Extenders, PSV-2017-0424
ZyXEL routers being attacked
Early Warning: A New Mirai Variant is Spreading Quickly on Port 23 and 2323
by Li Fengpei of Qihoo 360 Netlab November 24, 2017
A new variant of the Mirai botnet has been detected, mostly in Argentina. It attacks ports 23 and 2323 on ZyXEL devices that have a default userid/password. This, gets the bad guys into the devices, then a second vulnerability (CVE-2016-10401), a hard coded superuser password, gives them root privileges. Game over. On ZyXEL PK5001Z devices, zyad5001 is the superuser password. Almost 100,000 infected devices were detected in Argentina, specifically in the network of Telefonica de Argentina. Obviously, they shipped devices with default passwords. Re-booting an infected device should remove any malware.
TP-Link firmware lags in Europe
TP-Link serves outdated or no firmware at all on 30% of its European websites
by Daniel Aleksandersen on his personal blog November 20, 2017
TP-Link has 60 country-specific websites around the world, 24 in Europe. Aleksandersen bought a TP-Link RE650 repeater and noticed that his Norway TP-Link website was two firmware releases behind the neighboring countries of Denmark and Sweden. So, he looked at how each of the 24 European websites ranked in terms of available firmware releases. He investigated nine TP-Link products sold in Europe, and checked the available firmware in each website, a total of 216 data points. Only 6 countries had the latest firmware versions available for all nine products. Put another way, there are problems on 75% of TP-Links European websites. He found the most recent European firmware was as much as a year out of date compared to the US firmware. And, there does not seem to be a good reason for this. The changelogs for the newer American firmware showed updates that were not region specific in any way.
Adding insult to injury is the firmware update process. None of the TP-Link devices self-update. Worse still, the company does not contact their customers to tell them of newly released bug fixes. There are no emailing lists or syndication feeds. Nuttin.
Aleksandersen wonders why TP-Link even has 24 websites. He says there is no need for country specific firmware for Wi-Fi networking equipment within the EEA-single-market. He found that ASUS, Linksys, Netgear, and others have a single global firmware download; or two-three regional variants at the most, all being offered on the same download page.
Finally, he writes "We're a month in to the KRACK Attack vulnerability disclosure, and TP-Link hasn't yet released updates for any of their products ... Stay well away from TP-Link products if you're any bit conscious about the security of your devices." As I say, avoid all consumer routers.
ISP in Ireland has to replace modems. Good for Ireland. Would never happen in US
Eir forced to replace 20,000 modems over security concerns
by Pater Hamilton of Irish Times November 6, 2017
Last year, Eir contacted about 130,000 of its customers as a result of security concerns that the customers routers were vulnerable to infection by a virus that could ultimately lead to them being hacked. At that time, the company said nearly 2,000 customer routers had been breached. Following an investigation by the Data Protection Commissioner, the company had to replace almost 20,000 modems for customers with basic broadband packages without access to fibre services. Additionally, Eir agreed to ... ensure that modem devices provided appropriate security during their lifetime.
OCTOBER 2017
A classic case of Good News, Bad News
NETGEAR Security Advisories from Netgear
On Oct 24, 2017 Netgear issued three security advisories for their routers. On Oct. 25th, they issued 8 more security advisories for routers. On Oct. 27th they issued two more router security advisories. The good news is that they are being informed of these bugs and fixing them. In early 2017 Netgear changed how they deal with bug reports from outside the company. The bad news is that their routers are buggy as heck. Does the good outweigh the bad? Matter of opinion.
KRACK
Key Reinstallation Attacks
by Mathy Vanhoef of imec-DistriNet, KU Leuven October 16, 2017
WPA2 was considered secure for a dozen years. Then, on October 16, 2017 details of the KRACK flaw were released showing that bad guys could break WPA2 encryption. For the most part the bug is with clients rather than routers. That said, its complicated, there are 10 different KRACK related bugs. Two involve routers. One comes into play when a client switches between access points that are part of the same network. The other involves routers acting as clients. For my favorite router, the Pepwave Surf SOHO, this means its WiFi as WAN feature is vulnerable. Network extenders should also be vulnerable. KRACK has nothing to do with Wi-Fi passwords. Many articles said KRACK lets bad guys steal your passwords, that is fear mongering as almost all passwords are encrypted with TLS/HTTPS. And a VPN or TOR can offer yet another level of encryption. Yet another reason not to use an Apple router, they said nothing about this.
Not news: old D-Link routers are buggy
D-Link DIR-600/300 Router Unauthenticated Remote Command Execution Vulnerability
by Check Point October 19, 2017
A remote code execution vulnerability exists in the D-Link DIR-600 and DIR-300 routers. A remote attacker can exploit this weakness to execute arbitrary code in the affected router. The DIR-600 is an old Wi-Fi N router.
TP-Link fixes bug in their WR940N router
Remote Code Execution (CVE-2017-13772) Walkthrough on a TP-Link Router
by Tim Carrington of Fidus Information Security October 17, 2017
TP-Link has fixed a bug in their WR940N home WiFi router. A Shodan search found 7,200 of these devices connected to the Internet. But, the bug was more a pattern than a single instance. User input from a GET parameter is passed directly to a call to strcpy without any validation. An analysis of the firmware found this pattern of code in many locations. To patch these vulnerabilities, TP-Link needed to replace the majority of the calls to strcpy with safer operations, such as strncpy. To their credit, they did so within a week. The bug was found on hardware version 4 but only fixed on hardware version 5. And, the fix is for US firmware only. The initial report to TP-Link was on Aug 11, 2017 and the patched firmware was made available on Sept. 28, 2017.
Netgear updates pretty much everything
Netgear Fixes 50 Vulnerabilities in Routers, Switches, NAS Devices
by Tom Spring of Kaspersky ThreatPost October 2, 2017
Netgear issued 50 patches for its routers, switches, NAS devices, and wireless access points to resolve vulnerabilities ranging from remote code execution bugs to authentication bypass flaws. Twenty of the patches address "high" vulnerability issues with the remaining 30 scored as "medium" security risks. One of those vulnerabilities (PSV-2017-1209) is a command injection bug tied to 17 consumer routers.
7 Security Bugs in dnsmasq
Behind the Masq: Yet more DNS, and DHCP, vulnerabilities
by Google Security October 2, 2017
Dnsmasq is open source DNS and DHCP software and is commonly installed on routers, Linux and Android. The most severe of the 7 bugs could be remotely exploited to run malicious code and hijack the device. Three bugs are potential remote code executions, one is an information leak, and the remaining 3 are denial of service flaws. Trend Micro has identified around 1 million devices that are running a vulnerable version of dnsmasq and expose port 53 (DNS) on the public internet.The latest version of Dnsmasq, v2.78 has fixes for all the bugs.
SEPTEMBER 2017
Netgear routers attacked by abusing old bug
RouteX Malware Uses Netgear Routers for Credential Stuffing Attacks
by Catalin Cimpanu of BleepingComputer.com September 13, 2017
Quoting: "A Russian-speaking hacker has been infecting Netgear routers over the past months with a new strain of malware named RouteX that he uses to turn infected devices into SOCKS proxies and carry out credential stuffing attacks. According to Forkbombus Labs ... the hacker is using CVE-2016-10176, a vulnerability disclosed last December to take over Netgear WNR2000 routers." The bug lets the bad guy run the RouteX malware on Netgear routers that have not been patched. The malware defends itself by modifying the firewall of infected routers. This is the reason not to re-use passwords. Credential stuffing is the name given to the process of trying one stolen userid/password at multiple websites/services. To avoid being detected, bad guys spread out their credential stuffing so that it is performed from many different locations, none tied to them. Possibly from your Netgear router. The SOCKS proxy server serves as a middleman that reroutes data between the bad guy and his intended targets. How can you tell if your Netgear router is infected? No one said. It can't hurt to check for new firmware on all Netgear routers. If manual checking is too much, some routers self-update (see my list). Among the cheaper options, a single Google Wifi hockey puck router can be had for about $120. A single AmpliFi square router is about $130. A single eero costs about $200 and the Synology RT1900ac is around $120.
Three more D-Link router flaws
Enlarge your botnet with: top D-Link routers
by security firm Embedi September 12, 2017
Embedi found three flaws in the D-Link DIR890L, DIR885L, DIR895L and, most likely, other DIR8xx routers. Four months after first contacting D-Link, two of the flaws have not been patched. The one that was patched, was only fixed in the DIR890L, other models are still vulnerable. The good news here is that exploitation is LAN side and anyone following my advice on securing local access to a router and assigning IP addresses is protected. BUG1: In the router, phpcgi processes its internal web interface web pages. A malicious request, sent to http:// 192.168.0.1/getcfg.php, can bypass the normal authorization checks and execute a script that returns the userid/password of the router. BUG2: There have been many bugs over the years involving HNAP, this is yet another. A malicious request sent to http:// 192.168.0.1/HNAP1/ can cause a stack overflow that allows for the execution of shell commands with root privileges. BUG3: There is a window of opportunity just after the router starts up, where a device connected to an Ethernet LAN port can upload new firmware onto the router. This begs the question of why firmware is not digitally signed. If it was, the new firmware would be rejected. One way to restart the router (in addition to the other two bugs) is to send an EXEC REBOOT SYSTEM command to port 19541. No password needed. This port is open on the LAN side and there does not seem to be a way to close it. According to Victor Gevers, there are over 98,000 vulnerable D-Link routers (including the 10 flaws in the 850L). The blog posting includes ugly details of Embedi trying to get D-Link to fix things. When combined with the below D-Link router flaws, reported just a few days earlier, I am left thinking that a qualified person could find flaws in any D-Link router.
D-Link 850L router should be disconnected from Internet
Researcher Publishes Details on Unpatched D-Link Router Flaws
by Catalin Cimpanu of Bleeping Computer September 9, 2017
Pierre Kim, who has found many router flaws in the past, published the details of TEN vulnerabilities he discovered in the D-Link DIR 850L router. The 850L is a wireless AC1200 Dual Band Gigabit "Cloud" Router. He also found flaws in the Mydlink Cloud Service, which lets you remotely access and control D-Link devices on your home network. Kim published his findings without notifying D-Link first. Back in February they ignored his previous attempts at reporting other flaws. The flaws can be exploited from both the LAN and WAN side of the router. Bad guys can make the router sing and dance. More specifically, they can intercept traffic, upload malicious firmware and get root privileges. Kim recommends disconnecting any DIR 850L routers.
Some AT&T Arris gateways are brutally vulnerable
SharknAT&To
by Joseph Hutchins of Nomotion August 31, 2017
Let's be clear: this is a disgrace. Security firm Nomotion claims that AT&T U-verse modems, models NVG589 and NVG599, have brutal security flaws; five all told, that let the devices be fully and totally hacked by bad guys, including uploading new firmware. They claim there are at least 220,000 of these vulnerable devices currently in use. Articles on this refer to the devices as "modems" but that is not correct. They are gateway devices, combining modem and router features. Three of the five flaws are hard coded backdoor accounts. Another is that SSH is enabled by default on the WAN side where anyone can login as root using one of the hard coded userid/passwords. Also on the WAN side, an HTTP request to open port 49152 allows bad guys to bypass the device's firewall and open a TCP proxy connection to the device. This hack requires a predictable three-byte value followed by the MAC address. They found this port open on every single AT&T device they tested. Malpractice, I say. On the LAN side, attackers can authenticate on port 49955 to the web admin interface with the username "tech" and an empty password. The web server in the boxes is also vulnerable to a command injection flaw that lets bad guys run shell commands in the context of the web server. Its not clear if this is LAN or WAN side. Finally, someone who knows the device serial number can use a hard coded userid/password to authenticate to the device on port 61001. Here too, its not clear if the flaw is LAN or WAN side. All told, these devices are a botnet just waiting to happen.
Perhaps the most shocking thing was that Hutchins found a module in the kernel "whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic." He said the module is not being used but the code is there.
How much of the blame falls on AT&T vs. Arris is not yet clear. Hutchins did note that Arris has a history of "careless lingering of hardcoded accounts on their products."
I may have been wrong about the most shocking aspect. It is that AT&T ignored this. As of two weeks after the disclosure, they have said nothing. Seems they want to keep their customers ignorant of the problems. Arris initially said they are investigating but two weeks later, they have said nothing else.It seems that unless stories like this break out of the nerd news, companies are not sufficiently shamed to do anything. Even Equifax did something.
AUGUST 2017
Netgear reports on 3 bugs in their routers
NETGEAR Security Advisory Newsletter
by Netgear August 2017
The following bugs in Netgear routers comes from the NETGEAR Security Advisory Newsletter. None of the Security Advisories offer details on the flaws. Anyone owning a Netgear router should subscribe to the newsletter, if only because none of these bugs were reported anywhere else, that I can find.
Cisco routers and switches vulnerable
Australian businesses targeted in Cisco switch and router attacks: ACSC
by Stilgherrian of ZDNet August 16, 2017
The Australian Cyber Security Centre (ACSC) warns that Cisco routers and switches with Simple Network Management Protocol (SNMP) enabled and exposed to the internet, are vulnerable to having their configuration files extracted. The config files may contain device administrative credentials which can be used to compromise the device. Also vulnerable are switches using Cisco Smart Install (SMI) that are accessible from the internet. SMI is a feature in Cisco IOS that was intended for LAN side use and thus has no authentication. SNMP is included in my suggested list of stuff to turn off.
Flaw in some Juniper routers goes unpatched for months
Juniper issues security alert tied to routers and switches
by Tom Spring of Kaspersky Threatpost August 10, 2017
There was a bug in the open-source GD graphics image library (libgd) that could allow a remote attacker to take control of systems running certain versions of the Junos OS. The bug existed in T Series and MX series routers along with four switch products. Juniper has issued a software fix. To me, the most interesting aspect is how long it took Juniper to fix the problem which was first made public in April 2016. Many Linux distributions quickly fixed it. The article says "Use of the flawed libgd library has stung a wide range of firms over the past year." Juniper did not publish a Security Advisory about this until July 12, 217.
JULY 2017
Netgear Router Analytics means Netgear spies on your router
Netgear Enables User Data Collection Feature on Popular Router Model
by Catalin Cimpanu of Bleeping Computer May 22, 2017
News about this broke in May 2017, I'm late in writing it up. And, although this is not a software bug, it is a flaw nonetheless - one of corporate personality. Simply put, Netgear now spies on some of their routers. This rolled out in April 2017 with firmware 1.0.7.12 for the R7000. Also in April, spying/analytics was added to the Orbi RBK40, RBR40 and RBS40 (Firmware Version 1.9.1.6). In each case "data collection" is on by default, you have to login to the router to disable it.
If you have a Netgear router, consider installing DD-WRT on it from the Netgear supported www.myopenrouter.com site.
JUNE 2017
Two bugs in an old TP-Link router
CVE-2017-9466: Why Is My Router Blinking Morse Code?
by Senrio June 19, 2017
Senrio has discovered two flaws in the TP-Link WR841N Version 8 router. The flaws, which can only be exploited on the LAN side, allowed them to not only gain administrative access to the device but also to run malicious code on it. The flaws were reported to TP-Link in Sept. 2016 and they were initially reluctant to fix an older product that was no longer supported. However, the fix was released in Feb. 2017. There was no update to the firmware for versions 9 and 11 of the router. It is not known if other TP-Link routers suffer from similar flaws. The first flaw was in a configuration service that allows attackers to send it commands without first logging in. The second flaw was a stack overflow issue and this is what let them install and run malicious software on the router.
Multiple WiMAX routers are easily hacked
Ghosts from the past: Authentication bypass and OEM backdoors in WiMAX routers
by Stefan Viehbock of SEC Consult Vulnerability Lab June 7, 2017
WiMAX routers that make use of a custom httpd plugin for libmtk (the MediaTek SDK library) are vulnerable to an authentication bypass that allows a remote, unauthenticated attacker to change the administrator userid and password. The vulnerable software is commit2.cgi. It accepts a variable called ADMIN_PASSWD which is the new password. The full list of vulnerable routers is not known. Vendors making vulnerable routers include GreenPacket, Huawei, MADA, ZTE and ZyXEL. In addition, Viehbock believes the routers also contain backdoor accounts.
The Huawei devices will not be fixed, the company said they are too old. The firmware was developed by ZyXEL which did not respond to inquiries made by CERT. After this got publicity, they responded to Chris Brook of Kaspersky's Threatpost they are "working on a solution". Time will tell.
7 bugs in web interface of Peplink routers
Multiple Vulnerabilities in peplink balance routers
by Eric Sesterhenn of X41 D-Sec GmbH June 5, 2017
Bugs have been reported in the web interface of Peplink Balance routers models 305, 380, 580, 710, 1350, 2500 running firmware 7.0.0. Initially it was not clear if other Balance routers were also vulnerable. They are. It was also not clear if other Peplink routers, such as the model, I recommend, the Surf SOHO are vulnerable. They are. And, it was not initially clear if the flaws are only in firmware 7.0.0 or if they also exist in the previous 6.3.3 firmware. They exist in both.
As to flaw details: (1) The worst is said to be a SQL injection attack via the bauth cookie parameter. This allows access to the SQLite session database containing user and session variables. (2) With specialized SQL queries, it is possible to retrieve usernames from the database. This doesn't strike me as a big deal because Peplink lets you change the username. So, lots of guessing needed to exploit this. (3) The CGI scripts in the admin interface are not protected against cross site request forgery attacks. This allows an attacker to execute commands, if a logged in user visits a malicious website. (4) Passwords are stored in cleartext (5) If the web interface is accessible, it is possible to abuse the syncid parameter to trigger a cross-site-scripting issue. (6) If the web interface is accessible, it is possible to abuse the the orig_url parameter to trigger a cross-site-scripting issue in preview.cgi. (7) A logged in user can delete arbitrary files (8) If the web interface is accessible, it is possible to retrieve the router serial number without a valid login.
The report said that Peplink released updated firmware, version 7.0.1 to fix these bugs on June 5, 2017. However, on the 6th there was no mention of this firmware on the Peplink download page. In fact, there was no mention of these bugs anywhere on the Peplink site or in their forum. On the other hand, the reported timeline shows that Peplink responded quickly and fixed the bugs quickly. Running the admin interface on a non-standard port would likely have prevented abuse of these flaws. Also, devices in an isolated VLAN can be prevented from even seeing the router admin interface.
Peplink responded on June 7th in a forum posting on their website: 7.0.1 RC4 and 6.3.4
RC Addresses Security Advisory CVE-2017-8835 ~ 8840 This has links to updated firmware for all affected models. The new firmware is currently in Release Candidate status. It is expected to be upgraded to GA (Generally Available) status in a week. There are also a couple
suggested work-arounds in case updating the firmware is not an immediate option.
3Gstore, a Peplink retailer that I have used a few times, sent an email to their customers about this which raised an excellent point that no one else had. There is a hidden danger to the fact that bad guys can learn the router serial number - they can register the router with Peplinks remote control service, InControl2 - if the router has not already been registered. So, 3Gstore suggests, that even if you are not using InControl 2, you should create an account and register your Peplink router for the sole purpose of preventing a bad guy from registering it. Routers registered with the InControl 2 service can be remotely controlled.
EnGenius Enshare bug has been patched
EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
by Gjoko Krstic of Zero Science Lab June 4, 2017
With the EnGenius IoT Gigabit Routers and their mobile app you can transfer files to/from a USB hard drive attached to the router. Enshare is a USB media storage sharing application that enables local and remote access to files on a USB hard drive. EnGenius EnShare suffers from an unauthenticated command injection vulnerability. An attacker can inject and execute arbitrary code as the root user via the 'path' GET/POST parameter parsed by 'usbinteract.cgi' script. EnGenius ignored the initial report of the problem, but they fixed it roughly two weeks after it was publicly disclosed.
MAY 2017
Asus router bugs
ASUS Patches RT Router Vulnerabilities
by Michael Mimoso of Kaskpesky Threatpost May 11, 2017
Asus recently fixed multiple bugs in 30 RT router models. Nightwatch Cybersecurity found the bugs. Some were patched in March, some just now. An attacker on the LAN side can change router settings, steal Wi-Fi passwords or get leaked system information. Malicious JavaScript can abuse a CSRF flaw to login to the router. An issue with leaking system information was not felt to be important by Asus and was not patched.
Multiple bugs in an old Cisco VPN router
Cisco drops critical security warning on VPN router, 3 high priority caveats
by Michael Cooney of Network World MAY 3, 2017
The Cisco CVR100W VPN router is old. It only does Wi-Fi N and it does not support Gigabit Ethernet. It has a critical bug in its Universal Plug-and-Play (UPnP) software which fails to do good range checking of UPnP input data. The bug could let an unauthenticated, Layer 2-adjacent attacker execute arbitrary code as root or cause a denial of service. Cisco has released new firmware with a fix. The same router also has vulnerability in the remote management access control list feature that could allow an unauthenticated, remote attacker to bypass the remote management ACL. No fix for this second flaw seems to be available.
Bug in Cisco IOS XR routers
Cisco IOS XR Software Denial of Service Vulnerability
by Cisco May 3, 2017
The Event Management Service daemon of Cisco IOS XR routers improperly handles gRPC requests. This could allow an unauthenticated, remote attacker to crash the router in such a manner that manual intervention is required to recover. The gRPC service is not enabled by default. Cisco has released a bug fix.
APRIL 2017
Flaw in modems using Intel's Puma 6 chipset
You can blow Intel-powered broadband modems off the 'net with a 'trivial' packet stream
by Shaun Nichols of The Register April 27, 2017
OK, its about modems, not routers. Close enough. A modem using Intel's Puma 6 chipset can be overloaded and virtually knocked offline by a small amount of incoming data. There is no mitigation, but it does require a constant attack. When the attack stops, things return to normal. The bug has to do with exhausting an internal lookup table. Known vulnerable devices are the Arris SB6190 and the Netgear CM700. The Puma 6 chipset is also used in some ISP-branded cable modems, including some Xfinity boxes supplied by Comcast in the US and the latest Virgin Media hubs in the UK such as the Super Hub 3. Earlier articles mentioned a possible modem firmware update. However, even if a fix is issued you are at the mercy of your ISP to install it. Good luck with that.
UPDATE: The performance issues with Intels Puma 6 gigabit broadband modem chipset also affect the Puma 5 and Puma 7 family. See Intel Pumageddon: Broadband chip bug haunts Chipzilla's past, present and future by
Shaun Nichols of The Register August 9, 2017.
Ten flaws in 25 Linksys routers
Linksys Smart Wi-Fi Vulnerabilities
by Tao Sauvage of IOActive April 20, 2017
Researchers discovered ten bugs, six of which can be exploited remotely by unauthenticated attackers. The bugs exist in four models of the WRT series and 21 models of the EAxxxx Series. Two of the bugs allow remote unauthenticated attackers to crash the router. Others leak sensitive information such as the WPS pin code, the firmware version, information about devices connected to the router and other configuration settings. The most serious bug requires authentication - it lets attackers execute shell commands with root privileges. In the worst case, this lets a bad guy setup a backdoor account on the router that would not appear in the web interface and could not be removed. If remote administration is enabled, the routers are vulnerable remotely. Either way, the routers are vulnerable from the LAN side. A big problem is that these routers have a default userid/password. Just that fact alone should steer you away from these routers. On the other hand, Linksys has co-operated well with IOActive in both acknowledging the problem and fixing it. Some of the buggy routers can self-update but that feature needs to be enabled.
Travel routers from TP-LINK, StarTech, TripMate and TrendNet vulnerable
Travel Routers, NAS Devices Among Easily Hacked IoT Devices
by Chris Brook of Kaspersky ThreatPost April 10, 2017
Bugs in four travel routers were disclosed by Jan Hoersch of Securai GmbH in Munich. The TP-LINK M5250 will cough up administrator credentials in response to an SMS message. A StarTech router has telnet open with a hard coded password of root that can not be changed. On the Hootoo TripMate travel router an unathenticated user can do a firmware update. The TrendNet TEW714TRU used to let an unauthenticated LAN side user inject arbitrary commands. After the flaw was reported, TrendNet revised the firmware, but the underlying bug remained. Now, however, you have to be an authenticated user to exploit it.
MARCH 2017
Ubiquiti drags their heels fixing a bug
Unpatched vulnerability puts Ubiquiti networking products at risk
by Lucian Constantin of IDG News Service March 16, 2017
As bugs go, this is chump change; only authenticated users can exploit the flaw. The bug, discovered by SEC Consult, allows authenticated users to inject arbitrary commands into the web interface. The bug has been confirmed in 4 Ubiquiti Networks devices but is believed to exist in another 38. The worst part seems to the way Ubiquiti handled the issue. They acknowledged the flaw at the end of Nov. 2016, then gave SEC Consult a hard time and eventually just went silent. After a while, SEC Consult gave up and went public. Nerds everywhere love Ubiquiti, hopefully they read about this.
Two bugs in GLi routers have been patched
LAN surfing. How to use JavaScript to Execute Arbitrary Code on Routers
by T Shiomitsu of Pentest partners Mar 13, 2017
The GLi range of routers are small and very customizable routers, predominantly for those who fancy an extra level of control over their Wi-Fi-connected devices. Two flaws were found in the GL Innovations firmware v2.24. One was an authentication bypass, the other authenticated code execution. The article has sample code for using WebRTC and JavaScript scanning to find the LAN side IP address of the router. Code is also provided to fingerprint the router. GLi has fixed the flaws in their latest firmware and they responded to the two bug reports, which were made separately, fairly quickly.
Two bugs in old D-Link routers
D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass and do not protect credentials
by Garret Wasserman of US-CERT March 15, 2017
Despite the article title, other D-Link models may be affected by these issues too. One bug allows a remote attacker that can access the remote management login page
to manipulate the POST request to access some administrator-only pages without credentials. In addition, the tools_admin.asp page discloses the administrator password in base64 encoding. D-Link has confirmed the flaws, there is no information about if or when a patch will be issued. The devices are old. The DIR-330 is a Wi-Fi G VPN Firewall with Fast Ethernet. The DIR-130 is similar but without Wi-Fi. As usual, disable remote administration if not really needed. If it is needed, restrict the allowed source IP addresses. The bugs were discovered by James Edge.
D-Link again. HNAP again.
D-Link DIR-850L web admin interface contains a stack-based buffer overflow vulnerability
by Joel Land of US-CERT March 8, 2017
As bad as it gets: a remote, unauthenticated attacker can run arbitrary code as root. Yet another reason to disable remote administration. It is disabled by default on the DIR-850L device but, even then, the device can still be attacked from the LAN side. Other D-Link models may also be affected. The vulnerability is in the HNAP service. A bad guy can send a specially crafted POST request to http://routerIPaddress/HNAP1/ that causes a buffer overflow and execute arbitrary code. Beta firmware was released Feb. 17, 2017. The DIR-850L is a dual band Wi-Fi AC router. It is also affected by the November 2016 HNAP flaw in D-Link devices (see below). The bug was reported by Sergi Martinez of NCC Group.
FEBRUARY 2017
Bugs in two TP-Link routers
Updated Firmware Due for Serious TP-Link Router Vulnerabilities
by Michael Mimoso of Kaspersky Threatpost Feb. 13, 2017
One flaw allows for remote code execution but only after logging in to the router. Another flaw allows a bad guy to crash the TP-Link C2 and C20i routers. There are weak default credentials for the FTP server in the router. The default firewall rules are too permissive on the WAN interface. The final insult is artistic, Pierre Kim, who found the flaws, claims that three of the modules in the router firmware "are overall badly designed programs, executing tons of system() and running as root." TP-Link plans to release a new firmware in February 2017, patching all the vulnerabilities. Perhaps the worst aspect was that when Kim first contacted TP-Link by livechat he was told "there is no process to handle security problems in TP-Link routers" and the company refused to offer a point of contact for security issues. Ouch.
JANUARY 2017
Netgear routers buggy, yet again
CVE-2017-5521: Bypassing Authentication on NETGEAR Routers
By Simon Kenin of Trustwave January 30, 2017
There are two bugs in Netgear routers that leak the administrator userid and password. These are not to be confused with the two sets of bugs in Netgear routers last month. Each of these bugs can be exploited from the LAN side and, if remote administration is enabled, also from the WAN/Internet side of the router. Remote Administration should be disabled by default. Still, there are at least ten thousand vulnerable devices that are remotely accessible.The bugs were first reported to Netgear in April 2016 and, to date, all the affected routers have still not been patched. There is a work-around however, enable password recovery. This is an option in the router that requires a secret question before divulging the router password. With password recovery enabled, all is well. On some routers, you can test if it is vulnerable with
http://router/passwordrecovered.cgi?id=anythinghereworks
Getting patches issued was a long slog, obviously since it has taken 9 months. The first Netgear advisory listed 18 vulnerable devices. A second advisory listed an additional 25 models. As things stand now, there are 31 vulnerable models, 18 of which are patched. However, Trustwave warns that one of the models listed as not vulnerable (DGN2200v4) is, in fact, vulnerable. Ugh. Netgear now has a new procedure for handling reports about flaws in their software.