2018

DECEMBER 2018

Two critical bugs in Synology routers

Synology Security Advisories
by Synology December 26, 2018
Bug Synology-SA-18:65 SRM: "A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Router Manager (SRM)." No details are given. The bug was found by Uriya Yavnieli of VDOO. There is a fix for SRM 1.2 only; earlier versions of SRM are not addressed. The fix was released Dec 26th in firmware version 1.2-7742-5.
Bug Synology-SA-18:62 is in Netatalk versions prior to 3.1.12. The bug allows remote unauthenticated attackers to execute arbitrary code. The bug allows an out of bounds write in dsi_opensess.c due to the lack of bounds checking. This is also fixed in SRM 1.2 version 1.2-7742-5, same as the other bug.

Multiple D-Link routers disclose passwords

[CVE-2018-18007] atbox.htm on D-Link DSL-2770L devices allows remote unauthenticated attackers to discover admin credentials
by Tyler Cui   Dec 16, 2018
The buggy device is the D-Link DSL-2770L, a DSL modem/router. The bug: "An authenticated user can visit the page atbox.htm, for example, http://victim_ip/atbox.htm, and obtain clear text password of user admin at the line: else if(ff.curpd.value != '__password__') location='atbox_pd.htm' "
Disgraceful coding by D-Link. No excuse for this at all. Also coming down the pike:
CVE-2018-18008: This vulnerability affects D-Link DSL-2770L, DIR-140L, DIR-640L, DWR-116, DWR-512, DWR-555, and DWR-921 routers. An unauthenticated user can visit the page 'spaces.htm' and obtain the admin account password in clear text
and
CVE-2018-18009: This vulnerability affects D-Link DIR-140L and DIR-640L routers. A remote unauthenticated user can access the file 'dirary0.js' and obtain the admin account password in clear text.
The bug descriptions all say both that the attacker has to be authenticated and that the attacker does not have to be authenticated. It is not clear if these bugs can be exploited remotely or not. D-Link was notified of the bugs in June 2018 and never created a patch. The pattern is clear. This programming bug is so bad, really so amateurish, that avoiding D-Link devices altogether seems the smart thing to do.

High end Huawei routers leak password information

Information Disclosure Vulnerability CVE-2018-7900 Makes It Easy for Attackers to Find Huawei Devices at Risk
by Ankit Anubhav of NewSky Security   December 19, 2018
Simply put, everyone is at fault. Huawei for creating the vulnerability and the companies running Huawei routers for using default credentials. Thanks to bug CVE-2018-7900 bad guys can tell if a Huawei router is using the default password without even trying to log on to the router. All they need do is examine the HTML for the logon page. Even easier, ZoomEye and/or Shodan search engines can, if you know what to look for, report all Huawei routers using default credentials. The problem was reported to Huawei in Sept. 2018 and they have issued a patch. The vulnerable routers are high end devices used by ISPs and the patch has not yet been installed everywhere. Which specific routers are vulnerable was not disclosed.

Three buggy Trendnet routers will not be fixed

Multiple vulnerabilities found in Trendnet routers and IP Cameras
by Prashast Srivastava, Mathias Payer, Howard Shrobe and Hamed Okhravi   December 7, 2018
The bugs are in these TRENDnet routers: TEW-634GRU, TEW-673GRU and TEW-632BRP. Two IP cameras were also buggy. For all the flaws, it is not clear if they can be exploited remotely or not. One flaw requires the attacker to already be logged in to the router, but another one does not require any authentication. One flaw makes it possible to execute arbitrary commands on the router with root privileges. The routers are old (End of Life) and will not be patched.

NOVEMBER 2018

Four bugs in the TP-Link TL-R600VPN

From directory traversal to direct travesty: Crash, hijack, siphon off this TP-Link VPN box via classic exploitable bugs
by Richard Chirgwin of The Register   November 20, 2018
Cisco's Talos found four security vulnerabilities in the TP-Link TL-R600VPN router. A denial-of-service flaw and a file-leaking bug are both due to input sanitisation mistakes. The directory traversal bug lets anyone read any file on the system. Parsing bugs led to two remote code execution (RCE) flaws that can be exploited by a logged-in user. However, the other two flaws can be exploited by anyone who can access the web interface. Definitely exploitable on the LAN side, and if remote administration is enabled, then exploitable on the WAN side too. The article said that fixes are available, but that does not seem to be true. On March 29, 2019 I found the newest firmware for the vulnerable hardware versions 2 and 3 to have been released in August 2016 and August 2014, well before these bugs were found.

A bug in an old D-Link router

CyRC analysis: CVE-2018-18907 authentication bypass vulnerability in D-Link DIR-850L wireless router
by the Synopsys Cybersecurity Research Center   November 15, 2018
The D-Link DIR-850L router was initially released in early 2013. Hardware version A (there is also a B) has a bug that lets attackers get onto its Wi-Fi network without having to know the WPA2 password. D-Link issued a patch three months after the bug was first reported. The only router tested for this flaw was the DIR-850L which Amazon is currently selling (in the US) for $60. No one has said anything about whether similar models might also be affected. Seems like no one has bothered testing other models. The model in question was chosen at random; the researcher was looking into something unrelated and just happened to have this particular router available to him. So, it is quite possible that other D-Link routers are also vulnerable. And, speaking of D-Link, let's not forget that the Federal Trade Commission (FTC) filed a lawsuit against D-Link early in 2017 complaining of assorted bad security practices. There will be a trial in January 2019. On a related note, I tried to view the tech support page for the DIR-850L router but it would not load in my browser. D-Link uses TLS 1.0 on their tech support site. This is a very old and known buggy protocol and I had disabled its use in my browser.

Is this a good thing?

Cisco removed its seventh backdoor account this year, and that's a good thing
by Catalin Cimpanu for ZDNet   November 7, 2018
For the seventh time this year, Cisco has removed a backdoor account from one of its products. Five of the seven were discovered by Cisco's internal testers. The company has been reviewing the source code of all of its software since December 2015. In an attempt to make George Carlin proud, Cisco refers to backdoor accounts as "undocumented, static user credentials for the default administrative account" or "the affected software enables a privileged user account without notifying administrators of the system."

Bugs in Xiaomi Mi Router 3

Hack Routers, Get Toys: Exploiting the Mi Router 3
by Shaun Mirani of Independent Security Evaluators   November 6, 2018
There are three bugs in the Xiaomi Mi Router 3 running firmware version 2.22.15. Two are command injection flaws, the third is reflected XSS. The command injection flaws allow an authenticated user to run arbitrary system commands with root privileges. The bugs were reported to Xiaomi in June. And, that's where it ends. The article is, frankly, amateurish. It does not say if the flaws are exploitable on the LAN side, the WAN side or both. It does not say if the XSS flaw can be exploited by an un-authenticated user. It does not say anything about fixes from Xiaomi.

Bleeding Bit bug in high end Access Points

Bluetooth bugs bite millions of Wi-Fi APs from Cisco, Meraki, and Aruba
by Dan Goodin of Ars Technica   November 1, 2018
Yes, the bugs are in Access Points and not routers. Yes, the bugs are in high end enterprise devices rather than consumer routers. So, why is it included here? I felt like it. Millions of Wi-Fi access points sold by Cisco, Meraki, and Aruba have a critical Bluetooth bug that could allow attackers to install and run malware on the devices. The bug was found by Armis. The malware could get access to all subnets, that is, it would not be stopped by a VLAN. The bug is in Bluetooth Low Energy (BLE), in software from Texas Instruments. Texas Instruments was aware of the issue, but was not aware that it could be exploited in such a malicious manner. Why would a Wi-Fi Access Point support Bluetooth in the first place? Fancy features. Retailers can use them to track customers inside stores by monitoring the Bluetooth beacons sent by smartphones. Not me, Bluetooth is always disabled on my phone. Meraki and Aruba have issued patches. The real-world likelihood of this being exploited is debatable. BLE is enabled by default on some, not all, vulnerable Cisco and Meraki APs. Also, the bug requires a scanning feature to be enabled and it is disabled by default on all vulnerable devices.
A second bug has to do with an over-the-air firmware update feature of Aruba APs. The feature exists to ease firmware updates while developing products. It was never intended to be included in production devices. But, Aruba makes a password-protected version of the update feature available in their series 300 APs. Password? Smashword. The password used across all the devices is identical. Way to go Aruba. An attacker can learn the password by sniffing a legitimate update or reverse-engineering the device. Game over. Bad guys can then install any firmware they want.
Tin foil hat: a reader comment at Ars raised an issue that I first heard at a security conference this past summer. What if the removal of 3.5 mm audio ports in phones was to force more people to keep Bluetooth enabled, and thus, keep them traceable? If that is true, we won't know for at least 30 years.

OCTOBER 2018

Yet another ISP behaving badly

We asked 100 people to name a backdoored router. You said 'EE's 4GEE HH70'. Our survey says... Top answer!
by Chris Williams of The Register   October 26, 2018
A Wi-Fi router (4GEE HH70 gateways) used by British mobile network EE has a hidden backdoor account with a hard-coded username and password. The account is accessible via SSH from the LAN (inside) side of the router. The devices run OpenWRT and the account is root. The 4GEE home gateway connects to EE's mobile phone network. They are used by people who live in rural areas without fast wired connectivity. When the problem was reported to EE they blew it off, until The Register got involved. That said, it was still not clear whether a patch had been rolled out or not. After shaming EE, The Register learned that they did issue a patch, but customers have to install the new firmware themselves.

New Cisco flaw

Cisco zero-day exploited in the wild to crash and reload devices
by Catalin Cimpanu for ZDNet   October 31, 2018
Cisco has revealed the existence of a zero-day vulnerability affecting products that run Adaptive Security Appliance and Firepower Threat Defense software. The flaw allows an unauthenticated, remote attacker to cause a device to reload or trigger high CPU usage, resulting in a denial of service. The vulnerability resides in the Session Initiation Protocol (SIP) inspection feature. The vulnerability has been exploited in the wild. There is not yet a patch available, but there are mitigations, the most obvious being to disable SIP inspection. Another defense is to block the bad guys' IP address (pretty lame). Finally, in the attacks seen to date, the "Sent-by Address" has been all zeros, so these can also be filtered. Known vulnerable devices are: 3000 Series Industrial Security Appliance, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance, Firepower 2100 and 4100 Series Security Appliance, Firepower 9300 ASA Security Module and FTD Virtual.
Nov. 6, 2018: Still no patches released.
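The "Sent-by Address is all zeros" filter described above, as an added illustration in Python (not Cisco's code; the ASA applies its own SIP inspection filters). It parses the Via header of constructed SIP requests, including compact "v:" headers, comma-separated hops and bracketed IPv6 literals, and flags any hop whose sent-by host is 0.0.0.0 or ::.

```python
import ipaddress
import re

# Constructed sample SIP requests, not real captures. 192.0.2.0/24 is a
# documentation range, used here as a placeholder for a legitimate sender.
SAMPLE_REQUESTS = [
    # 1. The pattern described for the in-the-wild attacks: sent-by all zeros.
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bKaaa\r\n"
    "From: <sip:alice@example.test>;tag=1\r\n"
    "To: <sip:bob@example.test>\r\n"
    "Call-ID: c1@example.test\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n",
    # 2. Ordinary request with a routable sent-by host and port.
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKbbb\r\n"
    "Content-Length: 0\r\n\r\n",
    # 3. Two hops on one Via line (RFC 3261 allows comma-separated values);
    #    the second hop uses the IPv6 unspecified address.
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.0.2.20;branch=z9hG4bKccc, SIP/2.0/UDP [::]:5060;branch=z9hG4bKddd\r\n"
    "Content-Length: 0\r\n\r\n",
    # 4. Compact header name ("v:") and no port.
    "OPTIONS sip:bob@example.test SIP/2.0\r\n"
    "v: SIP/2.0/UDP 0.0.0.0;branch=z9hG4bKeee\r\n"
    "Content-Length: 0\r\n\r\n",
]

# One Via header line (long or compact name); the value runs to the CRLF.
VIA_LINE_RE = re.compile(r"^(?:Via|v):[ \t]*(?P<value>[^\r\n]+)",
                         re.IGNORECASE | re.MULTILINE)
# One hop inside a Via value: "SIP/2.0/<transport> <sent-by>[;params]".
HOP_RE = re.compile(
    r"SIP/2\.0/(?P<transport>[A-Za-z]+)[ \t]+"
    r"(?P<sentby>\[[^\]]*\](?::\d+)?|[^;\s,]+)")


def via_sent_by_hosts(request: str) -> list:
    """Return the sent-by host of every Via hop, topmost hop first."""
    hosts = []
    for line in VIA_LINE_RE.finditer(request):
        for hop in HOP_RE.finditer(line.group("value")):
            sentby = hop.group("sentby")
            if sentby.startswith("["):
                host = sentby[1:sentby.index("]")]   # bracketed IPv6 literal
            else:
                host = sentby.split(":", 1)[0]        # strip the optional :port
            hosts.append(host)
    return hosts


def is_unspecified_address(host: str) -> bool:
    """True for the all-zeros address: 0.0.0.0, or '::' for IPv6."""
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:   # hostnames and garbage are not the all-zeros address
        return False


def classify(request: str) -> str:
    """'drop' if any Via hop has an all-zeros sent-by address, else 'pass'."""
    hosts = via_sent_by_hosts(request)
    if not hosts:
        return "malformed"   # every SIP request must carry a Via header
    if any(is_unspecified_address(h) for h in hosts):
        return "drop"
    return "pass"


def triage(requests) -> list:
    """Classify a batch of requests in order."""
    return [classify(r) for r in requests]


if __name__ == "__main__":
    for i, verdict in enumerate(triage(SAMPLE_REQUESTS), 1):
        print(f"request {i}: {verdict}")
```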

Krack is back - new Wi-Fi issues get no press coverage

Auditing KRACKs in Wi-Fi
by Mathy Vanhoef of imec-DistriNet, KU Leuven   September 2018
Last year we had the Krack vulnerability in WPA2 and everyone fixed it, or so we thought. In certain cases, attacks are still possible according to newly published research from Mathy Vanhoef and Frank Piessens. Vanhoef discovered the flaw initially. They report on three problems. First, buggy bug fixes. Second, they discovered new techniques to bypass the official defense against KRACK, allowing an attacker to replay broadcast and multicast frames. However, they do say that this can only be abused to reinstall the (integrity) group key, and it is non-trivial to execute in practice. Third, they disclosed easier and more effective techniques to attack unpatched Wi-Fi devices. And, for good luck, they explain in more detail how to abuse certain vulnerabilities that were disclosed last year. The tech press has ignored this, perhaps because they write that "most users should not worry ... our new paper and results are not as serious as the original key reinstallation attacks."
Still, they inspected patches and open source code and shamed Apple: macOS was found to re-use the SNonce during rekeys of the session key (this is beyond me) and iOS did not properly install the integrity group key (beyond me too). They write that these bugs have a similar impact as the original KRACK attacks. And, Apple never owned up to their mistake. Their patches to their patches are not mentioned in Apple's security update notes. Their tests showed that the code is finally correct in iOS 12.0 and macOS High Sierra 10.13.3 (maybe earlier).
In addition, some Wi-Fi devices accept replayed copies of message 4 of the 4-way handshake. They cited more than 100 devices (routers, APs, wireless cameras, wireless network extenders, home automation switches, NAS devices and smart power plugs) that use the MediaTek MT7620 chip, such as the Asus RT-AC51U router, as being vulnerable. An attacker can abuse this to trivially trigger key re-installations against the router, without having to be a man-in-the-middle. This makes it possible to decrypt, replay, and possibly forge frames. MediaTek has promised a fix sometime in the future.
Looking forward, they note that WPA3 does not prevent key re-installation attacks because it still uses the 4-way handshake (in combination with the new Dragonfly handshake). Any particular implementation of the 4-way handshake may be vulnerable to KRACK.
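Why accepting a replayed message 4 matters, as an added model in Python (not code from the paper, from MediaTek or from any Wi-Fi driver). The authenticator below is reduced to the message-4 decision: a constructed KCK, an HMAC-SHA1-128 MIC over a stand-in EAPOL-Key body, and a per-session packet number that real CCMP resets whenever the PTK is installed. The `accept_replayed_msg4` flag switches between the flawed behaviour (a stale message 4 reinstalls the key and the packet number repeats) and the hardened one (only the message 4 matching the outstanding message 3 is acted on).

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key-confirmation key (KCK). In a real handshake it is part of the
# PTK derived from the PMK, both MAC addresses and both nonces.
KCK = bytes(range(16))


@dataclass(frozen=True)
class Message4:
    replay_counter: int
    mic: bytes


def eapol_mic(kck: bytes, replay_counter: int) -> bytes:
    """HMAC-SHA1-128 over a minimal stand-in for the EAPOL-Key body of message 4."""
    body = b"EAPOL-Key msg4" + replay_counter.to_bytes(8, "big")
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


class Authenticator:
    """Access-point side of the 4-way handshake, reduced to handling message 4."""

    def __init__(self, kck: bytes, accept_replayed_msg4: bool):
        self.kck = kck
        self.accept_replayed_msg4 = accept_replayed_msg4  # True models the flaw
        self.replay_counter = 0
        self.awaiting_msg4 = False
        self.installs = 0
        self.tx_pn = 0   # packet number (CCMP nonce) for frames this side encrypts

    def send_msg3(self) -> int:
        """Message 3 carries a fresh replay counter that message 4 must echo."""
        self.replay_counter += 1
        self.awaiting_msg4 = True
        return self.replay_counter

    def receive_msg4(self, msg: Message4) -> str:
        expected = eapol_mic(self.kck, msg.replay_counter)
        if not hmac.compare_digest(msg.mic, expected):
            return "bad-mic"
        fresh = self.awaiting_msg4 and msg.replay_counter == self.replay_counter
        if not fresh and not self.accept_replayed_msg4:
            return "replay-dropped"   # hardened: never act on a stale message 4
        self.awaiting_msg4 = False
        self.installs += 1
        self.tx_pn = 0                # (re)installing the PTK resets the packet number
        return "installed"

    def encrypt_frame(self) -> int:
        """Return the packet number used for the next data frame; it must never repeat."""
        self.tx_pn += 1
        return self.tx_pn


def run_handshake(accept_replayed_msg4: bool) -> dict:
    """Finish one handshake, send two frames, replay message 4, send two more."""
    ap = Authenticator(KCK, accept_replayed_msg4)
    ctr = ap.send_msg3()
    msg4 = Message4(ctr, eapol_mic(KCK, ctr))   # the supplicant's genuine reply
    first = ap.receive_msg4(msg4)
    pns = [ap.encrypt_frame(), ap.encrypt_frame()]
    replay = ap.receive_msg4(msg4)              # the same bytes, delivered again
    pns += [ap.encrypt_frame(), ap.encrypt_frame()]
    return {
        "first": first,
        "replay": replay,
        "installs": ap.installs,
        "packet_numbers": pns,
        "nonce_reuse": len(pns) != len(set(pns)),
    }


if __name__ == "__main__":
    print("flawed  :", run_handshake(accept_replayed_msg4=True))
    print("hardened:", run_handshake(accept_replayed_msg4=False))
```

A repeated packet number under the same key is what lets an attacker decrypt or replay frames; the hardened path keeps the counter monotonic.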

Bugs in Linksys E Series routers

Vulnerability Spotlight: Linksys E Series Multiple OS Command Injection Vulnerabilities
by Cisco Talos   October 16, 2018
Three vulnerabilities are confirmed in multiple Linksys E Series wireless routers with various firmware versions. Exploiting these vulnerabilities requires the attacker to have already authenticated with the device. Still, they do allow a bad guy to obtain full control over a router, which would then allow for the installation of malicious code. Which models? The only ones mentioned are the E1200 and the E2500 both of which have patches available. The vulnerability state of other E Series routers is not clear (to me at least).

Another huge security flaw for Cisco

libssh Authentication Bypass Vulnerability Affecting Cisco Products: October 2018
by Cisco   October 19, 2018
Quoting "A vulnerability in libssh could allow an unauthenticated, remote attacker to bypass authentication on a targeted system. An attacker could exploit this vulnerability by presenting a SSH2_MSG_USERAUTH_SUCCESS message to a targeted system. A successful exploit could allow the attacker to bypass authentication and gain unauthorized access to a targeted system." Cisco is currently investigating which products are vulnerable.
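The class of mistake behind the libssh bug, as an added Python model (not libssh's code): during user authentication a server may only receive USERAUTH_REQUEST, SERVICE_REQUEST or DISCONNECT from the client, while USERAUTH_SUCCESS (message number 52, RFC 4252) is a server-to-client message. The hardened session checks message direction before acting; the `check_direction=False` path models a state machine that treats the client's USERAUTH_SUCCESS as if the server had granted access. The credential table is constructed for the demo.

```python
import hmac

# Message numbers from RFC 4253 and RFC 4252.
SSH_MSG_DISCONNECT = 1
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52

# Messages a server may legitimately receive from a client during the
# authentication phase. USERAUTH_SUCCESS and USERAUTH_FAILURE are only ever
# sent by the server.
CLIENT_TO_SERVER_AUTH_MSGS = {
    SSH_MSG_DISCONNECT,
    SSH_MSG_SERVICE_REQUEST,
    SSH_MSG_USERAUTH_REQUEST,
}

# Constructed credentials for the demo; a real server verifies a hash or key.
VALID_CREDENTIALS = {"alice": "correct horse battery staple"}


class ServerAuthSession:
    """Server-side authentication state for one SSH connection."""

    def __init__(self, check_direction: bool = True):
        self.check_direction = check_direction  # False models the flawed server
        self.authenticated = False
        self.closed = False

    def handle(self, msg_type: int, payload=None) -> str:
        if self.closed:
            return "closed"
        if self.check_direction and msg_type not in CLIENT_TO_SERVER_AUTH_MSGS:
            self.closed = True
            return "disconnect"   # hardened: an unexpected message ends the session
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            user, secret = payload
            expected = VALID_CREDENTIALS.get(user, "")
            if expected and hmac.compare_digest(expected, secret):
                self.authenticated = True
                return "success"
            return "failure"
        if msg_type == SSH_MSG_USERAUTH_SUCCESS:
            # Only reachable with check_direction=False: the server acts on a
            # message that only it should ever send, so the client is "logged in"
            # without presenting any credential.
            self.authenticated = True
            return "success"
        if msg_type == SSH_MSG_DISCONNECT:
            self.closed = True
            return "closed"
        return "ignored"


def attempt_bypass(check_direction: bool) -> tuple:
    """A client that sends USERAUTH_SUCCESS instead of authenticating."""
    session = ServerAuthSession(check_direction)
    reply = session.handle(SSH_MSG_USERAUTH_SUCCESS)
    return reply, session.authenticated


if __name__ == "__main__":
    print("hardened:", attempt_bypass(check_direction=True))
    print("flawed  :", attempt_bypass(check_direction=False))
```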

D-Link shows how much they care about security

Last year, D-Link flubbed a router bug-fix, so it's back with total pwnage
by Richard Chirgwin of The Register   October 17, 2018
First sentence: "Eight D-Link router variants are vulnerable to complete pwnage via a combination of security screwups, and only two are going to get patched." Just this one sentence is enough to make a thinking person avoid D-Link routers. D-Link was notified of these bugs in May 2018 and has, to date, done nothing. Eight devices are known vulnerable. Six of them will not get fixes because D-Link deems them too old to bother with. They are: DWR-140, DWR-512, DWR-640, DWR-712, DWR-912 and DWR-921. D-Link has said they will fix the DWR-116 and DWR-111 but after all this time, they have not done so. The bugs, found by Błażej Adamczyk, include storing passwords in plaintext, yet another indicator of how much D-Link cares about security. One person does not have access to an entire product line, so it is likely that other D-Link routers which the researcher could not test are also vulnerable.

Still more MikroTik bugs

Tenable Research Advisory: Multiple Vulnerabilities Discovered in MikroTik's RouterOS
by Jacob Baines of Tenable   October 7, 2018
Frankly, I can't keep up with the bugs in MikroTik devices. Suffice it to say that owning a MikroTik device dooms you to a life of constant patching. The four bugs that Baines found are: an authenticated remote code execution (CVE-2018-1156), a file upload memory exhaustion (CVE-2018-1157), a www memory corruption (CVE-2018-1159) and a recursive parsing stack exhaustion (CVE-2018-1158). The first one is the most critical as it allows for full system access. The bugs exist in RouterOS 6.42.3, released in May 2018. The bugs are patched in RouterOS version 6.40.9 (released Aug 20, 2018), version 6.42.7 (released Aug 17, 2018) and version 6.43 (released Sept. 6, 2018). And, there is more too.
Baines presented his research Oct 7, 2018 at the DerbyCon conference in Kentucky. He disclosed that RouterOS has a somewhat hidden developer backdoor account and he was not the first person to discover it. Moreover, he expanded the exploitation of a previously disclosed path traversal vulnerability, CVE-2018-14847. His new approach let him extract the admin password and create an "option" package to enable the developer backdoor. Thus, a bad guy can connect to Telnet or SSH using the root user "devel" (the back door account) with the admin password. MikroTik patched the path traversal bug in April 2018. However, it was not previously disclosed that the bug could be leveraged to write files. He created an exploit for Winbox, a Windows GUI application for MikroTik's RouterOS software. MikroTik created their own encryption and their own protocol for talking to their RouterOS system. Baines and others have figured out the protocol. A recent scan by Tenable Research showed that only 30 percent of vulnerable devices have been patched.

AUGUST 2018

Multiple bugs in TP-Link Wi-Fi Extenders

From Bad to Worse: Firmware Vulnerability Detection with the Centrifuge Platform
by Craig Heffner of Refirm Labs   August 13, 2018
This story starts with a command injection vulnerability published for the TP-Link WL-WA850RE Wi-Fi Range Extender. The bug grants a remote attacker complete access to the device, but it requires administrative credentials. Using software from his company, the Centrifuge Platform, Heffner found a more serious bug that allows a remote attacker to completely control the device even without prior knowledge of the administrative credentials. The vulnerability affects multiple TP-Link products, including devices connected to the Internet and therefore susceptible to remote attack. At first, Heffner found tons of calls to strcpy with stack addresses as the destination. Then he put the httpd binary into a disassembler. In the previously known bug, the wps_setup_pin value can be used to exploit both a stack-based buffer overflow and command injection. But, the vulnerable code sits behind an authentication check. So, he looked for HTTP requests that do not require authentication. He got a list of 24 function handlers that do not require authentication. The most interesting one was: /fs/data/config.bin which generates the backup configuration file. Yes, an un-authenticated user can dump a file with the admin password. The config file is compressed and DES encrypted. But, TP-Link has been re-using the same encryption key for years. After decrypting the config file, Heffner found the admin password was stored as an MD5 hash which can be directly fed into the web interface of the router. Attackers do not need to know the plain text password. Heffner wrote: "Thanks to vendor code reuse, bugs like these are rarely isolated to a single product (or even to a single OEM!)." So, he went looking for other TP-Link products that might be affected, again using software from his company that scans firmware for known vulnerabilities. Other vulnerable range extenders are the: RE305, RE450, TL-WA830RE, TL-WA850RE and the TL-WA855RE. 
Heffner found many of these were directly accessible from the Internet. He developed a proof of concept exploit script that grabs the configuration file, decrypts it, decompresses it, authenticates to the target device, and exploits the command injection bug to start a telnet server on port 8080. It appears that little, if any, work has been done by either researchers or TP-Link into whether other devices are affected by these bugs. TP-Link was told of all this but there are, as of now, no patches. It is not clear if they responded to Heffner at all.

New IKE VPN flaw affects Cisco, Huawei and others. Patches available.

Cisco Patches Its Operating Systems Against New IKE Crypto Attack
by Catalin Cimpanu of Bleeping Computer   August 13, 2018
Any Cisco IOS or IOS XE device that is configured with the "authentication rsa-encr" option is vulnerable to a newly discovered attack on IKE. The Cisco IOS XR operating system is not affected. The bug stems from the fact that the software responds incorrectly to decryption failures. The bug lets bad guys attack the first Phase of IKE and, if successful, attackers are able to impersonate another IPsec endpoint or be an active man-in-the middle. It is not possible to recover data from an already established IPsec session. The attack also works against the IKEv1 implementations of Huawei, Clavister and ZyXEL. All companies were previously informed and issued patches.

New attack on WPA/WPA2 networks enabled for roaming

New attack on WPA/WPA2 using PMKID
by Atom   August 4, 2018
"This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard ... The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame. At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers). The main advantages of this attack are as follow:
No more regular users required - because the attacker directly communicates with the AP (aka "client-less" attack)
No more waiting for a complete 4-way handshake between the regular user and the AP
No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
No more eventual invalid passwords sent by the regular user
No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
No more special output format (pcap, hccapx, etc.) - final data will appear as regular hex encoded string"

JULY 2018

Huge bug in Juniper's Junos OS

Security Bulletin: Junos OS: A privilege escalation vulnerability exists where authenticated users with shell access can become root (CVE-2018-0024)
by Juniper   July 11, 2018
This is a doozy. An authenticated unprivileged attacker can gain full control of the system thanks to an Improper Privilege Management vulnerability in a shell session. The flaw is in multiple versions of the OS: 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1X49. Affected platforms: EX Series, QFX3500, QFX3600, QFX5100, SRX Series. This issue was found during internal product security testing or research. Fixes have been released. This was but one of a large number of bug fixes just released by Juniper. See their Security Advisories page for the rest.

After 2 years, 3 bugs in ADB hardware finally fixed

Year-Old Critical Vulnerabilities Patched in ISP Broadband Gear
by Tom Spring of Threatpost   July 5, 2018
In June of 2016, SEC Consult Vulnerability Lab identified three critical bugs in Switzerland-based ADB routers and gateways. Here we are, two years later, and the bugs are finally being publicly disclosed and fixed. ADB manufactures hardware for over two dozen communications firms, including Cox Communication and Charter Communications in the US. Bug 1 is a local root jailbreak that can be exploited thanks to a network file sharing flaw. It lets an attacker get full access to the device with the highest privileges. Oopsie. Bug 2 lets an attacker access device settings otherwise forbidden to the user. Manipulated settings might, for example, turn on the Telnet server even if the ISP had disabled it. Bug 2 requires the bad guy to have a user account, but the default account from the ISP, or the one printed on the device, would suffice. Bug 3 is a privilege escalation flaw via Linux group manipulation. It can grant an attacker access to the command line interface, even if it was previously disabled by the ISP. Not every CLI is the same, but the CLI might offer access to all the configuration settings. All the bugs now have patches available, for those that know to look for them. Neither Cox nor Charter returned Threatpost inquiries on if or how many of their customers may have been impacted by the vulnerabilities. Of course not, the fewer customers that know about this the better.

JUNE 2018

Netgear fixes many bugs

Netgear Security Advisories
by Netgear   June 22, 2018
As before, another case of the glass being half empty or half full. Netgear has fixed many bugs in their routers. At some point, however, you have to wonder if their routers are like Flash, a never ending source of bugs. Still, they do seem to make an honest effort to fix things, they are very public about the bugs, and they have a security newsletter announcing their bug fixes, so give them credit for that. The patches are:
6/22/2018 Security Advisory for Denial of Service on Some Routers, PSV-2017-3168
6/22/2018 Security Advisory for Denial of Service on Some Routers, PSV-2017-3169
6/22/2018 Security Advisory for Sensitive Information Disclosure on GS810EMX, PSV-2018-0220
6/22/2018 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2017-3166
6/22/2018 Security Advisory for Post-Authentication Stack Overflow on Some Gateways and Routers, PSV-2017-3160
6/22/2018 Security Advisory for Post-Authentication Command Injection on Some Gateways and Routers, PSV-2017-3159
6/22/2018 Security Advisory for Post-Authentication Stack Overflow on Some Gateways and Routers, PSV-2017-3158
6/22/2018 Security Advisory for Post-Authentication Stack Overflow on Some Gateways and Routers, PSV-2017-3157
6/22/2018 Security Advisory for Post-Authentication Stack Overflow on Some Gateways and Routers, PSV-2017-3156
6/22/2018 Security Advisory for Post-Authentication Stack Overflow on Some Gateways and Routers, PSV-2017-3155
6/22/2018 Security Advisory for Post-Authentication Buffer Overflow on Some Gateways and Routers, PSV-2017-3154
6/22/2018 Security Advisory for Post-Authentication Command Injection on Some Gateways and Routers, PSV-2017-3152
6/22/2018 Security Advisory for Pre-Authentication Buffer Overflow on Some Gateways, Routers, and Extenders, PSV-2017-3136
6/22/2018 Security Advisory for Post-Authentication Command Injection on Some Gateways and Routers, PSV-2017-3133
6/22/2018 Security Advisory for Stored Cross-Site Scripting on Some Gateways and Routers, PSV-2017-3101
6/21/2018 Security Advisory for Post-Authentication Buffer Overflow on Some Gateways, Routers, and Extenders, PSV-2017-2460
6/21/2018 Security Advisory for Post-Authentication Command Injection on Some Gateways and Routers, PSV-2017-2248
6/21/2018 Security Advisory for Security Misconfiguration on Some Gateways and Routers, PSV-2017-0429
6/14/2018 Security Advisory for Pre-Authentication Command Injection on Some Gateways, Routers, and Extenders, PSV-2016-0074

Cisco has some serious explaining to do

Cisco Removes Backdoor Account, Fourth in the Last Four Months
by Catalin Cimpanu of Bleeping Computer   June 8, 2018
For the fourth time in as many months, Cisco has removed hardcoded credentials that were left inside one of its products. This hardcoded password was found in their Wide Area Application Services (WAAS). WAAS is WAN traffic management software that runs on Cisco hardware. Calling it a password is a bit off: there was a hardcoded, read-only SNMP community string in the configuration file of the SNMP daemon. Anyone knowing the string can retrieve stats and system information from affected devices via SNMP; all you needed to know was the character string. This was a very well hidden secret, which has to make anyone wonder how it came to be. The existence of the secret SNMP community string was hidden from device owners. It was even hidden from people with an admin account on the device. Go figure. It was discovered by Aaron Blair from RIoT Solutions as he was researching a different bug. The second bug elevated a normal admin account to root access and once a root user, he could see the secret SNMP string. The hidden string was just removed.

More Cisco bugs

Cisco Patches Critical Flaws in IOS XE and Prime Collaboration Provisioning
by Lucian Constantin June 8, 2018
These are bad. IOS XE is the Cisco operating system for networking devices such as routers. It has a critical flaw in its authentication, authorization and accounting (AAA) security services. The bug is due to incorrectly parsing usernames during the authentication process. It can be exploited by unauthenticated, remote attackers to execute arbitrary code on the affected devices. Yikes. They also fixed a critical vulnerability in PCP (Prime Collaboration Provisioning). An open TCP/IP port in the Network Interface and Configuration Engine (NICE) service, gave attackers access to the Java Remote Method Invocation (RMI) system. This, in turn, let bad guys perform malicious actions. In addition to these critical bugs, Cisco fixed five other high-risk flaws in PCP this week. And, they fixed high-risk bugs in their Web Security Appliance; Identity Services Engine; Network Services Orchestrator; IP Phone 6800, 7800 and 8800 Series; Cisco Meeting Server and Adaptive Security Appliance. Bugs bugs bugs.

Critical bug in Cisco ACS has been fixed

Cisco fixes critical bug that exposed networks to hackers
by Zack Whittaker for ZDNet June 7, 2018
Technically, not a router bug, but from Cisco and network related. A critical bug in the Cisco Secure Access Control System (ACS), which system administrators use to authenticate users across a network, could have allowed hackers to remotely break into corporate networks. The bug was reported to Cisco by Positive Technologies. An attacker exploiting the bug could gain near-unfettered access to a network, including control of routers and firewalls. This, in turn, could allow interception and modification of network traffic and grant access to closed-off sensitive areas of a network. The bug was fixed in May 2018. ACS reached end-of-life in 2017.

MAY 2018

VPNFilter - a very big deal

VPNFilter router malware - just the bad stuff
by me   June 4, 2018 (last updated June 8th)
VPNFilter is both malware and a botnet. It infects routers from Linksys, MikroTik, Netgear, TP-Link, ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. It also was found on NAS devices from QNAP. For the most part we do not know the bugs in each router that the malware exploited. However, everything that has come out in the first two weeks after the initial announcement points to the bad guys exploiting known bugs. No zero day flaws were needed. Most of my coverage is on the News page.

Comcast leaks customer Wi-Fi passwords and network names

Comcast website bug leaks Xfinity customer data
by Zack Whittaker for ZDNet   May 21, 2018
Technically, this is not a router bug, but it's close enough. The Comcast website (register.be.xfinity.com/activate), which was/is used by customers to set up their home services, could be hacked to display a customer's home address, Wi-Fi network name (SSID) and Wi-Fi password. And, not just display, an attacker could also change the SSID and/or Wi-Fi password. But, the issue was only for customers using equipment from Comcast. Those with their own routers were safe. An attacker only needed to provide the customer account number and their house or apartment number. If you lived at 123 Main Street, all the attacker needed to know was 123. Comcast claimed they fixed the problem, but we have no idea how long this vulnerability existed. For more on why not to use a router from any ISP see the ISP routers page.

Bug in old D-Link DSL gateways was never fixed, now being abused

Widely used D-Link modem/router under mass attack by potent IoT botnet
by Dan Goodin of Ars Technica   June 20, 2018
Bad guys are exploiting a bug in very old D-Link DSL-2750B DSL gateways in an attempt to make them part of the Satori botnet. The bug has been known for roughly 2 years but the devices have been abandoned by D-Link and the ISPs that gave them out. If you have such a device, it needs to be replaced. This is yet another reason to not use any hardware from your ISP, when possible. The bug allows remote command execution without any authorization needed. The vulnerability can be exploited using the "cli" parameter that directly invokes the "ayecli" binary. It is also possible to retrieve the admin password, wifi password, etc. Also covered in the Router News page.

D-Link caught with poor security, yet again

Backdoors in D-Link's backyard
by Denis Makrushin of Kaspersky SecureList   May 23, 2018
Round up the usual suspects. Yet another D-Link router is vulnerable to hacking. Kaspersky researched the DIR-620 router because it is a common router given out by ISPs. Most important here is that "The firmware runs on various D-Link routers" so anyone with a D-Link router should consider replacing it. Especially old D-Link routers, as the company has refused to fix these problems because they deem the router too old to bother with. Kaspersky notes that it is not possible to count the number of vulnerable routers because "most home routers are located behind their ISP’s NAT." Kaspersky found two bugs and two hard coded backdoor accounts, one for Telnet, the other for access to the web admin interface of the router. Interestingly, the backdoor credentials contain the name of the ISP in the login string, so it is impossible to know if the ISP or D-Link is to blame. Owners of the routers cannot do anything about the hard coded account for the web interface. They can't see it or delete it. Kaspersky did not discuss local admin access vs. remote access. One of the bugs lets attackers recover Telnet credentials. Another flaw lets attackers execute OS commands via parameters of an admin page's URL. The last is a reflected cross-site scripting bug in the "Quick Search" field of the router's web interface. Most of the routers were deployed by Russian, CIS, and Eastern European ISPs to their customers. The vast majority of these devices are located in Russia.

Talk Talk routers vulnerable to WPS pin code attack - 7 years after it became public

ISP TalkTalk's Wi-Fi passwords Walk Walk thanks to Awks Awks router security hole
by Shaun Nichols of The Register   May 22, 2018
Talk Talk is a British ISP and telco. Their "Super Routers" have been confirmed vulnerable to the classic WPS pin code attack, first seen back in 2011. You can't make this stuff up. The flaw was discovered by a company called IndigoFuzz using a Windows program called Dumpper that is available on Sourceforge. You have to be within Wi-Fi range to attack a vulnerable router. Some routers can disable WPS, but neither article mentioned if the Talk Talk routers can do so. Also, neither article mentioned that a router that has been hacked via WPS will remain available to the attacker even if the Wi-Fi password is later changed and even if the Wi-Fi password is very long. WPS is a back door. Note that the WPS pin code attack has nothing to do with the WPS pairing button. WPS supports multiple modes of operation.

Bug in DrayTek routers is being both exploited and fixed

High-end router flinger DrayTek admits to zero day in bunch of Vigor kit
by Kat Hall of The Register   May 21, 2018
Quoting: "DrayTek routers are considered high end in the UK - retailing at around 200 pounds, more than twice the price of garden-variety alternatives - and are mostly used by businesses." It seems that buyers are getting their money's worth. Yes, the routers have a bug, but the report of the flaw came from DrayTek themselves, which is quite rare. They also released an advisory about the problem that was unusually frank and helpful. Many of the known buggy routers have new firmware that fixes the problem, others will shortly have new firmware. The company also lists devices that are not buggy at all. Firmware updates have to be done manually, the routers do not self-update. For obvious reasons, they have not released any technical details of the flaw. Bad guys have been using the flaw to change the DNS servers in the routers, an old tried and true attack. On the home page of this site (in the ongoing defense section) I recommend being aware of your DNS servers. The resources page lists many websites that report on currently used DNS servers. No articles about this mentioned that these sites exist.

Glass half full or half empty for Cisco devices?

Hardcoded Password Found in Cisco Enterprise Software, Again
by Catalin Cimpanu of Bleeping Computer   May 17, 2018
Cisco just released 16 security advisories that warned about 13 boring bugs and 3 critical ones. The worst (CVE-2018-0222) is a hard coded backdoor account or, to use words from a PR firm - "undocumented, static user credentials for the default administrative account." The hard coded password gives those in the know root access. The other two critical flaws are both bypasses of the authentication system for Cisco Digital Network Architecture (DNA) Center software. The flaws were uncovered by an internal audit. Back in 2015, after a backdoor account that could decrypt VPN traffic was found in Juniper software, Cisco decided to audit their code. And ... "The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits..."

Sierra Wireless routers were totally completely hackable

Sierra Wireless Patches Critical Vulns in Range of Wireless Routers
by Tara Seals of Threatpost   May 8, 2018
Sierra Wireless just patched two critical vulnerabilities for its wireless gateways that would leave the enterprise devices helpless to an array of remote threats. The most critical flaw allowed a remote attacker with no authentication whatsoever to execute arbitrary code on the routers and gain full control of a vulnerable device. Sierra Wireless has a footprint of more than 3 million AirLink devices. Vulnerabilities affect AirLink Gateways LS300, GX400, GX/ES440, GX/ES450, RV50, RV50X, MP70, MP70E. The article does not say how the company learned of the flaws. Technical details are not available because Sierra Wireless Tech Bulletins are only for their customers, not the general public.

ISP in Brazil ships routers without a password

5,000 Routers With No Telnet Password. Nothing to See Here! Move Along!
by Catalin Cimpanu of Bleeping Computer   May 10, 2018
Oi Internet, an ISP in Brazil, has shipped its customers Datacom routers (models DM991CR, DM706CR, and DM991CS) with Telnet enabled and no Telnet password. The report comes from Ankit Anubhav, Principal Researcher at NewSky Security. He has detected 5,000 of the vulnerable routers. Worse than a house with the front door unlocked, these routers are a house without a front door at all. This illustrates why I consider a router from an ISP to be the least secure option. You are safer with an off-the-shelf consumer router, but better still, with a business class router.

APRIL 2018

Dasan GPON optical routers are buggy and tough luck

Critical RCE Vulnerability Found in Over a Million GPON Home Routers
by Sarit Newman of vpnMentor   No date
This strikes me as a scam. I suspect it's a test of how gullible those covering technology are. For one thing, there is no date on the article. Then too, vpnMentor is not a security company. The author's qualification is that "she loves being organized." Bugs are found by people, the article only refers to "we". There are no links to the CVEs. I searched for each one and found that the two CVE numbers have been assigned to someone who has published nothing and not even identified themselves. Also GPON is a technology not a brand, as far as I can tell. That is, it's Wi-Fi, not Linksys. The article did not mention one specific brand of router. All it said was "the routers are provided by ISPs" and it did not even mention one ISP by name. As to the details, vpnMentor claims that CVE-2018-10561 is a bug that lets attackers bypass authentication on the routers. They do not say if the authentication bypass lets only local attackers into the routers or also remote attackers. They also claim that CVE-2018-10562 is a command injection flaw that let them execute commands on the un-identified routers.
Update May 4, 2018: There is now some text describing the two CVE bug reports and it identifies the router manufacturer, Dasan of South Korea. And, it seems these bugs are now being exploited.
Update May 10, 2018: At least 5 botnets are competing to hack these Dasan routers. See the Router News page for more. Also, the routers are old and will not be patched. And, VPNmentor has released their own most un-official patch.
Update May 21, 2018: These same routers appear to have another zero day flaw that bad guys are exploiting. See GPON Routers Attacked With New Zero-Day by Catalin Cimpanu for Bleeping Computer.

How to hack MikroTik routers

Chimay-Red
by Dayton Pidhirney of Seekintoo   April 28, 2018
Most of this article is over my head, but it is clearly a detailed technical guide to hacking MikroTik routers. They appear to be quite hackable. The author is not impressed with the company's coding prowess. Quoting: "... a span of approximately four years elapsed since the vulnerability was introduced until the time it was fixed. Four years should be enough for multiple competent code reviews to catch a blatant integer overflow in a critical function like reading user POST data. The fact this small issue was not discovered and fixed for so long, leads myself and I'm sure others to believe MK doesn't do code reviews or does not complete them often. If you are reading this MK, maybe stop custom writing and maintaining your: Webserver, Samba Server, RADIUS server, SSH server, TELNET server, FTP server, etc. Clearly you can't."

TP-Link does not fix old buggy router

TPLink TLWR740n Router Remote Code Execution
by Tim Carrington of Fidus Information Security   April 26, 2018
In October 2017, Fidus reported on TP-Link having a pattern of bad coding that can result in the WR940N router being hacked. TP-Link fixed the WR940N router. Fidus wonders how come no one else had found the flaws, as they were easy to find. Worse, TP-Link only fixed the WR940N. Later, Fidus found the exact same buggy pattern of code in the TLWR740n router. They reported the problem to TP-Link on Jan. 25, 2018. On March 29th, TP-Link sent Fidus beta firmware that fixed the problem. But, TP-Link never released the patched firmware. We have seen this pattern before with consumer routers - vendors only fix what the public knows about. The bigger issue here involves other TP-Link routers. Which of them also have the same buggy code and thus are also vulnerable to the same attack? This is a great reason not to trust TP-Link.

Hard coded root account in ZTE routers

Hyperoptic router at risk of being hacked
by Andrew Laughlin of Which?   April 25, 2018
In October 2017, security firm Context Information Security found a flaw in ZTE routers used by British broadband ISP Hyperoptic. The ISP is fully fibre and specializes in super fast Internet. It is estimated that Hyperoptic has about 100,000 customers, mostly businesses. As of April 24, 2018 the flaw has been fixed and rolled out to all Hyperoptic customers. Dan Cater, Lead Security Consultant at Context, found the flaw, a combination of a hardcoded root account and a DNS rebinding vulnerability. As a result, simply clicking on a malicious link allowed bad guys to log in to the ZTE routers with full, total control. The buggy devices are the H298N and H298A "HyperHub" routers. The fix includes new individual root passwords for every router. Just last week, the British National Cyber Security Centre (NCSC) warned UK telecoms and broadband operators not to use ZTE equipment for security reasons. None of the articles has any details on the flaw, but I suspect that changing the LAN side IP address of the router is a defense against this. So too changing the LAN side subnet and the port number used for Local Administration of the router.
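DNS rebinding works because the browser ends up sending requests to the router's LAN address while still carrying the attacker's hostname in the HTTP Host header. The standard server-side defense, which a router's web interface can apply before any handler runs, is to answer only when Host names one of the router's own identities. The following is an added example and not ZTE's or Context's code; the request strings are constructed, the allowlist and function names are assumptions, and only IPv4 literals and plain hostnames are handled (no bracketed IPv6).

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive test for a "Host:" header name at the start of a line. */
static bool line_is_host(const char *line, size_t len)
{
    static const char key[] = "host:";
    if (len < 5) return false;
    for (int i = 0; i < 5; i++)
        if (tolower((unsigned char)line[i]) != key[i]) return false;
    return true;
}

/* Copy the Host header value into out, lowercased and without any :port
 * suffix. Returns false when the request carries no Host header. */
bool extract_host(const char *request, char *out, size_t outsz)
{
    const char *p = request;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (line_is_host(p, len)) {
            const char *v = p + 5;
            const char *end = p + len;
            while (v < end && *v == ' ') v++;          /* skip optional whitespace */
            size_t n = 0;
            while (v < end && *v != ':' && n + 1 < outsz)
                out[n++] = (char)tolower((unsigned char)*v++);
            out[n] = '\0';
            return n > 0;
        }
        if (!eol) break;
        p = eol + 2;
    }
    return false;
}

/* The defense: serve the admin interface only when the Host the browser
 * used is one of the router's own names (allowed[] entries are lowercase).
 * A rebinding request arrives at the router's IP but with the attacker's
 * hostname in Host, so it is refused here. A request with no Host header
 * is refused as well; HTTP/1.1 requires the header. */
bool host_header_allowed(const char *request, const char *const allowed[], size_t n)
{
    char host[256];
    if (!extract_host(request, host, sizeof host)) return false;
    for (size_t i = 0; i < n; i++)
        if (strcmp(host, allowed[i]) == 0) return true;
    return false;
}
```

The check is independent of whether the LAN address was changed: an attacker who guesses or scans for the router's IP still cannot make the browser send a matching Host header, because the browser fills Host with the name the page was loaded from.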

UPnProxy- the UPnP abuse will never die - no progress in 5 years

UPnProxy: Blackhat Proxies via NAT Injections
by Akamai   Early April
UPnP is the router mis-configuration that will not go away. Back in January 2013 it was discovered that millions of routers were exposing UPnP on their WAN side (the Internet) by mistake. This report from Akamai found that 4.8 million routers are still doing so. They also found that bad guys are using this flaw/mis-configuration to treat routers as proxies as a way of hiding themselves online. My summary of this is on the News page.

MARCH 2018

A H-U-G-E number of Cisco bugs

March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication
by Cisco   Doc ID: ERP-66682   March 28, 2018
Cisco has released patches for 34 bugs, mostly to IOS and IOS XE. The bugs include three critical remote code execution flaws. To put this in perspective, Peplink has never released fixes for 34 bugs at once. They don't have that many bugs. One reason there were so many patches is that Cisco only releases bug fixes twice a year (March and September). This is a miserable way to maintain software. One critical flaw in IOS XE is an undocumented user account with a default username and password. An attacker could use this account to remotely connect to a vulnerable device. Just disgraceful. Another flaw is a remote code execution bug in the QoS subsystem of IOS and IOS XE. The problem is due to incorrect bounds checking of certain parameters sent to UDP port 18999. The bug that got press attention is in Smart Install. This should have been called Lazy Install. It is software for deploying new IOS and IOS XE switches and routers to a remote site while configuring everything from headquarters. Smart Install was meant to make life easy for system administrators. As such, the Smart Install protocol does not require authentication. In Feb. 2017 Cisco warned about how insecure the Smart Install protocol was and suggested using their newer Network Plug and Play feature instead. Devices running the Smart Install client have TCP port 4786 open by default. Adding to the poor design is a bug: a stack-based buffer overflow enables an attacker to remotely execute arbitrary code without authentication. This is as bad as bad gets. Remote unauthenticated attackers can get full control of vulnerable devices. In all the time I have been following Peplink, they have never had one bug as severe as this. Since Smart Install was intended for internal use, at first it was thought this bug could only be exploited internally. But no. Embedi, the company that found the flaw, found 8.5 million devices that have the vulnerable port open on the Internet. Of those, only 250,000 were vulnerable to the flaw. The timeline here is shameful. Embedi discovered the flaw in May 2017. In September 2017 Cisco said they were still working on a fix and now, at the end of March 2018, it is finally released. These bugs were exploited a few days after the fixes were released. See the Routers in the news page for details.

New VPN client router Vilfo has poor security

Vilfo VPN router review
by Daniel Aleksandersen for his CTRL blog   March 20, 2018. (NOTE: vendor response is below)
Vilfo is a 5-person company about to launch a new VPN client router. Both the router and the company are offshoots of the Swedish VPN service provider OVPN. The hardware is high end and the software is based on OpenWRT/LEDE. A review by Daniel Aleksandersen found many security flaws in the design and operation. The problems start immediately with the initial setup. Quoting: "... the initial setup process in Vilfo's web administration interface happens over HTTP on an unencrypted WiFi connection that is literally broadcast in the clear to your neighborhood. You are required to input a lot of information in the web administration interface before you get the option to enable encryption on the connection. At the very least, you must provide the following: a unique license key for Vilfo, your email address, your username and password for at least one predefined VPN service provider, your desired username and administrative (root) password for the router, and at the end you also input your desired WiFi name and password. All of this information is transmitted in clear-text and can trivially be collected by nearby devices." Other security flaws:

Unauthenticated remote exploitation of MikroTik routers

MikroTik RouterOS SMB Buffer Overflow
by Core Security   March 15, 2018
MikroTik is a Latvian company that provides hardware and software for Internet connectivity in most of the countries around the world. RouterOS is their operating system based on the Linux v3.3.5 kernel. A buffer overflow was found in the RouterOS SMB service (Samba) when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and thus execute code on the system. The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it. The flaw is CVE-2018-7445 and it was discovered by Juan Caillava and Maximiliano Vidal from Core Security Consulting Services. Version 6.41.3 of RouterOS contains a fix.

Seems like the UPnP bugs will never die

Inception Framework: Alive and Well, and Hiding Behind Proxies
by Symantec  March 14, 2018
First some background on the bad guys: "The cyber espionage group known as the Inception Framework has significantly developed its operations over the past three years, rolling out stealthy new tools and cleverly leveraging the cloud and the Internet of Things (IoT) in order to make its activities harder to detect ... The nature of Inception’s targets ... along with the capabilities of its tools, indicate that espionage is the primary motive of this group ... Blue Coat was able to determine that the attackers were communicating with CloudMe.com through a hacked network of compromised routers, the majority of which were located in South Korea..." Then how they hide behind a chain of hacked routers: "Inception is continuing to use chains of infected routers to act as proxies and mask communications between the attackers and the cloud service providers they use. Certain router manufacturers have UPnP listening on WAN as a default configuration ... These routers are hijacked by Inception and configured to forward traffic from one port to another host on the internet. Abuse of this service requires no custom malware to be injected on the routers and can be used at scale very easily. Inception strings chains of these routers together to create multiple proxies to hide behind." This is the router bug that will not die. UPnP was never meant to be exposed to the Internet. Yet, back in January 2013, HD Moore, working for Rapid 7, found millions of routers doing just that. According to Symantec, Akamai reports 765,000 devices are currently vulnerable to this attack.

Cisco not immune to security problems

Hardcoded Password Found in Cisco Software
by Catalin Cimpanu of Bleeping Computer   March 8, 2018
As much as I advise against using consumer routers, high end devices from Cisco are also not immune to security problems. They just released 22 security advisories, including one that forced them to admit there was a hard coded password in their Prime Collaboration Provisioning software application. I don't know what that software does, but hard coding a password is a huge mistake and inexcusable (unless the US Government forced them to do this). Their other critical security flaw affected the Cisco Secure Access Control System, which was not as secure as it should have been. A Java deserialization issue allowed an unauthenticated, remote attacker to execute arbitrary commands with root privileges. Put another way, that's as bad as bad gets.

FEBRUARY 2018

Dasan refuses to fix its buggy router

A potent botnet is exploiting a critical router bug that may never be fixed
by Dan Goodin of Ars Technica   Feb. 14, 2018
In October 2017 an independent researcher finds a bug in the Dasan Networks GPON ONT WiFi Router H640X. Specifically, the login_action function uses strcpy without checking the length of input from the client request. This creates a buffer overflow that can lead to remote code execution. It is not clear if the bug also exists in other Dasan devices. The researcher enlists SecuriTeam to contact Dasan. That does not go well, Dasan basically ignores them. SecuriTeam publishes the details of the flaw in early December 2017. In early February 2018, Radware detects a new botnet where almost all the devices are from Dasan. They call it the Satori.Dasan botnet. Shodan reports about 40,000 devices listening on port 8080, with over half located in Vietnam. Satori infections don't survive a device reboot, so that's one defensive measure. If your router can set firewall rules, block 185.62.188.88 which is the command-and-control (C&C) server for the botnet.
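The defect described above, an unbounded strcpy() of a request field into a fixed-size buffer, has a small and well-known fix: measure the input against the buffer before copying, and refuse input that does not fit. The following is an added example, not Dasan's code; the structure layout, the 32-byte field size and the function names are assumptions chosen to show the vulnerable shape beside the hardened one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define USER_MAX 32     /* assumed size of the fixed username field */

struct login_request {
    char user[USER_MAX];
    int  attempts;      /* an adjacent field that an overflow of user[] would clobber */
};

/* Vulnerable shape: strcpy() stops only at the NUL it finds in src, so a
 * username longer than USER_MAX-1 runs past user[] into whatever follows.
 * Shown for comparison only; it is never given request data here. */
void copy_user_unchecked(struct login_request *req, const char *src)
{
    strcpy(req->user, src);
}

/* Hardened shape: measure src without scanning further than the buffer
 * could hold, refuse anything that does not fit together with its NUL
 * (refusing is safer than silently truncating a credential), and copy
 * with an explicit bound. */
bool copy_user_checked(struct login_request *req, const char *src)
{
    size_t n = 0;
    while (n < USER_MAX && src[n] != '\0')
        n++;
    if (n == USER_MAX)          /* no terminator within the space available */
        return false;
    memcpy(req->user, src, n + 1);
    return true;
}

/* Entry point a login handler would call for the user field. Returns
 * whether the value was accepted; neighbouring fields are never touched. */
bool handle_login_user(struct login_request *req, const char *src)
{
    return copy_user_checked(req, src);
}
```

The same check generalizes to every fixed-size field a request handler fills: the bound comes from the destination, never from the input.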

Netgear has fixed multiple bugs including a doozy

Wish you could log into someone's Netgear box without a password? Summon a &genie=1
by Iain Thomson for The Register   February 9, 2018
Good news: Netgear fixed a lot of bugs affecting many of their routers. Bad news: lots of bugs, patching is a manual process that few router owners do and the flaws were found by Trustwave, not by Netgear.
-- The worst bug is vulnerable on the LAN side only, assuming Remote Administration is disabled. Anyone that can access the web-based configuration interface, can gain control of vulnerable routers without a password by simply adding "&genie=1" to the URL. The Security Checklist page has suggested ways to lock down LAN side access to a router (item 3). The flaw was discovered in March 2017 and the patch released in September 2017. 17 router models are affected.
-- Another flaw, in the genie_restoring.cgi script, can be abused to extract files and passwords both from the router and from USB flash drives plugged into the router. 17 routers vulnerable here too. The flaw was discovered in March 2017 and the patch issued in August 2017.
-- A bug with WPS, leaves 6 Netgear routers vulnerable to arbitrary code execution as root for two minutes after the WPS button is pressed. This is due to a failure to sanitize hostnames. Simply put, if an attacker can press the WPS button on the router, the router can be completely compromised. This flaw was found in March 2017 and the patch was released in Oct. 2017.
-- The least serious flaw affects 6 routers. After logging in, root level command execution is possible via the device_name parameter on the lan.cgi page. Trustwave also found a three-stage attack leveraging three separate issues that lets any user connected to the router run OS commands as root on the device without providing any credentials.
-- See the October 2017 and November 2017 descriptions below of the bugs that Netgear fixed. Fixing bugs in a somewhat timely manner is good, but at some point you have to lose trust in their code base. And timely is a matter of opinion, these bugs took roughly 6 months to get fixed. Finally, the Netgear bug descriptions (here and here for example) say nothing at all about the nature of the problem. That does not inspire confidence.

Further proof that routers contain old software with known vulnerabilities

Comprehensive Firmware Binary Scan Finds KRACK is "Tip of Iceberg" For Known Wi-Fi Security Vulnerabilities
Press Release from Insignary February 6, 2018
In January 2016, the Wall Street Journal reported on home routers with old software containing known bugs - Rarely Patched Software Bugs in Home Routers Cripple Security. This report, from Insignary, shows that nothing has changed. Insignary does binary-level software composition analysis. In other words, they scan executable code (called firmware when dealing with routers) looking for signatures of open source software, and from those signatures, determine the version/release of the software in the executable code. In November 2017 they scanned the firmware of 32 Wi-Fi routers and found numerous known security vulnerabilities. No zero days here. The routers were from ASUS, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link. Every router had a security vulnerability. A majority of the examined firmware contained components with more than 10 "Severity High" security vulnerabilities. Half of the firmware had "Severity Critical" vulnerabilities. This report is, of course, a plug for their detection software, but that doesn't change the results.

JANUARY 2018

Critical Cisco VPN bug is worse than originally thought, then patched badly

Cisco drops a mega-vulnerability alert for VPN devices
by Sean Gallagher of Ars Technica January 30, 2018
Cedric Halbronn of the NCC Group discovered a critical bug in Cisco network security devices and VPN software. Devices configured with WebVPN clientless VPN software are vulnerable to an attack that could bypass normal security and allow an attacker to gain full control of vulnerable devices. That's bad. WebVPN allows someone to connect to a corporate intranet using just a secure web browser session. It requires no VPN client software or certificate. The attack on the VPN server is done with specially formatted XML messages that "double-free" memory. Executing the command to free a specific memory address more than once can cause memory leakage that allows the attacker to write commands or other data into memory. This can cause the system to execute commands or it could crash the system. Vulnerable devices run the Cisco ASA software with WebVPN enabled. Cisco has issued a patch, but to get it, customers without current maintenance contracts have to contact Cisco's Technical Assistance Center and ask nicely. A few days after news of this bug became public, Cisco said it was worse than initially thought. On their own, they identified additional attack vectors and features that are affected by the bug. Worse still, Cisco found that the original fix was incomplete and they issued a patched patch.
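A double free is what happens when two code paths each believe they own a heap object and both release it; in a parser the usual pair is an early error exit and a shared cleanup routine. The ownership rule that removes the bug is to release through one routine that also clears the caller's pointer, so a second release is a no-op. The following is an added example and not Cisco's code; the element record, the counters and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

static int live_elements = 0;   /* elements currently allocated (for checking) */

struct xml_element {
    char *name;
    char *text;
};

/* Own copy of a C string, so the example does not depend on POSIX strdup. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

struct xml_element *element_new(const char *name, const char *text)
{
    struct xml_element *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    e->name = dup_str(name);
    e->text = text ? dup_str(text) : NULL;
    live_elements++;
    return e;
}

/* Frees the element and the buffers it owns, then nulls the caller's
 * pointer. A second call through the same variable sees NULL and does
 * nothing, so an early error exit and the common cleanup cannot both
 * free the same memory. */
void element_release(struct xml_element **pe)
{
    if (!pe || !*pe) return;
    free((*pe)->name);
    free((*pe)->text);
    free(*pe);
    *pe = NULL;
    live_elements--;
}

int element_live_count(void) { return live_elements; }

/* Models the parser's two exits: on a malformed element the handler
 * releases early, and the shared cleanup releases again on the way out.
 * With a bare free() on the stale pointer that second call would be the
 * double free; here both exits are safe. Returns the live count, which
 * must be 0 on either path. */
int parse_element_with_cleanup(bool malformed)
{
    struct xml_element *el = element_new("auth", "session");
    if (!el) return -1;
    if (malformed)
        element_release(&el);    /* error exit */
    element_release(&el);        /* common cleanup, harmless if already released */
    return element_live_count();
}
```

Clearing the pointer is not a substitute for clear ownership, but it turns the second free from memory corruption into a no-op, and the live count makes the discipline testable.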

Asus router flaw has been fixed

FortiGuard Labs Discovers Vulnerability in Asus Router
by David Maciejak of Fortinet's FortiGuard Labs   January 30, 2018
Bug fixes have been released for the ASUS RT-N18U, RT-AC66U, RT-AC68U, RT-AC86U, RT-AC87U, RT-AC88U, RT-AC1900, RT-AC2900, RT-AC3100, RT-AC3200 and RT-AC5300. The flaw seems fairly minor. An attacker can forge an HTTP request that injects operating system commands that get executed as root. The flaw is due to unsanitized parameters passed to the apply.cgi script. It is mostly a LAN side attack, unless remote administration is enabled via HTTP. Asus fixed this quickly. It was reported to them Dec 23, 2017 and 4 days later they gave FortiGuard a patch to verify. The fix started rolling out Jan. 2, 2018.

Two Asus router flaws have been fixed

Advisory - Asus Unauthenticated LAN Remote Command Execution
by SecuriTeam a division of Beyond Security   January 22, 2018
Two vulnerabilities in AsusWRT (the firmware on Asus routers) version 3.0.0.4.380.7743 can lead to remote command execution from the LAN side. Independent security researcher Pedro Ribeiro discovered the flaws. Asus has released patches as of version 3.0.0.4.384_10007. One flaw is that the handle_request() routine allows an unauthenticated user to perform a POST request for certain actions. An attacker can trigger the vulnerabilities and reset the admin password. This, in turn, lets an attacker log in to the web interface, enable SSH, reboot the router and log in via SSH. Another flaw is in the same code that was reported buggy in 2015, the infosvr service which listens on LAN side UDP port 9999. The buggy routers are the RT-AC88U, RT-AC3100, RT-AC86U, RT-AC68U and RT-AC66U.
Update March 16, 2018: One of these bugs makes routers that are enabled for Remote Administration via HTTP (as opposed to HTTPS) vulnerable to attack. This may explain the multiple reports of DNS hijacking on Asus routers, described above in March 2018.
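Several entries on this page describe the same defect: a router CGI handler drops an unsanitized request parameter into an OS command that runs as root (the unsanitized apply.cgi parameters in the January 30 Asus item above, the D-Link DIR-620 admin page parameters and the Netgear device_name parameter on lan.cgi). The fix has two parts: allowlist the value, and run the program without a shell so the value can only ever be one argument. The following is an added example and not ASUS, D-Link or Netgear code; the parameter (host), the command (ping) and the validation rules are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable shape: the parameter is spliced into a shell command line,
 * so any shell metacharacter in it becomes part of the command. Builds
 * the string only; handing the result to system() is the bug. */
void build_cmd_unsafe(char *out, size_t outsz, const char *host)
{
    snprintf(out, outsz, "ping -c 1 %s", host);
}

/* Step 1: strict allowlist for a hostname or IPv4 literal: letters,
 * digits, '.', '-', a bounded length, and no leading '-' (which ping
 * would read as an option). Anything else is rejected, not escaped. */
bool valid_host_param(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-') return false;
    }
    return true;
}

/* Step 2: no shell. The program gets an argv array, so the value is
 * exactly one argument regardless of its content. Exposed separately
 * so the argv can be checked without running ping. */
bool build_ping_argv(const char *host, const char *argv[5])
{
    if (!valid_host_param(host)) return false;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return true;
}

/* Runs ping for a validated host via fork/execvp. Returns -1 if the
 * value was rejected or the process could not be run, otherwise ping's
 * exit status. */
int ping_safe(const char *host)
{
    const char *argv[5];
    if (!build_ping_argv(host, argv)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                 /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Rejecting rather than escaping matters on a router: the CGI typically runs as root, and an allowlist stays correct no matter which shell or busybox applet the firmware ships.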

Flaws in D-Link routers in Israel

Advisory - D-Link DSL-6850U Multiple Vulnerabilities
by SecuriTeam a division of Beyond Security   January 1, 2018
An independent security researcher reported two flaws in the D-Link DSL-6850U versions BZ_1.00.01 - BZ_1.00.09. The router is manufactured by D-Link for Bezeq in Israel. Bezeq was informed of the vulnerability on June 9, and released patches to address the vulnerabilities. One flaw was a default account that could not be disabled. The userid and password were both "support". In addition, remote administration was enabled by default and a flaw allowed for Remote Command Execution.
