|Router Security||Router Bugs Flaws Hacks and Vulnerabilities||
Website by |
If you care about the security of your router, and you should, it is best to avoid consumer grade routers. On the whole, the software in these routers is buggy as heck. Below is what I base this opinion on.
This page documents the existence of bugs in routers. Starting April 2018, I also track routers in the news which details the exploitation of router flaws.
You may be thinking that all software is buggy, but router software is probably worse. One reason for this is your ISP, which may have configured the router/gateway in an insecure way, either on purpose, to allow spying, or out of laziness or incompetence. Another reason is cost: router software is developed as cheaply as possible.
BIG BUGS: A number of flaws stand out. The port 32764 issue from January 2014 and April 2014 for example. A router backdoor was exposed, then instead of being removed, was just better hidden. Another flaw not to be missed is the Misfortune Cookie from December 2014. Then, of course, there is WPS, the electronic equivalent of a "hack me" sign on your back. Other huge flaws involved UPnP being exposed to the Internet and file sharing on a USB port.
THE US GOVERNMENT IS MAD AS HELL: In January 2017, the FTC accused D-Link of leaving its routers and webcam devices vulnerable to hackers. A lawsuit alleged that D-Link "failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access." D-Link was also accused of misleading the public about the security of their devices. D-Link denied they did anything bad. More on the Router News page.
This page has bugs from 2020, 2019, 2018 and 2017. Older bugs, from 2016 through 2012, are available at the bottom of this page. To see all the bugs on one B_I_G web page (makes it easy to find all the issues for any one manufacturer) click this button ==>DONE. All the bugs are now displayed below
Multiple D-Link router bugs
5 severe D-Link router vulnerabilities disclosed, patch now
By Ax Sharma of Bleeping computer July 24, 2020
It is not clear from this story which routers are buggy. The research the story is based on is for a router that is End-of-Life (no more bug fixes, it's too darn old to bother with). The bugs are in the web interface to the router, as they often are. Best practices for router security is always to limit LAN side access to the router's admin interface, and, of course, to disable remote administration. I found one bug quite noteworthy. It lets a bad guy bypass the router password by adding a couple parameters to the HTTP request to the router. The same flaw was reported in 2010 and again in 2011. That tells you all you need to know about D-Link.
Way too many bugs in Cisco software
Cisco releases security fixes for critical VPN, router vulnerabilities
by Charlie Osborne for ZDNet July 17, 2020
For the most part, I leave out Cisco bugs from this page because there are just too many of them. The number of critical bugs in Cisco software over the years has been far too high. I would not use their products. Cisco just released fixes for 34 bugs, five of which are the most critical in that they allow bad guys to get total control of vulnerable devices. One issue is the Telnet service in the Small Business RV110W Wireless-N VPN Firewall router. It has a default, static password that, if obtained by attackers, can lead to the full remote hijacking of a device. This is a mistake that can not be forgiven and not the first time Cisco has had hard coded passwords. A flaw in the management interface of the Cisco Small Business RV110W, RV130, RV130W, and RV215W routers can be exploited to execute arbitrary code as the root user. This is a very common flaw, improper validation of input. Translation: lazy programmers. Same thing with the web interface of the Cisco RV110W VPN Firewall and RV215W VPN router.
Do not buy a router from Tenda
Tenda AC15 AC1900 Vulnerabilities Discovered and Exploited
by Sanjana Sarda of Independent Security Evaluators July 10, 2020
Their research uncovered five bugs including two methods attackers can use to gain persistent unauthenticated root access to the router. They also found 7 open LAN side ports. Much of this article is focused on the specifics on the bugs and it leaves out the implications. Are the bugs exploitable LAN side or WAN side or both? Does a user have to be logged in to exploit the bug or not? Despite this, the article is very useful at the end. ISE first contacted Tenda in January 2020. Here, six months later, no response from Tenda at all. And, as always with router bugs, it is likely that similar flaws exist in other firmware versions and other Tenda routers.
79 Netgear devices are buggy and the company did nothing
SOHO Device Exploitation
by Adam of Grimm June 15, 2020
Quoting: "This is just one more example of how SOHO device security has fallen behind as compared to other modern software ... As such, it’s trivial to overflow the stack buffer." The author found a pre-authentication stack overflow vulnerability in the Netgear R7000 router running firmware version 126.96.36.199. The vulnerability, which allows for remote code execution, has been present in the R7000 since it was released in 2013. But that is only the beginning. Adam was able to identify 79 different Netgear devices and 758 Netgear firmware images that included the buggy code. The oldest buggy firmware dated back to 2007. The vulnerability was reported to Netgear on May 7, 2020 and they seemed to have ignored it. Using assorted scripts, Adam created an exploit for each of the 758 buggy firmware images. Then, he tested his exploit on 28 of the vulnerable devices to ensure that it worked as expected. Among the confirmed buggy routers are the Netgear R6250, R6300v2, R6400, R7000, R8000, R8300 and the R8500. Criticizing Netgear he said "In addition to lacking stack cookies, the web server is also not compiled as a Position-independent Executable (PIE), and thus cannot take full advantage of ASLR. As such, it’s trivial to find a ROP gadget within the httpd binary ... that will call system with a command taken from the overflown stack."
Bugs in a very old D-Link router
D-Link leaves severe security bugs in home router unpatched
by Ionut Ilascu of Bleeping Computer June 12, 2020
The D-Link DIR-865L router was released in 2012 and is no longer supported for U.S. consumers. However, on the website for European countries, the status is "End of Sale" which means that it can no longer be purchased but it is still supported by the vendor. Researchers at Palo Alto Networks' Unit 42 found and reported six security vulnerabilities in the DIR-865L in late February 2020. Now, over three months later, D-Link released beta firmware that fixes three of the six flaws. Two bigger issues: 1) What about other models? Unit 42 warned that newer routers may be vulnerable to the same flaws because they share a common code base. A good router vendor will check for the same flaw in all their products. A bad router vendor will not. The response from D-Link said nothing about any other models. 2) Who cares about such an old router? Why is Unit 42 even looking at ancient consumer devices? In the US, the DIR-865L went out of support in Feb. 2016.
Sophos quickly issues patch for their firewalls
Hackers are exploiting a Sophos firewall zero-day
by Catalin Cimpanu for ZDNet April 26, 2020
Bad guys were found to be attacking a previously unknown SQL injection vulnerability in the Sophos XG enterprise firewall. Sophos learned about the problem on April 22nd when a customer reported something strange. They published an emergency security update on April 25th. The firewalls can self-update, though I doubt every user has that enabled. No surprise to learn that vulnerable firewalls had either their administration or User Portal control panel exposed to the Internet. The bug let bad guys steal files from the XG firewall, and those files could include usernames and hashed passwords for the firewall administrator, for the firewall portal admins and for user accounts used for remote access to the device. Bad guys could also learn the firewall's license and serial number, and see some user emails. Sophos researchers named the malware Asnarok. From what I have seen, the Sophos response was great. You could not ask for more. Not only did they fix the bug quickly, they also documented the heck out of the issue.
Multiple issues with OpenWRT
Uncovering OpenWRT remote code execution (CVE-2020-7982)
by Guido Vranken of ForAllSecure March 24, 2020
The OpenWRT package manager, opkg, does not check the SHA256 hash of anything it downloads. This is compounded by it downloading updates over HTTP rather than HTTPS. In addition, the opkg unpacker is buggy; malformed data leads to a variety of memory violations. opkg on OpenWrt runs as root with write access to the entire filesystem, so arbitrary code could be injected by means of forged .ipk packages with malicious payloads. Also vulnerable is the LEDE fork of OpenWRT. One of the bugs was introduced in February 2017. Fixes are available.
Two Zero Day bugs in DrayTek routers (Updated)
A mysterious hacker group is eavesdropping on corporate email and FTP traffic
by Catalin Cimpanu of ZDNet March 28, 2020
According to Netlab, the network security division of Chinese security firm Qihoo 360, bad guys have been hacking into DrayTek routers to eavesdrop on FTP and email traffic. They first observed this in early December 2019. There are two different zero-day flaws in three DrayTek Vigor devices, the 2960, 3900 and 300B. The bugs could allow for arbitrary code execution on a vulnerable system. This could allow an attacker to eavesdrop on network traffic, operate SSH and Web based backdoors, and create system accounts. One flaw is in the login mechanism and it allows attackers to hide malicious code inside the router's username field. This malicious code can grant the hackers control over the router. Next, the attackers started recording traffic coming to port 21 (FTP), 25 (email), 110 (email) and 143 (email). These are four very old protocols and they still use plain text. It is assumed the attackers were looking for FTP and email passwords. The second flaw is in the "rtick" process and attackers used it to create backdoor accounts on the hacked routers. Qihoo says that around 100,000 vulnerable DrayTek devices are online. DrayTek issued updated firmware six days after they learned of the problem. And, DrayTek impressed me with this " The issue only affects the Vigor3900 / 2960 / 300B and is not known to affect any other DrayTek products". This is rare, vendors usually fix only the devices with the reported problem.
Multiple flaws in multiple Netgear routers
Thousands of Netgear routers are at risk of getting hacked: What to do
by Paul Wagenseil of Toms Guide March 5, 2020
Nearly 50 Netgear devices need firmware patches ASAP. The devices are seven modem-router gateways, 40-odd routers (including some Nighthawk and Orbi models) and one range extender. The worst of the flaws lets attackers remotely install malware on one router. A "pre-authentication command injection security vulnerability" on five routers could also lead to total network takeover. For a number of the flaws Netgear has not provided specific details. Does your Netgear router need an update? Turns out, this is a hard question to answer. Netgear does a terrible job of communicating to its customers what each router's model number is. They hardly ever use the actual model number in their consumer marketing and packaging. For example, the AC4000 Nighthawk X6S Tri-Band WiFi Router is the R8000P. To find the model number, turn the device over and look at the sticker on the bottom. The update procedure differs among the various routers. The article has a full list of the buggy router model numbers.
Millions of Internet boxes are vulnerable
by Lyrebirds ApS January 11, 2020
What to do?
I suppose you could try and learn the firmware version that your modem or gateway is running and then try to find out if it has been patched for the Cable Haunt flaw. In the US, this is almost definitely a waste of time.
First, see if your Internet box uses Broadcom. If not, you are safe. The Toms Guide article below has links to pages that show this for Arris and Netgear devices. For other companies see approvedmodems.com. If that fails, perhaps look for the technical specs of your modem or gateway. Maybe try to contact the hardware manufacturer. If Broadcom ...
If you have a router/modem combination box, run nmap on the LAN side IP address looking at all 65,535 TCP ports. If you have a router and a modem as stand-alone devices, run the same nmap against 192.168.100.1. After the nmap scan, try to use HTTP and HTTPS to access every open port. The buggy Spectrum Analyzer looks like this on a Netgear modem. Found a Spectrum Analyzer? If so, nag either your ISP or the hardware vendor for fixed software. Lotsa luck (probably won't happen). Better yet, block access to the buggy device. If its a combination modem/router, there should be some sort of LAN side restrictions about which devices can logon to the box. For more, see the Security Checklist page here, the section on Local Administration. If you have a router and a modem as separate devices, you need a nerd to configure a defense. One option is something called a static route - some routers let you configure this, some do not. If your router supports firewall rules (rare), see my blog below about creating an outbound firewall rule to block modem access. As a rule consumer routers, such as AmpliFi from Ubiquiti or Google WiFi do not offer outbound firewall rules.
Multiple bugs in Ruckus Access Points
A ton of Ruckus Wireless routers are vulnerable to hackers
by Zack Whittaker of TechCrunch December 28, 2019
Despite the headline, the buggy devices are Access Points not routers. Security researcher Gal Zror discovered 10 bugs in Ruckus devices. Three are biggies. They are in the web interface of the Unleashed line of APs. The flaws let a bad guy take complete control of a vulnerable router remotely and without needing a password. As bad as bad gets. Patches have been issued but the routers do not self-update. Ruckus Cloud access points are not buggy. Neither are their SmartZone-enabled devices. This was made public at a presentation at the 36th Chaos Communication Congress called Lecture: Don't Ruck Us Too Hard - Owning Ruckus AP Devices. This surprised me. For one, its the first mention of Ruckus in my list of bugs. Second, Ruckus is a high end company. Then again, Cisco is also high end and their software has a terrible track record when it comes to bugs and flaws and vulnerabilities.
More buggy D-Link routers
D-Link DIR-859 —Unauthenticated RCE (CVE-2019–17621)
by Miguel Méndez Z. Decembe 24, 2019
Back in Oct. 2019, we learned of a Remote Code Execution bug in a single D-Link router, the DIR-859 (CVE-2019-17621). The bug could be exploited by anyone on the LAN to take full control of the router. Of course, many routers from the same company share the same firmware (operating system) so it was not a surprise when, in Nov. 2019, we learned that many more D-Link routers share the same bug. Some of the buggy routers are too old and will not be updated. Some have already had fixes released. Still more, are slated to have fixes released soon. These are the buggy models: DIR-818Lx DIR-822, DIR-823, DIR-859, DIR-865L, DIR-868L, DIR-869, DIR-880L, DIR-890, DIR-885, DIR-895. In some cases, the router firmware must be updated twice. Ugh. The vulnerability is in the code used to manage UPnP requests.
Four buggy TP-Link routers
TP-Link Archer Router Vulnerability Voids Admin Password, Can Allow Remote Takeover
by Grzegorz Wypych and Limor Kessem of IBM X-Force Red December 16, 2019
There are critical bugs in the TP-Link Archer C5 v4, Archer MR200v4, Archer MR400v3 and the MR6400v4. Are other TP-Link routers safe? Don't know. No one said anything about other routers having been tested. The bug lets a bad guy take full admin control of the router. First, the bad guy has to trick the router as to the source of a login request. This is not hard. Then, the bad guy simply has to provide a password that is the wrong length. If the password is too short, it locks out access to the router. If the password is too long, it voids the current password letting the bad guy login without a password. TP-Link never fails to impress. Firmware updates are available. However, as the article below by Paul Wagenseil details, the firmware update process is miserable. The Archer MR200, MR400 and MR6400 are LTE-based routers sold in the European Union. The Archer C5 AC1200 is a home Wi-Fi router, sold in many countries.
More buggy D-Link routers that will not be fixed
D-Link Adds More Buggy Router Models to 'Won’t Fix' List
by Tom Spring of ThreatPost November 19, 2019
A new bug in D-Link routers will not be fixed because the routers are too old to bother with (they are End-of-Life or EoL). The bug allows a bad guy, who does not know any passwords, to access the web configuration interface of the router. The buggy devices are: DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L, and DIR-862. D-Link suggests disabling remote administration, resetting the affected routers and using a complicated router password. It is not clear if this bug is similar to the bug (CVE-2019-16920) that FortiGuard Labs reported last month. That bug impacted 10 of the same routers. Spring puts this bug in perspective, noting a long history of bugs in D-Link routers. A September 2019 bug can leak passwords. A May 2019 bug allowed DNS hijacking. In 2017, we learned that the D-Link DIR-130 was one of 25 routers that could be exploited by the CIA. Also in 2017, the 850L and AC1200 had multiple vulnerabilities that could allow a hacker to gain remote access and control of device.
Zero Day flaw in the D-Link DIR-878 router. Others too?
Tianfu Cup Round-Up: Safari, Chrome, D-Link Routers and Office 365 Successfully Hacked
by Elizabeth Montalbano of ThreatPost November 18, 2019
Hackers, at the annual Tianfu Cup gathering over the weekend, successfully compromised the D-Link DIR-878 router using a zero-day vulnerability. Note the plural use of the word hackers. The router was hacked by seven, yes, seven, different groups. It has been a few days and, so far, no response from D-Link on their security bulletin page. Will they acknowledge the flaw? Will they fix it? Time will tell. The bigger picture, however, involves other D-Link router. It is likely that other similar routers share the same buggy software. And, some recent history: in March 2019 the German Federal Office for Information and Security (BSI) issued a warning about bugs in the DIR-878 and the DIR-825. The bugs are easily exploited and let attackers bypass the logon processes and execute malicious code.
Ten D-Link routers that should be thrown away
Multiple D-Link routers vulnerable to remote command execution
by US Cert October 23, 2019
These 10 D-Link routers are buggy, will not be fixed and should be thrown away: DIR-655, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835 and the DIR-825. A remote, unauthenticated attacker may be able to execute commands with root privileges on a buggy router. This can happen as the result of viewing a specially-crafted web page. The bug was publicly disclosed by Fortinet's FortiGuard Labs, same as below. This appears to be the same bugs as below, just that is has been found in six more routers.
D-Link won't fix bugs in four of its routers
D-Link Won't Fix Serious Security Flaw on Four Wi-Fi Routers
by Paul Wagenseil of Tom's Guide October 8, 2019
Beware the D-Link DIR-652, DIR-655, DIR-866L and DHP-1565 routers. They have critical bugs. An attacker halfway across the world could hijack these routers without needing a password. Everyone suggests throwing these routers away. I agree. End of Life is the techie term for the computing devices that are too old to bother with. As Seinfeld might have said: No bug fixes for you! Manufacturers win twice with routers that are deemed EoL: they don't have spend money fixing bugs and they motivate customers to buy new routers. Usually EoL devices are no longer sold. Not so with D-Link. Three of them can still be bought new from third-party sellers on Amazon's U.S. website. Is the same bug in any other D-Link routers? None of our business. Fortinet, which found the bug, does not say which or how many routers they tested. And, the D-Link response is limited to these four routers with no mention of any others.
Bugs Bugs Bugs - 125 in all
SOHOpelessly Broken 2.0
by Independent Security Evaluators September 16, 2019
My summary is on the News page.
Here we go again - another LAN side protocol available on WAN
Protocol used by 630,000 devices can be abused for devastating DDoS attacks
by Catalin Cimpanu of ZDNet August 27, 2019
Just as with UPnP all those years ago, routers (and IoT devices) are exposing a protocol meant exclusively for LAN-side use to the Internet at large. This time the protocol is WSD (a.k.a. WS-Discovery and Web Services Dynamic Discovery). Bad guys abuse WSD to create DDoS attacks. WSD listens on UDP port 3702 (some articles also referenced TCP port 3702). Like UPnP, WSD is a protocol for LAN side devices to discover each other and their capabilities. Is there a printer in the house? WSD communication starts with requests to the IPv4 multicast address 188.8.131.52. IPv6 uses FF02::C (link-local scope). Being exposed to the WAN is only one bug, the other is that devices should only respond to requests to these two IP addresses. WSD responses sometimes come from port 3702, sometimes from random high numbered ports. Akamai noted that most vulnerable devices were CCTV cameras and DVR systems. No article said anything about the failure of the routers to block these vulnerable devices. UPnP haunts us still.
Four router vendors refuse to fix bugs
Cross-Router Covert Channels
by Adar Ovadya, Rom Ogen, Yakov Mallah, Niv Gilboa and Yossi Oren of Ben-Gurion University August 2019
Researchers at Ben-Gurion University found multiple ways to communicate between the two Wi-Fi networks typically offered by a router. They refer to these two networks as Host and Guest, most people refer to them as Private and Guest. The research was presented at the 13th USENIX Workshop on Offensive Technologies (WOOT). They tested routers from TP-Link, D-Link, Edimax and Linksys and all the companies refused to fix anything. Quoting: "We sent a draft of our findings to the manufacturers of the routers ... during May 2019. During June 2019 the Belkin/Linksys security response team notified us that they do not intend to fix the vulnerability we disclosed. None of the other router vendors responded to our disclosure". As I say elsewhere on this site, don't use a consumer router. The bugs are pretty obscure. For example, on some routers, a DHCP NAK from one network is erroneously sent to the other network which can be used to send a small amount of data to the other network. They also discovered that quickly joining and leaving an IGMP group from the Private network caused an IGMP Membership Query packet to be sent to both the Private and Guest networks. This too can be used transfer data between the two networks. There were also some timing attacks.
Bugs found in multiple 4G Hotspots
Reverse Engineering 4G Hotspots for fun, bugs and net financial loss
by G Richter of Pen Test Partners August 10, 2019
A 4G hotspot is a router. The biggest difference is that it connects to the Internet via 4G rather than an Ethernet cable. Pen Test Partners found multiple vulnerabilities in several well known vendors Mi-Fi devices, including pre- and post-auth command injection and code execution. The vendors involved were generally poor at responding to disclosure attempts. ZTE was the worst, they responded that a device was end of life, so the bugs would not be fixed ... yet they were still selling it from their own online store! They also found bugs in Netgear and TP-Link devices.
Critical bugs in four TP-Link Wi-Fi Range Extenders
Critical RCE Vulnerability in TP-Link Wi-Fi Extenders Can Grant Attackers Remote Control
by Grzegorz Wypych of Security Intelligence June 18, 2019
Four TP-Link Wi-Fi extenders have a critical remote code execution (RCE) vulnerability. The bug lets a remote attacker get complete control over the device. The attacker does not need to login or authenticate to the device to exploit the bug. The problem is triggered with a malformed user agent field in HTTP headers. The buggy devices are the RE365 (sold in Europe), the RE650 (sold in the US, UK and Canada), the RE350 (same 3 countries) and the RE500 (sold in the US and Canada). Patches have been issued but device owners have to manually download them and install them. First, they have to insure the correct hardware version for the available firmware, then they have to get the firmware for their country. All processes on these devices run with root-level access which is just asking for trouble.
Still another critical bug in Cisco software
Cisco IOS XE Software Receives Fix Against High-Severity Flaw
by Ionut Ilascu of Bleeping Computer June 13, 2019
Far too much of this web page is devoted to bugs in Cisco software. They just released an updated version of their IOS XE operating system to patch a high severity bug - insufficient cross-site request forgery (CSRF) protections in the web-based user interface of the software. The bug can be exploited by an unauthenticated, remote attacker who could persuade an already logged in user of the web interface to follow a malicious link. The link could then perform arbitrary actions with the privilege level of the victimized user. If the victim is an administrator, bad guys could modify the configuration, run commands and even reload a vulnerable device. The good news is that a victim has to be logged in to the system before they can be exploited. Also, exploitation requires the HTTP Server feature to be active and it is not always active by default (this is version dependent).
Cisco screws up for the millionth time
Thrangrycat by Red Balloon Security May 21, 2019
Take a look at the bugs tracked on this site. Lots of Cisco issues over the last few years. Paraphrasing Red Balloon: There are two bugs that affect about 150 different Cisco devices. The first, known as Thrangrycat, allows an attacker to fully bypass the Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. This is due to multiple hardware design flaws in the TAm. The second is a remote command injection vulnerability against IOS XE version 16 that allows remote code execution as root. By chaining these, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm. The TAm is a proprietary Cisco hardware security module. It is the root of trust that underpins all other Cisco security mechanisms. Thrangrycat allows an attacker to make persistent modification to the TAm, thereby defeating the secure boot process and invalidating the chain of trust at its root. While the flaws are based in hardware, they can be exploited remotely. Since the flaws involve the design of the hardware, it is unlikely that any software patch will fully resolve the fundamental issues. Cisco released a patch for IOS XE and provided the Cisco IOS Software Checker to identify vulnerabilities in Cisco IOS and IOS XE. Cisco is working on patches for Thrangrycat, but notes that the patch will not be a straightforward update for most devices but instead will require "on-premise[s] reprogramming of a low-level hardware component." Patches for many routers, switches and network interface modules will be released between May 2019 and November 2019. As for detection and mitigation, Red Balloon will present this in a talk at BlackHat USA 2019.
TP-Link publicly shamed
Thousands of vulnerable TP-Link routers at risk of remote hijack
by Zack Whittaker of TechCrunch May 22, 2019
Thousands of TP-Link routers are vulnerable to a bug, and it took more than a year for TP-Link to publish the patches on its website. They created the patches, they just didn't publish them. The bug lets a low-skilled attacker to get full remote access to a vulnerable router. The bug was first disclosed to TP-Link in October 2017. Shortly thereafter, they released a patch for the WR940N router. But, the WR740N was vulnerable to the same bug and no patch was released for it. TP-Link was warned about this in January 2018, yet ... nothing until they were publicly shamed by TechCrunch.
Linksys found to be both incompetent and unconcerned with security
Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw
by Troy Mursch May 13, 2019
Thirty three Linksys routers are buggy and Linksys will not fix it. They tried to fix it five years ago, but they screwed that up. Yet another confirmation of the opinion I offered on this site from the get-go back in 2015 - avoid consumer routers. The flaw affects Linksys Smart Wi-Fi routers. It allows unauthenticated remote access to sensitive information and its easily exploited by bad guys with little technical knowledge. The routers leak information both about themselves and about every (yes, every) device that has ever connected to them. For connected devices, Linksys always leaks the MAC address, Device name ("TROY-PC") and Operating system. Sometimes it also leaks the device type, model number, and a description of the attached device. As for router information, it leaks the model number, hardware version, serial number, firmware release level, MAC address, the LAN side IP address, WAN settings, firewall status and DDNS settings. Leaking the MAC address lets bad guys determine the physical location of the router. Data provided by BinaryEdge, shows that 25,617 Linksys Smart Wi-Fi routers are currently leaking sensitive information to the public. Among the 33 buggy models are the E4200, EA2700, EA5800, EA6900, EA7300, EA8500, EA9200, WRT1900AC, WRT3200ACM, XAC1900 and WHW03 Velop. The full list is here. This is yet another in a long line of HNAP bugs. The bug can also reveal if a router is using the default password (thousands are) without even trying to login. The worst part is that Linksys tried to fix this five years ago but clearly screwed that up. Then, when contacted about it recently, they had no interest in fixing it properly. Yes, if you disable remote web access you block the information leak. However, Linksys Smart Wi-Fi routers require remote access for the Linksys App to function.
29 new Cisco Bugs
Cisco warns over critical router flaw
by Liam Tung of ZDNet April 18, 2019
Cisco has disclosed 29 new vulnerabilities, 5, 6 or 7 of which are doozies. Its too much for tech reporters to digest. One of the critical bugs is in the ASR9000 Series Aggregation Services Routers. The bug is as bad as bad gets, it can be exploited remotely by a bad guy without a password. There is a patch and a workaround. The other critical bugs affect Cisco Wireless LAN Controller software. Another bug is in the Cisco Expressway Series and Cisco TelePresence Video Communication Server. Another biggie is in Cisco Aironet Series Access Points. Finally, there is a critical bug in the Cisco Cluster Management Protocol code in Cisco IOS and Cisco IOS XE. As with the first bug a remote bad guy without a password can obtain full control of vulnerable devices. If the devices accept Telnet connections, a bad guy who sends malformed Telnet options while establishing a connection can execute arbitrary code. The Threatpost article below offers some context, noting that earlier this month, Cisco re-patched flaws for two high-severity bugs after their first attempt was botched. And, they reported two new router bugs with no fixes or workarounds. Just what you want in a router vendor.
TP-Link, yet again
Buffer Overflow Vulnerability in TP-Link Routers Can Allow Remote Attackers to Take Control
by Grzegorz Wypych and Limor Kessem of IBM Security Intelligence April 8,2019
There is a buffer overflow flaw in the TP-Link TL-WR940N and TL-WR941ND routers. No other models were tested, so it is likely that others in the same family are vulnerable too. These models are old (they are 300Mbps Wi-Fi N) and have been discontinued. The bug allows bad guys to take control of the device from a remote location. Sounds worse than it is. You have to already be logged on to the web interface to exploit the flaw. And, the flaw is in the web interface, so if Remote Administration is disabled, as it often is, then it can not be exploited from overseas. TP-Link issued patches. Why are so many of these reports about ancient routers? Perhaps because if you break a $30 router while hacking it, no big deal.
Three bugs in a Verizon FIOS router
Verizon Fios Quantum Gateway Routers Patched for Multiple Vulnerabilities
by Tenable Research April 9, 2019
Tenable has discovered 3 vulnerabilities in the Verizon Fios G1100 Quantum gateway/router. A Command Injection flaw can only be exploited by a user already logged on to the device. It is exploitable from the LAN side and remotely if Remote Administration is enabled. Because HTTPS is not enforced in the web interface, an attacker on the LAN side can intercept login requests using a packet sniffer and then replay the requests to get admin access to the web interface of the router. Packet sniffing a login request also provides a salted password hash (SHA-512). An unauthenticated attacker can retrieve the password salt simply by visiting a URL in a web browser. Thus, an attacker could perform an offline dictionary attack to recover the original password. Of course, the focus on passwords is because insecure firmware, like this, always uses the same userid. By now, most Verizon FIOS customers should have the updated firmware. If you have a G1100 you should verify this. The real lesson here is not use hardware from an ISP. See the Disclosure Timeline in the first article below and judge the Verizon repsonse for yourself.
TP-Link ignores a security problem
TP-Link 'smart' router proves to be anything but smart - just
like its maker: Zero-day vuln dropped after silence
by Thomas Claburn of The Register March 28, 2019
90 days ago Matthew Garrett, a Google employee, informed TP-Link of a bug in their all-in-one SR20 Smart Home Router. TP-Link ignored the problem. To me, this is the more important issue, much more interesting than the bug itself. Garret wrote: "I reported this to TP-Link in December via their security disclosure form, a process that was made difficult by the "Detailed description" field being limited to 500 characters. The page informed me that I'd hear back within three business days - a couple of weeks later, with no response, I tweeted at them asking for a contact and heard nothing back." The SR20 is a combination Zigbee/ZWave hub and router. Ignoring security problems is one of three mistakes TP-Link made. They also ship devices with debug daemons, software intended for testing, that does not belong in a released product. The software is the TP-Link Device Debug Protocol (tddp) and it has had multiple vulnerabilities in the past. This bug allows allows arbitrary command execution, as root, without authentication, from devices on the LAN. TDDP listens on the WAN side too, but the default firewall configuration blocks it there. To better control access to the router from LAN-side devices see the Local Administration section of my security checklist. Garrett also said that @CoreSecurity had the same experience when they reported TDDP flaws.
Bugs in two D-Link routers found by the BSI in Germany
D-Link investigates router vulnerability after German security agency warning
by CET news March 1, 2019
D-Link is investigating bugs in the DIR-825 and DIR-878 after a warning from the German Federal Office for Information and Security (BSI). The BSI assigned a severity rating of "high". The bugs allow attackers to bypass the logon processes and execute malicious code. The bugs are easily exploited. The DIR-825 got its last update in 2015, the DIR-878 was last updated in August 2018. My guess (time will tell) is that these bugs will not be fixed.
Can Cisco be trusted?
Multiple vulnerabilities in Cisco Identity Services Engine (Unauth XSS to RCE as root)
by Pedro Ribeiro of Agile Information Security and Dominik Czarnota First published Jan 20, 2019, Last Updated Feb 5, 2019
I don't care much about the details here, and the bugs are not in a router. But Cisco makes routers and the bigger issue, to me, is just how trustworthy Cisco is. They appear on this bug list often. Would you buy a router from them? Quoting: "ISE is distributed by Cisco as a virtual appliance. We have analysed version 184.108.40.2067 and found three vulnerabilities ... By putting them all together, we can achieve remote code execution as root, provided we can trap an administrator into visiting the page vulnerable to the stored cross site scripting." Agile dealt with Cisco about these bugs and it did not go well, leading to Ribeiro saying "These actions show Cisco is incredibly negligent with regards to the security of their customers. They are still shipping (and recommending) a product version vulnerable to unauthenticated remote code execution, with a fully working public exploit and no way to track fixes or fixed versions for these vulnerabilities." Ouch.
Three bugs in two Cisco routers
Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
a Cisco Security Advisory January 23, 2019
This happened fast. In September 2018, three bugs were reported to Cisco by German security firm RedTeam Pentesting. Cisco released patches for the bugs on January 23, 2019. The next day, proof of concept software was released that exploited the bugs. The day after that, bad guys were scanning for vulnerable Cisco routers. The bugs are exploitable on both the LAN and WAN side using just HTTP and/or HTTPS GET requests. The first two bugs expose information about the router to anyone who asks - no password is needed. One of these bugs exposes the Admin password. With that, bad guys can abuse the third bug to run any Linux command on the box. The vulnerable URLs are
where 220.127.116.11 is either the LAN side or WAN side IP address of the router. The bugs are CVE-2019-1653 and CVE-2019-1652. The Cisco RV320 and RV325 routers are popular among both ISPs and large enterprises. On the WAN side, the web interface is exposed on TCP port 8007. Information about attacks on these bugs is on the News page.
Many Cisco switches have a backdoor account
Critical, Unpatched Cisco Flaw Leaves Small Business Networks Wide Open
by Tara Seals of Threatpost January 18, 2019
These Cisco Small Business switches are vulnerable to full remote takeover thanks to a backdoor account: the 200 and 250 Series Smart Switches, the 300 and 350 Series Managed Switches, the 350X, 500 and 550X Series Stackable Managed Switches. There is no patch, but there is a work-around. The most interesting question is whether this is a bug or a feature. It looks like a bug in that it has an official CVE number (CVE-2018-15439) and a critical base CVSS severity rating of 9.8 (really bad). The devices ship with an in-built privileged user account that is used for the initial login. This account can not be removed. It is defined in a software-internal data structure and its not visible in either the running configuration or the startup configuration of an affected device. Bad guys can use this account to log in to a vulnerable device and execute commands with full admin privileges. The work-around is creating a user account with access privilege level of 15 (or higher?). But, if that account gets deleted, the hidden one works again, without notifying system administrators. It sure feels like a back door that can be easily hidden in case the virtual cops are coming. Why else hide the existence of this in-built account? Also, there have been many other backdoors discovered in Cisco software over the last year or so. It has been about 3 months and still no patch.
Two critical bugs in Synology routers
Synology Security Advisories
by Synology December 26, 2018
Bug Synology-SA-18:65 SRM: "A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Router Manager (SRM)." No details are given. The bug was found by Uriya Yavnieli of VDOO. There is a fix for SRM 1.2 only, earlier versions of SRM are not addressed. The fix was released Dec 26th in firmware version 1.2-7742-5.
Bug Synology-SA-18:62 is in Netatalk versions prior to 3.1.12. The bug allows remote unauthenticated attackers to execute arbitrary code. The bug allows an out of bounds write in dsi_opensess.c due to the lack of bounds checking. This is also fixed in SRM 1.2 version 1.2-7742-5, same as the other bug.
Multiple D-Link routers disclose passwords
[CVE-2018-18007] atbox.htm on D-Link DSL-2770L devices allows remote unauthenticated attackers to discover admin credentials
by Tyler Cui Dec 16, 2018
The buggy device is the D-Link DSL-2770L, a DSL modem/router. The bug: "An authenticated user can visit the page atbox.htm, for example, http://victim_ip/atbox.htm, and obtain clear text password of user admin at the line: else if(ff.curpd.value != '__password__') location='atbox_pd.htm' "
Disgraceful coding by D-Link. No excuse for this at all. Also coming down the pike:
CVE-2018-18008: This vulnerability affects D-Link DSL-2770L, DIR-140L, DIR-640L, DWR-116, DWR-512, DWR-555, and DWR-921 routers. An unauthenticated user can visit the page 'spaces.htm' and obtain the admin account password in clear text
CVE-2018-18009: This vulnerability affects D-Link DIR-140L and DIR-640L routers. A remote unauthenticated user can access the file 'dirary0.js' and obtain the admin account password in clear text.
The bug descriptions all say both that the attacker has to be authenticated and that the attacker does not have to be authenticated. It is not clear if these bugs can be exploited remotely or not. D-Link was notified of the bugs in June 2018 and never created a patch. The pattern is clear. This programming bug is so bad, really so amateurish, that avoiding D-Link devices altogether seems the smart thing to do.
High end Huawei routers leak password information
Information Disclosure Vulnerability CVE-2018-7900 Makes It Easy for Attackers to Find Huawei Devices at Risk
by Ankit Anubhav of NewSky Security December 19, 2018
Simply put, everyone is at fault. Huawei for creating the vulnerability and the companies running Huawei routers for using default credentials. Thanks to bug CVE-2018–7900 bad guys can tell if a Huawei router is using the default password without even trying to logon to the router. All they need do is examine the HTML for the logon page. Even easier, ZoomEye and/or Shodan search engines can, if you know what to look for, report all Huawei routers using default credentials. The problem was reported to Huawei in Sept. 2018 and they have issued a patch. The vulnerable routers are high end devices used by ISPs and the patch has not yet been installed everywhere. Which specific routers are vulnerable was not disclosed.
Three buggy Trendnet routers will not be fixed
Multiple vulnerabilities found in Trendnet routers and IP Cameras
by Prashast Srivastava, Mathias Payer, Howard Shrobe and Hamed Okhravi December 7, 2018
The bugs are in these TRENDnet routers: TEW-634GRU, TEW-673GRU and TEW-632BRP. Two IP cameras were also buggy. For all the flaws, it is not clear if they can be exploited remotely or not. One flaw requires the attacker to already be logged in to the router, but another one does not require any authentication. One flaw makes it possible to execute arbitrary commands on the router with root privileges. The routers are old (End of Life) and will not be patched.
Four bugs in the TP-Link TL-R600VPN
From directory traversal to direct travesty:
Crash, hijack, siphon off this TP-Link VPN box via classic exploitable bugs
by Richard Chirgwin of The Register November 20, 20189
Cisco's Talos found four security vulnerabilities in the TP-Link TL-R600VPN router. A denial-of-service flaw and a file-leaking bug are both due to input sanitisation mistakes. The directory traversal bug lets anyone read any file on the system. Parsing bugs led to two remote code execution (RCE) flaws that can be exploited by a logged-in user. However, the other two flaws can be exploited by anyone that can access the web interface. Definitely exploitable on the LAN side, and if remote administration is enabled, then exploitable on the WAN side too. The article said that fixes are available, but that does not seem to be true. On March 29, 2019 I found the newest firmware for the vulnerable hardware versions 2 and 3 to have been released in August 2016 and August 2014, well before these bugs were found.
A bug in an old D-Link router
CyRC analysis: CVE-2018-18907 authentication bypass vulnerability in D-Link DIR-850L wireless router
by the Synopsys Cybersecurity Research Center November 15, 2018
The D-Link DIR-850L router was initially released in early 2013. Hardware version A (there is also a B) has a bug that lets attackers get onto its Wi-Fi network with having to know the WPA2 password. D-Link issued a patch three months after the bug was first reported. The only router tested for this flaw was the DIR-850L which Amazon is currently selling (in the US) for $60. No one has said anything about whether similar models might also be affected. Seems like no one has bothered testing other models. The model in question was chosen at random, the researcher was looking into something unrelated and just happened to have this particular router available to him. So, it is quite possible that other D-Link routers are also vulnerable. And, speaking of D-Link, lets not forget that the Federal Trade Commission (FTC) filed a lawsuit against D-Link early in 2017 complaining of assorted bad security practices. There will be a trial in January 2019. On a related note, I tried to view the tech support page for the DIR-850L router but it would not load in my browser. D-Link uses TLS 1.0 on their tech support site. This is a very old and known buggy protocol and I had disabled its use in my browser.
Is this a good thing?
Cisco removed its seventh backdoor account this year, and that's a good thing
by Catalin Cimpanu for ZDNet November 7, 2018
For the seventh time this year, Cisco has removed a backdoor account from one of its products. Five of the seven were discovered by Cisco's internal testers. The company has been reviewing the source code of all of its software since December 2015. In an attempt to make George Carlin proud, Cisco refers to backdoor accounts as "undocumented, static user credentials for the default administrative account" or "the affected software enables a privileged user account without notifying administrators of the system."
Bugs in Xiaomi Mi Router 3
Hack Routers, Get Toys: Exploiting the Mi Router 3
by Shaun Mirani of Independent Security Evaluators November 6, 2018
There are three bugs in the Xiaomi Mi Router 3 running firmware version 2.22.15. Two are command injection flaws, the third is reflected XSS. The command injection flaws allow an authenticated user to run arbitrary system commands with root privileges. The bugs were reported to Xiaomi in June. And, that's where it ends. The article is, frankly, amateurish. It does not say if the flaws are exploitable on the LAN side, the WAN side or both. It does not say if the XSS flaw can be exploited by an un-authenticated user. It does not say anything about fixes from Xiaomi.
Bleeding Bit bug in high end Access Points
Bluetooth bugs bite millions of Wi-Fi APs from Cisco, Meraki, and Aruba
by Dan Goodin of Ars Technica November 1, 2018
Yes, the bugs are in Access Points and not routers. Yes, the bugs are in high end enterprise devices rather than consumer routers. So, why is it included here? I felt like it. Millions of Wi-Fi access points sold by Cisco, Meraki, and Aruba a critical Bluetooth bug that could allow attackers to run install and run malware on the devices. The bug was found by Armis. The malware could get access to all subnets, that is, it would not be stopped by a VLAN. The bug is in Bluetooth Low Energy (BLE), in software from Texas Instruments and they were aware of the issue, but they were not aware that it could be exploited in such a malicious manner. Why would a Wi-Fi Access Point support Bluetooth in the first place? Fancy features. Retailers can use them to track customers inside stores by monitoring the Bluetooth beacons sent by smartphones. Not me, Bluetooth is always disabled on my phone. Meraki and Aruba have issued patches. The real-world likelihood of this being exploited is debatable. BLE is enabled by default on some, not all, vulnerable Cisco and Meraki APs. Also, the bug requires a scanning feature to be enabled and it is disabled by default on all vulnerable devices.
A second bug has to do with an over-the-air firmware update feature of Aruba APs. The feature exists to ease firmware updates while developing products. It was never intended to be included in production devices. But, Aruba makes a password-protected version of the update feature available in their series 300 APs. Password? Smashword. The password used across all the devices is identical. Way to go Aruba. An attacker can learn the password by sniffing a legitimate update or reverse-engineering the device. Game over. Bad guys can then install any firmware they want.
Tin foil hat: a reader comment at Ars raised an issue that I first heard at a security conference this past summer. What if the removal of 3.5 mm audio ports in phones was to force more people to keep Bluetooth enabled, and thus, keep them traceable? If that is true, we won't know for at least 30 years.
Yet another ISP behaving badly
We asked 100 people to name a backdoored router. You said 'EE's 4GEE HH70'. Our survey says... Top answer!
by Chris Williams of The Register October 26, 2018
A Wi-Fi router (4GEE HH70 gateways) used by British mobile network EE has a hidden backdoor account with a hard-coded username and password. The account is accessible via SSH from the LAN (inside) side of the router. The devices run OpenWRT and the account is root. The 4GEE home gateway connects to EE's mobile phone network. They are used by people who live in rural areas without fast wired connectivity. When the problem was reported to EE they blew it off, until The Register got involved. That said, it was still not clear whether a patch had been rolled out or not. After shaming EE, The Register learned that they did issue a patch, but customers have to install the new firmware themselves.
New Cisco flaw
Cisco zero-day exploited in the wild to crash and reload devices
by Catalin Cimpanu for ZDNet October 31, 2018
Cisco has revealed the existence of a zero-day vulnerability affecting products that run Adaptive Security Appliance and Firepower Threat Defense software. The flaw allows an unauthenticated, remote attacker to cause a device to reload or trigger high CPU usage, resulting in a denial of service. The vulnerability resides in the Session Initiation Protocol (SIP) inspection feature. The vulnerability has been exploited in the wild. There is not yet a patch available, but there are mitigations, the most obvious being to disable SIP inspection. Another defense is to block the bad guys IP address (pretty lame). Finally, in the attacks seen to date, the "Sent-by Address" has been all zeros, so these can also be filtered. Known vulnerable devices are: 3000 Series Industrial Security Appliance, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance, Firepower 2100 and 4100 Series Security Appliance, Firepower 9300 ASA Security Module and FTD Virtual.
Nov. 6, 2018: Still no patches released.
Krack is back - new Wi-Fi issues get no press coverage
Auditing KRACKs in Wi-Fi
by Mathy Vanhoef of imec-DistriNet, KU Leuven September 2018
Last year we had the Krack vulnerability in WPA2 and everyone fixed it, or so we thought. In certain cases, attacks are still possible according to newly published research from Mathy Vanhoef and Frank Piessens. Vanhoef discovered the flaw initially. They report on three problems. First, buggy bug fixes. Second, they discovered new techniques to bypass the official defense against KRACK, allowing an attacker to replay broadcast and multicast frames. However, they do say that this can only be abused to reinstall the (integrity) group key, and it is non-trivial to execute in practice. Third, they disclosed easier and more effective techniques to attack unpatched Wi-Fi devices. And, for good luck, they explain in more detail how to abuse certain vulnerabilities that were disclosed last year. The tech press has ignored this, perhaps because they write that " most users should not worry ... our new paper and results are not as serious as the original key reinstallation attacks."
Still, they inspected patches and open source code and shamed Apple: macOS was found to re-use the SNonce during rekeys of the session key (this is beyond me) and iOS did not properly install the integrity group key (beyond me too). They write that these bugs have a similar impact as the original KRACK attacks. And, Apple never owned up to their mistake. Their patches to their patches are not mentioned in Apple's security update notes. Their tests showed that the code is finally correct in iOS 12.0 and macOS High Seirra 10.13.3 (maybe earlier).
In addition, some Wi-Fi devices accept replayed message 4's of the 4-way handshake. They cited more than 100 devices (routers, APs, wireless cameras, wireless network extenders, home automation switches, NAS devices and smart power plugs) that use the MediaTek MT7620 chip, such as the Asus RT-AC51U router as being vulnerable. An attacker can abuse this to trivially trigger key re-installations against the router, without having to be a man-in-the-middle. This makes it possible to decrypt, replay, and possibly forge frames. MediaTek has promised a fix sometime in the future.
Looking forward, they note that WPA3 does not prevent key re-installation attacks because it still uses the 4-way handshake (in combination with the new Dragonfly handshake). Any particular implementation of the 4-way handshake may be vulnerable to KRACK.
Bugs in Linksys E Series routers
Vulnerability Spotlight: Linksys E Series Multiple OS Command Injection Vulnerabilities
by Cisco Talos October 16, 2018
Three vulnerabilities are confirmed in multiple Linksys E Series wireless routers with various firmware versions. Exploiting these vulnerabilities requires the attacker to have already authenticated with the device. Still, they do allow a bad guy to obtain full control over a router, which would then allow for the installation of malicious code. Which models? The only ones mentioned are the E1200 and the E2500 both of which have patches available. The vulnerability state of other E Series routers is not clear (to me at least).
Another huge security flaw for Cisco
libssh Authentication Bypass Vulnerability Affecting Cisco Products: October 2018
by Cisco October 19, 2018
Quoting "A vulnerability in libssh could allow an unauthenticated, remote attacker to bypass authentication on a targeted system. An attacker could exploit this vulnerability by presenting a SSH2_MSG_USERAUTH_SUCCESS message to a targeted system. A successful exploit could allow the attacker to bypass authentication and gain unauthorized access to a targeted system." Cisco is currently investigating which products are vulnerable.
D-Link shows how much they care about security
Last year, D-Link flubbed a router bug-fix, so it's back with total pwnage
by Richard Chirgwin of The Register October 17, 2018
First sentence: "Eight D-Link router variants are vulnerable to complete pwnage via a combination of security screwups, and only two are going to get patched." Just this one sentence is enough to make a thinking person avoid D-Link routers. D-Link was notified of these bugs in May 2018 and has, to date, done nothing. Eight devices are known vulnerable. Six of them will not get fixes because D-Link deems them too old to bother with. They are: DWR-140, DWR-512, DWR-640, DWR-712, DWR-912 and DWR-921. D-Link has said they will fix the DWR-116 and DWR-111 but after all this time, they have not done so. The bugs, found by Błażej Adamczyk include storing passwords in plaintext, yet another indicator of how much D-Link cares about security. One person does not have access to an entire product line, so it is likely that other D-Link routers which the researcher could not test are also vulnerable.
Still more MikroTik bugs
Tenable Research Advisory: Multiple Vulnerabilities Discovered in MikroTik's RouterOS
by Jacob Baines of Tenable October 7, 2018
Frankly, I can't keep up with the bugs in MikroTik devices. Suffice it to say, that owning a MikroTik device dooms you to a life of constant patching. The four bugs that Baines found are: an authenticated remote code execution (CVE-2018-1156), a file upload memory exhaustion (CVE-2018-1157), a www memory corruption (CVE-2018-1159) and a recursive parsing stack exhaustion (CVE-2018-1158). The first one is the most critical as it allows for full system access. The bugs exist in RouterOS 6.42.3, released in May 2018. The bugs are patched in RouterOS version 6.40.9 (released Aug 20, 2018), version 6.42.7 (released Aug 17, 2018) and version 6.43 (released Sept. 6, 2018). And, there is more too.
Baines presented his research Oct 7, 2018 at the DerbyCon conference in Kentucky. He disclosed that RouterOS has a somewhat hidden developer backdoor account and he was not the first person to discover it. Moreso, he expanded the exploitation of a previously disclosed path traversal vulnerability, CVE-2018-14847. His new approach let him extract the admin password and create an "option" package to enable the developer backdoor. Thus, a bad guy can connect to Telnet or SSH using the root user "devel" (the back door account) with the admin password. Mikrotik patched the path traversal bug in April 2018. However, it was not previously disclosed that the bug could be leveraged to write files. He created an exploit for Winbox, a Windows GUI application for MikroTik’s RouterOS software. MikroTik created their own encryption and their own protocol for talking to their RouterOS system. Baines and others have figured out the protocol. A recent scan by Tenable Research showed that only 30 percent of vulnerable devices have been patched.
Multiple bugs in TP-Link Wi-Fi Extenders
From Bad to Worse: Firmware Vulnerability Detection with the Centrifuge Platform
by Craig Heffner of Refirm Labs August 13, 2018
This story starts with a command injection vulnerability published for the TP-Link WL-WA850RE Wi-Fi Range Extender. The bug grants a remote attacker complete access to the device, but it requires administrative credentials. Using software from his company, the Centrifuge Platform, Heffner found a more serious bug that allows a remote attacker to completely control the device even without prior knowledge of the administrative credentials. The vulnerability affects multiple TP-Link products, including devices connected to the Internet and therefore susceptible to remote attack. At first, Heffner found tons of calls to strcpy with stack addresses as the destination. Then he put the httpd binary into a disassembler. In the previously known bug, the wps_setup_pin value can be used to exploit both a stack-based buffer overflow and command injection. But, the vulnerable code sits behind an authentication check. So, he looked for HTTP requests that do not require authentication. He got a list of 24 function handlers that do not require authentication. The most interesting one was: /fs/data/config.bin which generates the backup configuration file. Yes, an un-authenticated user can dump a file with the admin password. The config file is compressed and DES encrypted. But, TP-Link has been re-using the same encryption key for years. After decrypting the config file, Heffner found the admin password was stored as an MD5 hash which can be directly fed into the web interface of the router. Attackers do not need to know the plain text password. Heffner wrote: "Thanks to vendor code reuse, bugs like these are rarely isolated to a single product (or even to a single OEM!)." So, he went looking for other TP-Link products that might be affected, again using software from his company that scans firmware for known vulnerabilities. Other vulnerable range extenders are the: RE305, RE450, TL-WA830RE, TL-WA850RE and the TL-WA855RE. Heffner found many of these were directly accessible from the Internet. He developed a proof of concept exploit script that grabs the configuration file, decrypts it, decompresses it, authenticates to the target device, and exploits the command injection bug to start a telnet server on port 8080. It appears that little, if any, work has been done by either researchers or TP-LInk into whether other devices are affected by these bugs. TP-Link was told of all this but there are, as of now, no patches. It is not clear if they responded to Heffner at all.
New IKE VPN flaw affects Cisco, Huawei and others. Patches available.
Cisco Patches Its Operating Systems Against New IKE Crypto Attack
by Catalin Cimpanu of Bleeping Computer August 13, 2018
Any Cisco IOS or IOS XE device that is configured with the "authentication rsa-encr" option is vulnerable to a newly discovered attack on IKE. The Cisco IOS XR operating system is not affected. The bug stems from the fact that the software responds incorrectly to decryption failures. The bug lets bad guys attack the first Phase of IKE and, if successful, attackers are able to impersonate another IPsec endpoint or be an active man-in-the middle. It is not possible to recover data from an already established IPsec session. The attack also works against the IKEv1 implementations of Huawei, Clavister and ZyXEL. All companies were previously informed and issued patches.
Huge bug in Juniper's Junos OS
Security Bulletin: Junos OS: A privilege escalation vulnerability exists where authenticated users with shell access can become root (CVE-2018-0024)
by Juniper July 11, 2018
This is a doozy. An authenticated unprivileged attacker can gain full control of the system thanks to an Improper Privilege Management vulnerability in a shell session. The flaw is in multiple versions of the OS: 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1X49. Affected platforms: EX Series, QFX3500, QFX3600, QFX5100, SRX Series. This issue was found during internal product security testing or research. Fixes have been released. This was but one of a large number of bug fixes just released by Juniper. See their Security Advisories page for the rest.
After 2 years, 3 bugs in ADB hardware finally fixed
Year-Old Critical Vulnerabilities Patched in ISP Broadband Gear
by Tom Spring of Threatpost July 5, 2018
In June of 2016, SEC Consult Vulnerability Lab identified three critical bugs in Switzerland-based ADB routers and gateways. Here we are, two years later and the bugs are finally being publicly disclosed and fixed. ADB manufactures hardware for over two dozen communications firms, including Cox Communication and Charter Communications in the US. Bug 1 is a local root jailbreak that can be exploited thanks to a network file sharing flaw. It lets an attacker get full access to the device with highest privileges. Oopsie. Bug 2 lets an attacker access device settings otherwise forbidden to the user. Manipulated settings, might, for example, turn on the Telnet server even if the ISP had disabled it. Bug 2 requires the bad guy to have a user account, but the default account from the ISP or printed on the device, would suffice. Bug 3 is a privilege escalation flaw via Linux group manipulation. It can grant an attacker access to the command line interface, even if it was previously disabled by the ISP. Every CLI is not the same, but the CLI might offer access to all the configuration settings. All the bugs now have patches available, for those that know to look for them. Neither Cox nor Charter returned Threatpost inquiries on if or how many of their customers may have been impacted by the vulnerabilities. Of course not, the fewer customers that know about this the better.
Netgear fixes many bugs
Netgear Security Advisories
by Netgear June 22, 2018
As before, another case of the glass being half empty or half full. Netgear has fixed many bugs in their routers. At some point, however, you have to wonder if their routers are like Flash, a never ending source of bugs. Still, they do seem to make an honest effort to fix things, they are very public about the bugs, and they have a security newsletter announcing their bug fixes, so give them credit for that. The patches are:
6/22/2018 Security Advisory for Denial of Service on Some Routers, PSV-2017-3168
6/22/2018 Security Advisory for Denial of Service on Some Routers, PSV-2017-3169
6/22/2018 Security Advisory for Sensitive Information Disclosure on GS810EMX, PSV-2018-0220
6/22/2018 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2017-3166
6/22/2018 Security Advisory for Post-Authentication Stack Overflow on Some Gateways and Routers, PSV-2017-3160
6/22/2018 Security Advisory for Post-Authentication Command Injection on Some Gateways and Routers, PSV-2017-3159
6/22/2018 Security Advisory for Post-Authentication Stack Overflow on Some Gateways and Routers, PSV-2017-3158
6/22/2018 Security Advisory for Post-Authentication Stack Overflow on Some Gateways and Routers, PSV-2017-3157
6/22/2018 Security Advisory for Post-Authentication Stack Overflow on Some Gateways and Routers, PSV-2017-3156
6/22/2018 Security Advisory for Post-Authentication Stack Overflow on Some Gateways and Routers, PSV-2017-3155
6/22/2018 Security Advisory for Post-Authentication Buffer Overflow on Some Gateways and Routers, PSV-2017-3154
6/22/2018 Security Advisory for Post-Authentication Command Injection on Some Gateways and Routers, PSV-2017-3152
6/22/2018 Security Advisory for Pre-Authentication Buffer Overflow on Some Gateways, Routers, and Extenders, PSV-2017-3136
6/22/2018 Security Advisory for Post-Authentication Command Injection on Some Gateways and Routers, PSV-2017-3133
6/22/2018 Security Advisory for Stored Cross-Site Scripting on Some Gateways and Routers, PSV-2017-3101
6/21/2018 Security Advisory for Post-Authentication Buffer Overflow on Some Gateways, Routers, and Extenders, PSV-2017-2460
6/21/2018 Security Advisory for Post-Authentication Command Injection on Some Gateways and Routers, PSV-2017-2248
6/21/2018 Security Advisory for Security Misconfiguration on Some Gateways and Routers, PSV-2017-0429
6/14/2018 Security Advisory for Pre-Authentication Command Injection on Some Gateways, Routers, and Extenders, PSV-2016-0074
Cisco has some serious explaining to do
Cisco Removes Backdoor Account, Fourth in the Last Four Months
by Catalin Cimpanu of Bleeping Computer June 8, 2018
For the fourth time in as many months, Cisco has removed hardcoded credentials that were left inside one of its products. This hardcoded password was found in their Wide Area Application Services (WAAS). WAAS is WAN traffic management. software that runs on Cisco hardware. Calling it a password is a bit off, there was a hardcoded, read-only SNMP community string in the configuration file of the SNMP daemon. Anyone knowing the string can retrieve stats and system info from affected devices. Again, anyone can abuse this, all you needed to know is the character string. It provides stats and system information via SNMP. This was a very well hidden secret, which has to make anyone wonder how it came to be. The existence of the secret SNMP community string was hidden from device owners. It was even hidden from people with an admin account on the device. Go figure. It was discovered by Aaron Blair from RIoT Solutions as he was researching a different bug. The second bug elevated a normal admin account to root access and once a root user, he could see the secret SNMP string. The hidden string was just removed.
More Cisco bugs
Cisco Patches Critical Flaws in IOS XE and Prime Collaboration Provisioning
by Lucian Constantin June 8, 2018
These are bad. IOS XE is the Cisco operating system for networking devices such as routers. It has a critical flaw in its authentication, authorization and accounting (AAA) security services. The bug is due to incorrectly parsing usernames during the authentication process. It can be exploited by unauthenticated, remote attackers to execute arbitrary code on the affected devices. Yikes. They also fixed a critical vulnerability in PCP (Prime Collaboration Provisioning). An open TCP/IP port in the Network Interface and Configuration Engine (NICE) service, gave attackers access to the Java Remote Method Invocation (RMI) system. This, in turn, let bad guys perform malicious actions. In addition to these critical bugs, Cisco fixed five other high-risk flaws in PCP this week. And, they fixed high-risk bugs in their Web Security Appliance; Identity Services Engine; Network Services Orchestrator; IP Phone 6800, 7800 and 8800 Series; Cisco Meeting Server and Adaptive Security Appliance. Bugs bugs bugs.
Critical bug in Cisco ACS has been fixed
Cisco fixes critical bug that exposed networks to hackers
by Zack Whittaker for ZDNet June 7, 2018
Technically, not a router bug, but from Cisco and network related. A critical bug in the Cisco Secure Access Control System (ACS), which system administrators use to authenticate users across a network, could have allowed hackers to remotely break into corporate networks. The bug was reported to Cisco by Positive Technologies. An attacker exploiting the bug could gain near-unfettered access to a network, including control of routers and firewalls. This, in turn, could allow interception and modification of network traffic and grant access to closed-off sensitive areas of a network. The bug was fixed in May 2018. ACS reached end-of-life in 2017.
VPNFilter - a very big deal
VPNFilter router malware - just the bad stuff
by me June 4, 2018 (last updated June 8th)
VPNFilter is both malware and a botnet. It infects routers from Linksys, MikroTik, Netgear, TP-Link, ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. It also was found on NAS devices from QNAP. For the most part we do not know the bugs in each router that the malware exploited. However, everything that has come out in the first two weeks after the initial announcement, points to the bad guys exploiting known bugs. No zero day flaws were needed. Most of my coverage is on the News page.
Comcast leaks customer Wi-Fi passwords and network names
Comcast website bug leaks Xfinity customer data
by Zack Whittaker for ZDNet May 21, 2018
Technically, this is not a router bug, but it's close enough. The Comcast website (register.be.xfinity.com/activate), which was/is used by customers to set up their home services, could be hacked to display a customers home address, Wi-Fi network name (SSID) and Wi-Fi password. And, not just display, an attacker could also change the SSID and/or Wi-Fi password. But, the issue was only for customers using equipment from Comcast. Those with their own routers were safe. An attacker only needed to provide the customer account number and their house or apartment number. If you lived at 123 Main Street, all the attacker needed to know was 123. Comcast claimed they fixed the problem, but we have no idea how long this vulnerability existed. For more on why not to use a router from any ISP see the ISP routers page.
Bug in old D-Link DSL gateways was never fixed, now being abused
Widely used D-Link modem/router under mass attack by potent IoT botnet
by Dan Goodin of Ars Technica June 20, 2018
Bad guys are exploiting a bug in very old D-Link DSL-2750B DSL gateways in an attempt to make them part of the Satori botnet. The bug has been known for roughly 2 years but the devices have been abandoned by D-Link and the ISPs that gave them out. If you have such a device, it needs to be replaced. This is yet another reason to not use any hardware from your ISP, when possible. The bug allows remote command execution without any authorization needed. The vulnerability can be exploited using the "cli" parameter that directly invokes the "ayecli" binary. It is also possible to retrieve the admin password, wifi password, etc. Also covered in the Router News page.
D-Link caught with poor security, yet again
Backdoors in D-Link's backyard
by Denis Makrushin of Kaspersky SecureList May 23, 2018
Round up the usual suspects. Yet another D-Link router is vulnerable to hacking. Kaspersky researched the DIR-620 router because it is a common router given out by ISPs. Most importantly here is that "The firmware runs on various D-Link routers" so anyone with a D-Link router should consider replacing it. Especially, old D-Link routers, as the company has refused to fix these problems because they deem the router too old to bother with. Kaspersky notes that it is not possible to count the number of vulnerable routers because "most home routers are located behind their ISP’s NAT." Kaspersky found two bugs and two hard coded backdoor accounts, one for Telnet, the other for access to the web admin interface of the router. Interestingly, the backdoor credentials contain the name of the ISP in the login string, so it is impossible to know if the ISP or D-Link is to blame. Owners of the routers can not do anything about the hard coded account for the web interface. They can't see it or delete it. Kaspersky did not discuss local admin access vs. remote access. One of the bugs lets attacker recover Telnet credentials. Another flaw lets attackers execute OS commands via parameters of an admin page's URL. The last is a reflected cross-site scripting bug in the "Quick Search" field of the router's web interface. Most of the routers were deployed by Russian, CIS, and Eastern European ISPs to their customers. The vast majority of these devices are located in Russia.
Talk Talk routers vulnerable to WPS pin code attack - 7 years after it became public
ISP TalkTalk's Wi-Fi passwords Walk Walk thanks to Awks Awks router security hole
by Shaun Nichols of The Register May 22, 2018
Talk Talk is a British ISP and telco. Their "Super Routers" have been confirmed vulnerable to the classic WPS pin code attack, first seen back in 2011. You can't make this stuff up. The flaw was discovered by a company called IndigoFuzz using a Windows program called Dumpper that is available on Sourceforge. You have to be within Wi-Fi range to attack a vulnerable router. Some routers can disable WPS, but neither article mentioned if the Talk Talk routers can do so. Also, neither article mentioned that a router that has been hacked via WPS will remain available to the attacker even if the Wi-Fi password is later changed and even if the Wi-Fi password is very long. WPS is a back door. Note that the WPS pin code attack has nothing to do with the WPS pairing button. WPS supports multiple modes of operation.
Bug in DrayTek routers is being both exploited and fixed
High-end router flinger DrayTek admits to zero day in bunch of Vigor kit
by Kat Hall of The Register May 21, 2018
Quoting: "DrayTek routers are considered high end in the UK - retailing at around 200 pounds, more than twice the price of garden-variety alternatives - and are mostly used by businesses." It seems that buyers are getting their moneys worth. Yes, the routers have a bug, but the report of the flaw came from DrayTek themselves, which is quite rare. They also released an advisory about the problem that was unusually frank and helpful. Many of the known buggy routers have new firmware that fixes the problem, others will shortly have new firmware. The company also lists devices that are not buggy at all. Firmware updates have to be manually done, the routers do not self-update. For obvious reasons, they have not released any technical details of the flaw. Bad guys have been using the flaw to change the DNS servers in the routers, an old tried and true attack. On the home page of this site (in the ongoing defense section) I recommend being aware of your DNS servers. The resources page lists many websites that report on currently used DNS servers. No articles about this mentioned that these sites exist.
Glass half full or half empty for Cisco devices?
Hardcoded Password Found in Cisco Enterprise Software, Again
by Catalin Cimpanu of Bleeping Computer May 17, 2018
Cisco just released 16 security advisories that warned about 13 boring bugs and 3 critical ones. The worst (CVE-2018-0222) is a hard coded backdoor account or, to use words from a PR firm - "undocumented, static user credentials for the default administrative account." The hard coded password gives those in the know root access. The other two critical flaws are both bypasses of the authentication system for Cisco Digital Network Architecture (DNA) Center software. The flaws were uncovered by an internal audit. Back in 2015, after a backdoor account that could decrypt VPN traffic was found in Juniper software, Cisco decided to audit their code. And ... "The company discovered many backdoors and hardcoded accounts in the past two years as part of internal audits..."
Sierra Wireless routers were totally completely hackable
Sierra Wireless Patches Critical Vulns in Range of Wireless Routers
by Tara Seals of Threatpost May 8, 2018
Sierra Wireless just patched two critical vulnerabilities for its wireless gateways that would leave the enterprise devices helpless to an array of remote threats. The most critical flaw allowed a remote attacker with no authentication whatsoever to execute arbitrary code on the routers and gain full control of a vulnerable device. Sierra Wireless has a footprint of more than 3 million AirLink devices. Vulnerabilities affect AirLink Gateways LS300, GX400, GX/ES440, GX/ES450, RV50, RV50X, MP70, MP70E. The article does not say how the company learned of the flaws. Technical details are not available because Sierra Wireless Tech Bulletins are only for their customers, not the general public.
ISP in Brazil ships routers without a password
5,000 Routers With No Telnet Password. Nothing to See Here! Move Along!
by Catalin Cimpanu of Bleeping Computer May 10, 2018
Oi Internet, an ISP in Brazil has shipped their customers Datacom routers (models DM991CR, DM706CR, and DM991CS) with Telnet enabled and no Telnet password. The report comes from Ankit Anubhav, Principal Researcher at NewSky Security. He has detected 5,000 of the vulnerable routers. Worse than a house with the front door unlocked, these routers are a house without a front door at all. This illustrates why I consider a router from an ISP to be the least secure option. You are safer with an off-the-shelf consumer router, but better still, with a business class router.
Dasan GPON optical routers are buggy and tough luck
Critical RCE Vulnerability Found in Over a Million GPON Home Routers
by Sarit Newman of vpnMentor No date
This strikes me as a scam. I suspect its a test of how gullible those covering technology are. For one thing, there is no date on the article. Then too, vpnMentor is not a security company. The author's qualification is that "she loves being organized." Bugs are found by people, the article only refers to "we". There are no links to the CVEs. I searched for each one and found that the two CVE numbers have been assigned to someone who has published nothing and not even identified themselves. Also GPON is a technology not a brand, as far as I can tell. That is, its Wi-Fi, not Linksys. The article did not mention one specific brand of router. All it said was "the routers are provided by ISPs" and it did not even mention one ISP by name. As to the details, vpnMentor claims that CVE-2018-10561 is a bug that lets attackers bypass authentication on the routers. They do not say if the authentication bypass lets only local attackers into the routers or also remote attackers. They also claim that CVE-2018-10562 is a command injection flaw that let them execute commands on the un-identified routers.
Update May 4, 2018: There is now some text describing the two CVE bug reports and it identifies the router manufacturer, Dasan of South Korea. And, it seems these bugs are now being exploited.
Update May 10, 2018: At least 5 botnets are competing to hack these Dasan routers. See the Router News page for more. Also, the routers are old and will not be patched. And, VPNmentor has released their own most un-official patch.
Update May 21, 2018: These same routers appear to have another zero day flaw that bad guys are exploiting. See GPON Routers Attacked With New Zero-Day by Catalin Cimpanu for Bleeping Computer.
How to hack MikroTik routers
by Dayton Pidhirney of Seekintoo April 28, 2018
Most of this article is over my head, but it is clearly a detailed technical guide to hacking MikroTik routers. They appear to be quite hackable. The author is not impressed with the company's coding prowess. Quoting: "... a span of approximately four years elapsed since the vulnerability was introduced until the time it was fixed. Four years should be enough for multiple competent code reviews to catch a blatant integer overflow in a critical function like reading user POST data. The fact this small issue was not discovered and fixed for so long, leads myself and I'm sure others to believe MK doesn't do code reviews or does not complete them often. If you are reading this MK, maybe stop custom writing and maintaining your: Webserver, Samba Server, RADIUS server, SSH server, TELNET server, FTP server, etc. Clearly you can't."
TP-Link does not fix old buggy router
TPLink TLWR740n Router Remote Code
by Tim Carrington of Fidus Information Security April 26, 2018
In October 2017, Fidus reported on TP-Link having a pattern of bad coding that can result in the WR940N router being hacked. TP-Link fixes the WR940N router. Fidus wonders how come no one else had found the flaws as they were easy to find. Worse, TP-Link only fixes the WR940N. Later, Fidus finds the exact same bugging pattern of code in the TLWR740n router. They report the problem to TP-Link on Jan. 25, 2018. On March 29th, TP-Link sent Fidus beta firmware that fixed the problem. But, TP-Link never released the patched firmware. We have seen this pattern before with consumer routers - vendors only fix what the public knows about. The bigger issue here involves other TP-LInk routers. Which of them also have the same buggy code and thus are also vulnerable to the same attack? This is a great reason not to trust TP-Link.
Hard coded root account in ZTE routers
Hyperoptic router at risk of being hacked
by Andrew Laughlin of Which? April 25, 2018
In October 2017, security firm Context Information Security found a flaw in ZTE routers used by British broadband ISP Hyperoptic. The ISP is fully fibre and specializes in super fast Internet. It is estimated that Hyperoptic has about 100,000 customers, mostly businesses. As of April 24, 2018 the flaw has been fixed and rolled out to all Hyperoptic customers. Dan Cater, Lead Security Consultant at Context, found the flaw, a combination of a hardcoded root account and a DNS rebinding vulnerability. As a result, simply clicking on a malicious link allowed bad guys to login to the ZTE routers will full, total control. The buggy devices are the H298N and H298A "HyperHub" routers. The fix includes new individual root passwords for every router. Just last week, the British National Cyber Security Centre (NCSC) warned UK telecoms and broadband operators not to use ZTE equipment for security reasons. None of the articles has any details on the flaw, but I suspect that changing the LAN side IP address of the router is a defense against this. So too changing the LAN side subnet and the port number used for Local Administration of the router.
UPnProxy- the UPnP abuse will never die - no progress in 5 years
UPnProxy: Blackhat Proxies via NAT Injections
by Akamai Early April
UPnP is the router mis-configuration that will not go away. Back in January 2013 it was discovered that millions of routers were exposing UPnP on their WAN side (the Internet) by mistake. This report from Akamai found that 4.8 million routers are still doing so. They also found that bad guys are using this flaw/mis-configuration to treat routers as proxies as a way of hiding themselves online. My summary of this is on the News page.
A H-U-G-E number of Cisco bugs
March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication
by Cisco Doc ID: ERP-66682 March 28, 2018
Cisco has released patches for 34 bugs, mostly to IOS and IOS XE. The bugs include three critical remote code execution flaws. To put this in perspective, Peplink has never released fixes for 34 bugs at once. They don't have that many bugs. One reason there were so many patches is that Cisco only releases bug fixes twice a year (March and September). This is a miserable way to maintain software. One critical flaw in IOS XE is an undocumented user account with a default username and password. An attacker could use this account to remotely connect to a vulnerable device. Just disgraceful. Another flaw is a remote code execution bug in the QoS subsystem of IOS and IOS XE. The problem is due to incorrect bounds checking of certain parameters sent to UDP port 18999. The bug that got press attention is in Smart Install. This should have been called Lazy Install. It is software for deploying new IOS and IOS XE switches and routers to a remote site while configure everything from headquarters. Smart Install was meant to make life easy for system administrators. As such, the Smart Install protocol does not require authentication. In Feb. 2017 Cisco warned about how insecure the Smart install Protocol was and suggested using their newer Network Plug and Play feature instead. Devices running the Smart Install client have TCP port 4786 open by default. Adding to the poor design is a bug - a stack-based buffer overflow enables an attacker to remotely execute arbitrary code without authentication. This is as bad as bad gets. Remote unauthenticated attackers can get full control of vulnerable devices. In all the time I have been following Peplink, they have never had one bug as severe as this. Since Smart Install was intended for internal use, at first, it was though this bug could only be exploited internally. But no. Embedi, the company that found the flaw, found 8.5 million devices that have the vulnerable port open on the Internet. Of those, only 250,000 were vulnerable to the flaw. The timeline here is shameful. Embedi discovered the flaw in May 2017. In September 2017 Cisco said they were still working on a fix and now, at the end of March 2018, it is finally released. These bugs were exploited a few days after the fixes were released. See the Routers in the news page for details.
New VPN client router Vilfo has poor security
Vilfo VPN router review
by Daniel Aleksandersen for his CTRL blog March 20, 2018. (NOTE: vendor response is below)
Vilfo is a 5-person company about to launch a new VPN client router. Both the router and the company are offshoots of the Swedish VPN service provider OVPN. The hardware is high end and the software is based on OpenWRT/LEDE. A review by Daniel Aleksandersen found many security flaws in the design and operation. The problems start immediately with the initial setup. Quoting: "... the initial setup process in Vilfo's web administration interface happens over HTTP on an unencrypted WiFi connection that is literally broadcast in the clear to your neighborhood. You are required to input a lot of information in the web administration interface before you get the option to enable encryption on the connection. At the very least, you must provide the following: a unique license key for Vilfo, your email address, your username and password for at least one predefined VPN service provider, your desired username and administrative (root) password for the router, and at the end you also input your desired WiFi name and password. All of this information is transmitted in clear-text and can trivially be collected by nearby devices." Other security flaws:
Unauthenticated remote exploitation of MikroTik routers
MikroTik RouterOS SMB Buffer Overflow
by Core Security March 15, 2018
MikroTik is a Latvian company that provides hardware and software for Internet connectivity in most of the countries around the world. RouterOS is their operating system based on the Linux v3.3.5 kernel. A buffer overflow was found in the RouterOS SMB service (Samba) when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and thus execute code on the system. The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it. The flaw is CVE-2018-7445 and it was discovered by Juan Caillava and Maximiliano Vidal from Core Security Consulting Services. Version 6.41.3 of RouterOS contains a fix.
Seems like the UPnP bugs will never die
Inception Framework: Alive and Well, and Hiding Behind Proxies
by Symantec March 14, 2018
First some background on the bad guys: "The cyber espionage group known as the Inception Framework has significantly developed its operations over the past three years, rolling out stealthy new tools and cleverly leveraging the cloud and the Internet of Things (IoT) in order to make its activities harder to detect ... The nature of Inception’s targets ... along with the capabilities of its tools, indicate that espionage is the primary motive of this group ... Blue Coat was able to determine that the attackers were communicating with CloudMe.com through a hacked network of compromised routers, the majority of which were located in South Korea..." Then how they hide behind a chain of hacked routers: "Inception is continuing to use chains of infected routers to act as proxies and mask communications between the attackers and the cloud service providers they use. Certain router manufacturers have UPnP listening on WAN as a default configuration ... These routers are hijacked by Inception and configured to forward traffic from one port to another host on the internet. Abuse of this service requires no custom malware to be injected on the routers and can be used at scale very easily. Inception strings chains of these routers together to create multiple proxies to hide behind." This is the router bug that will not die. UPnP was never meant to be exposed to the Internet. Yet, back in January 2013, HD Moore, working for Rapid 7, found millions of routers doing just that. According to Symantec, Akamai reports 765,000 devices are currently vulnerable to this attack.
Cisco not immune to security problems
Hardcoded Password Found in Cisco Software
by Catalin Cimpanu of Bleeping Computer March 8, 2018
As much as I advise against using consumer routers, high end devices from Cisco are also not immune to security problems. They just released 22 security advisories, including one that forced them to admit there was a hard coded password in their Prime Collaboration Provisioning software application. I don't know what that software does, but hard coding a password is a huge mistake and inexcusable (unless the US Government forced them to do this). Their other critical security flaw affected the Cisco Secure Access Control System, which was not as secure as it should have been. A Java deserialization issue allowed an unauthenticated, remote attacker to execute arbitrary commands with root privileges. Put another way, that's as bad as bad gets.
Dasan refuses to fix its buggy router
botnet is exploiting a critical router bug that may never be fixed
by Dan Goodin of Ars Technica Feb. 14, 2018
In October 2017 an independent researcher finds a bug in the Dasan Networks GPON ONT WiFi Router H640X . Specifically, the login_action function uses strcpy without checking the length of input from the client request. This creates a buffer overflow that can lead to remote code execution. It is not clear if the bug also exists in other Dasan devices. The researcher enlists SecuriTeam to contact Dasan. That does not go well, Dasan bascially ignores them. SecuriTeam publishes the details of the flaw in early December 2017. In early February 2018, Radware detects a new botnet where almost all the devices are from Dasant. They call it the Satori.Dasan botnet. Shodan reports about 40,000 devices listening on port 8080, with over half located in Vietnam. Satori infections don't survive a device reboot, so that's one defensive measure. If your router can set firewall rules, block 18.104.22.168 which is the C and C server for the botnet.
Netgear has fixed multiple bugs including a doozy
Wish you could log into someone's Netgear box without a password? Summon a &genie=1
by Iain Thomson for The Register February 9, 2018
Good news: Netgear fixed a lots of bugs affecting many of their routers. Bad news: lots of bugs, patching is a manual process that few router owners do and the flaws were found by Trustwave, not by Netgear.
-- The worst bug is vulnerable on the LAN side only, assuming Remote Administration is disabled. Anyone that can access the web-based configuration interface, can gain control of vulnerable routers without a password by simply adding "&genie=1" to the URL. The Security Checklist page has suggested ways to lock down LAN side access to a router (item 3). The flaw was discovered in March 2017 and the patch released in September 2017. 17 router models are affected.
-- Another flaw, in the genie_restoring.cgi script can be abused to extract files and passwords both from the router and from USB flash drived plugged into the router. 17 routers vulnerable here too. The flaw was discovered in March 2017 and the patch issued in August 2017.
-- A bug with WPS, leaves 6 Netgear routers vulnerable to arbitrary code execution as root for two minutes after the WPS button is pressed. This is due to a failure to sanitize hostnames. Simply put, if an attacker can press the WPS button on the router, the router can be completely compromised. This flaw was found in March 2017 and the patch was released in Oct. 2017.
-- The least serious flaw affects 6 routers. After logging in, root level command execution is possible via the device_name parameter on the lan.cgi page. Trustwave also found a three-stage attack leveraging three separate issues that lets any user connected to the router run OS commands as root on the device without providing any credentials.
-- See the October 2017 and November 2017 descriptions below of the bugs that Netgear fixed. Fixing bugs in a somewhat timely manner is good, but at some point you have to lose trust in their code base. And timely is a matter of opinion, these bugs took roughly 6 months to get fixed. Finally, the Netgear bug descriptions (here and here for example) say nothing at all about the nature of the problem. That does not inspire confidence.
Further proof that routers contain old software with known vulnerabilities
Comprehensive Firmware Binary Scan Finds KRACK is "Tip of Iceberg" For Known Wi-Fi Security Vulnerabilities
Press Release from Insignary February 6, 2018
In January 2016, the Wall Street Journal reported on home routers with old software containing known bugs - Rarely Patched Software Bugs in Home Routers Cripple Security. This report, from Insignary, shows that nothing has changed. Insignary does binary-level software composition analysis. In other words, they scan executable code (called firmware when dealing with routers) looking for signatures of open source software, and from those signatures, determine the version/release of the software in the executable code. In November 2017 they scanned the firmware of 32 Wi-Fi routers and found numerous known security vulnerabilities. No zero days here. The routers were from ASUS, Belkin, Buffalo, Cisco, D-Link, EFM, Huawei, Linksys, Netis and TP-Link. Every router had a security vulnerability. A majority of the examined firmware contained components with more than 10 "Severity High" security vulnerabilities. Half of the firmware had "Severity Critical" vulnerabilities. This report is, of course, a plug for their detection software, but that doesn't change the results.
Critical Cisco VPN bug is worse than originally thought, then patched badly
Cisco drops a mega-vulnerability alert for VPN devices
by Sean Gallagher of Ars Technica January 30, 2018
Cedric Halbronn of the NCC Group discovered a critical bug in Cisco network security devices and VPN software. Devices configured with WebVPN clientless VPN software are vulnerable to an attack that could bypass normal security and allow an attacker to gain full control of vulnerable devices. That's bad. WebVPN allows someone to connect to a corporate intranet using just a secure web browser session. It requires no VPN client software or certificate. The attack on the VPN server is done with specially formatted XML messages that "double-free" memory. Executing the command to free a specific memory address more than once can cause memory leakage that allows the attacker to write commands or other data into memory. This can cause the system to execute commands or it could crash the system. Vulnerable devices run the Cisco ASA software with WebVPN enabled. Cisco has issued a patch, but to get it, customers without current maintenance contracts have to contact Cisco's Technical Assistance Center and ask nicely. A few days after news of this bug became public, Cisco said it was worse than initially thought. On their own, they identified additional attack vectors and features that are affected by the bug. Worse still, Cisco found that the original fix was incomplete and they issued a patched patch.
Asus router flaw has been fixed
FortiGuard Labs Discovers Vulnerability in Asus Router
by David Maciejak of Fortinet's FortiGuard Labs January 30, 2018
Bug fixes have been released for the ASUS RT-N18U, RT-AC66U, RT-AC68U, RT-AC86U, RT-AC87U, RT-AC88U, RT-AC1900, RT-AC2900, RT-AC3100, RT-AC3200 and RT-AC5300. The flaw seems fairly minor. An attacker can forge an HTTP request that injects operating system commands that get executed as root. The flaw is due to unsanitized parameters passed to the apply.cgi script. It is mostly a LAN side attack, unless remote administration is enabled via HTTP. Asus fixed this quickly. It was reported to them Dec 23, 2017 and 4 days later they gave FortiGuard a patch to verify. The fix started rolling out Jan. 2, 2018.
Two Asus router flaws have been fixed
Advisory - Asus Unauthenticated LAN Remote Command Execution
by SecuriTeam a division of Beyond Security January 22, 2018
Two vulnerabilities in AsusWRT (the firmware on Asus routers) version 22.214.171.124.380.7743 can lead to remote command execution from the LAN side. Independent security researcher, Pedro Ribeiro discovered the flaws. Asus has released patches as of version 126.96.36.199.384_10007. One flaw is that the handle_request() routine allows an unauthenticated user to perform a POST request for certain actions. An attacker can trigger the vulnerabilities and reset the admin password. This, in turn, lets an attacker login to the web interface, enable SSH, reboot the router and login via SSH. Another flaw is in the same code that was reported buggy in 2015, the infosvr service which listens on LAN side UDP port 9999. The buggy routers are the RT-AC88U, RT-AC3100, RT-AC86U, RT-AC68U and RT-AC66U.
Update March 16, 2018: One of these bugs makes routers that are enabled for Remote Administration via HTTP (as opposed to HTTPS) vulnerable to attack. This may explain the multiple reports of DNS hijacking on Asus routers, described above in March 2018.
Flaws in D-Link routers in Israel
Advisory - D-Link DSL-6850U Multiple Vulnerabilities
by SecuriTeam a division of Beyond Security January 1, 2018
An independent security researcher reported two flaws in the D-Link DSL-6850U versions BZ_1.00.01 - BZ_1.00.09. The router is manufactured by D-Link for Bezeq in Israel. Bezeq was informed of the vulnerability on June 9, and released patches to address the vulnerabilities. One flaw was a default account that could not be disabled. The userid and password were both "support". In addition, remote administration was enabled by default and a flaw allowed for Remote Command Execution.
Security flaw in the GoAhead web server
GoAhead ... and pwn us: Remote hijacking flaw in Internet of Things gear
by Shaun Nichols of The Register December 20, 2017
We have seen this movie before. Web server software included in routers and IoT devices is buggy and easily exploited. Bug fixes are available but many/most vulnerable devices will never get updated. The web server software is GoAhead from a company called Embedthis which says "GoAhead is the world's most popular, tiny embedded web server. It is compact, secure and simple to use. GoAhead is deployed in hundreds of millions of ... devices and applications. For example: printers, routers, switches, IP phones, mobile applications, data acquisition, military applications and WIFI gateways." Embedthis publicly documented the flaw (see below) on June 12, 2017. The bug was fixed in version 3.6.5 which has been available since then. Security firm Elttam, which found the flaw, blogged about it and provided technical details on Dec. 18, 2017. Counts of Internet accessible devices running the GoAhead server number over 500,000 but they are not all vulnerable. For one thing, the bug is in CGI and Embedthis claims that many of their customers do not use CGI. They claim to have been discouraging its use for more than 10 years. CGI is slower, bigger and less secure than competing services: in-memory scripting and URL-to-C binding. In addition, vulnerable CGI programs have to be dynamically linkable and quite a few devices use statically linked binaries instead.
A bug in Huawei HG532 router
Huawei Home Routers in Botnet Recruitment
by Check Point Research December 21, 2017
A Zero-Day vulnerability in the Huawei HG532 router was discovered by Check Point Researchers, who also saw thousands of attempts to exploit it in the wild. The malware bad guys are installing on vulnerable routers is called OKIRU/SATORI, a variant of Mirai. They saw attacks running over port 37215 exploiting a bug the Universal Plug and Play (UPnP) protocol, via the TR-064 standard. The real news here is that the same bug was reported in 2013 in the Huawei HG523a and HG533 routers. For more, see the Router News page for March 2019.
Netgear WiFi Family website hacked for two years
Vigilante Removes Malware from Netgear Site After Company Fails to Do So for 2 Years
by Catalin Cimpanu of Bleeping Computer December 15, 2017
A few years ago, Netgear created a website, www.wififamilyblog.com, that had articles on the usage of various Netgear technologies. The site was based on WordPress and not secured correctly. As a result, the site has been compromised since February 2015. Scammers abused the site to send spam that directed people to fully functional fake tech support sites that were hosted on the WiFi Family site. After this got publicity, the website was finally taken offline on December 16, 2017.
Still more Good News, Bad News with Netgear
NETGEAR Security Advisories from Netgear
The good news is that Netgear seems to be on the ball, fixing bugs in their router software.
The bad news is that there are sooooooooooo many bugs.
Last month, I summarized the bug reports, this month, they are listed below.
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2156
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2153
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2152
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2150
11/22/2017 Security Advisory for Authentication Bypass on Routers, PSV-2017-2148
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2147
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2146
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2145
11/22/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2144
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2141
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2139
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2138
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2136
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2135
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2134
11/21/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2016-0096
11/21/2017 Security Advisory for Authentication Bypass on R6300v2, PLW1000v2, and PLW1010v2, PSV-2016-0069
11/21/2017 Security Advisory for Authentication Bypass on Some Routers and Gateways, PSV-2016-0061
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers and Extenders, PSV-2017-2154
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers and Extenders, PSV-2017-2143
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2017-2142
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers and Extenders, PSV-2017-2140
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Some Routers and Extenders, PSV-2017-0706
11/21/2017 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2017-0670
11/21/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2017-0615
11/21/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2017-0335
11/21/2017 Security Advisory for Cross-Site Request Forgery on Some Routers, PSV-2017-0331
11/21/2017 Security Advisory for Authentication Bypass on Some Routers, PSV-2017-0330
11/21/2017 Security Advisory for Pre-Authentication Buffer Overflow on Some Routers, PSV-2017-0324
11/21/2017 Security Advisory for Stored Cross-Site Scripting on Some Routers, PSV-2017-0323
11/21/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2016-0256
11/21/2017 Security Advisory for Security Misconfiguration on Some Extenders, PSV-2016-0253
11/21/2017 Security Advisory for Security Misconfiguration on Some Extenders, PSV-2016-0115
11/21/2017 Security Advisory for Security Misconfiguration on Some Routers and Extenders, PSV-2016-0104
11/21/2017 Security Advisory for Cross-Site Request Forgery on Some Routers, PSV-2016-0101
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Routers, PSV-2017-2133
11/21/2017 Security Advisory for Pre-Authentication Stack Overflow on Some Routers, PSV-2017-2517
11/21/2017 Security Advisory for Arbitrary File Read on Some Routers and Extenders, PSV-2017-0319
11/20/2017 Security Advisory for Security Misconfiguration on Routers, PSV-2017-2124
11/20/2017 Security Advisory for Pre-Authentication Buffer Overflow on Routers, PSV-2017-0791
11/20/2017 Security Advisory for Post-Authentication Command Injection on Routers, PSV-2017-0329
11/20/2017 Security Advisory for Cross Site Request Forgery on Routers and Modem Routers, PSV-2017-0333
11/20/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2017-2756
11/20/2017 Security Advisory for Security Misconfiguration on Some Routers, PSV-2016-0120
11/17/2017 Security Advisory for Post-Authentication Stack Overflow on Some Routers, PSV-2017-2157
11/17/2017 Security Advisory for Post-Authentication Stack Overflow on R8300 and R8500, PSV-2017-2227
11/16/2017 Security Advisory for Post-Authentication Stack Overflow on R8000, PSV-2017-2229
11/16/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2017-2451
11/16/2017 Security Advisory for Security Misconfiguration on Some Routers and Extenders, PSV-2017-2212
11/16/2017 Security Advisory for Pre-Authentication Command Injection on Some Routers and Extenders, PSV-2017-2210
11/16/2017 Security Advisory for Denial of Service on Some Routers, PSV-2017-0648
11/16/2017 Security Advisory for Arbitrary File Read on DST6501 and WNR2000v2, PSV-2017-0425
11/16/2017 Security Advisory for Post-Authentication Command Injection on Routers, PSV-2017-0320
11/15/2017 Security Advisory for Cross Site Request Forgery on Extenders, PSV-2016-0130
11/15/2017 Security Advisory for Arbitrary File Read on Routers and Extenders, PSV-2016-0122
11/15/2017 Security Advisory for Post-Authentication Buffer Overflow on Powerlines and a Router, PSV-2016-0121
11/15/2017 Security Advisory for Stored Cross Site Scripting on Routers, PSV-2016-0100
11/15/2017 Security Advisory for Authentication Bypass on Some Routers and Extenders, PSV-2017-0424
ZyXEL routers being attacked
Early Warning: A New Mirai Variant is Spreading Quickly on Port 23 and 2323
by Li Fengpei of Qihoo 360 Netlab November 24, 2017
A new variant of the Mirai botnet has been detected, mostly in Argentina. It attacks ports 23 and 2323 on ZyXEL devices that have a default userid/password. This, gets the bad guys into the devices, then a second vulnerability (CVE-2016-10401), a hard coded superuser password, gives them root privileges. Game over. On ZyXEL PK5001Z devices, zyad5001 is the superuser password. Almost 100,000 infected devices were detected in Argentina, specifically in the network of Telefonica de Argentina. Obviously, they shipped devices with default passwords. Re-booting an infected device should remove any malware.
TP-Link firmware lags in Europe
TP-Link serves outdated or no firmware at all on 30% of its European websites
by Daniel Aleksandersen on his personal blog November 20, 2017
TP-Link has 60 country-specific websites around the world, 24 in Europe. Aleksandersen bought a TP-Link RE650 repeater and noticed that his Norway TP-Link website was two firmware releases behind the neighboring countries of Denmark and Sweden. So, he looked at how each of the 24 European websites ranked in terms of available firmware releases. He investigated nine TP-Link products sold in Europe, and checked the available firmware in each website, a total of 216 data points. Only 6 countries had the latest firmware versions available for all nine products. Put another way, there are problems on 75% of TP-Links European websites. He found the most recent European firmware was as much as a year out of date compared to the US firmware. And, there does not seem to be a good reason for this. The changelogs for the newer American firmware showed updates that were not region specific in any way.
Adding insult to injury is the firmware update process. None of the TP-Link devices self-update. Worse still, the company does not contact their customers to tell them of newly released bug fixes. There are no emailing lists or syndication feeds. Nuttin.
Aleksandersen wonders why TP-Link even has 24 websites. He says there is no need for country specific firmware for Wi-Fi networking equipment within the EEA-single-market. He found that ASUS, Linksys, Netgear, and others have a single global firmware download; or two-three regional variants at the most, all being offered on the same download page.
Finally, he writes "We're a month in to the KRACK Attack vulnerability disclosure, and TP-Link hasn't yet released updates for any of their products ... Stay well away from TP-Link products if you're any bit conscious about the security of your devices." As I say, avoid all consumer routers.
ISP in Ireland has to replace modems. Good for Ireland. Would never happen in US
Eir forced to replace 20,000 modems over security concerns
by Pater Hamilton of Irish Times November 6, 2017
Last year, Eir contacted about 130,000 of its customers as a result of security concerns that the customers routers were vulnerable to infection by a virus that could ultimately lead to them being hacked. At that time, the company said nearly 2,000 customer routers had been breached. Following an investigation by the Data Protection Commissioner, the company had to replace almost 20,000 modems for customers with basic broadband packages without access to fibre services. Additionally, Eir agreed to ... ensure that modem devices provided appropriate security during their lifetime.
A classic case of Good News, Bad News
NETGEAR Security Advisories from Netgear
On Oct 24, 2017 Netgear issued three security advisories for their routers. On Oct. 25th, they issued 8 more security advisories for routers. On Oct. 27th they issued two more router security advisories. The good news is that they are being informed of these bugs and fixing them. In early 2017 Netgear changed how they deal with bug reports from outside the company. The bad news is that their routers are buggy as heck. Does the good outweigh the bad? Matter of opinion.
Key Reinstallation Attacks
by Mathy Vanhoef of imec-DistriNet, KU Leuven October 16, 2017
WPA2 was considered secure for a dozen years. Then, on October 16, 2017 details of the KRACK flaw were released showing that bad guys could break WPA2 encryption. For the most part the bug is with clients rather than routers. That said, its complicated, there are 10 different KRACK related bugs. Two involve routers. One comes into play when a client switches between access points that are part of the same network. The other involves routers acting as clients. For my favorite router, the Pepwave Surf SOHO, this means its WiFi as WAN feature is vulnerable. Network extenders should also be vulnerable. KRACK has nothing to do with Wi-Fi passwords. Many articles said KRACK lets bad guys steal your passwords, that is fear mongering as almost all passwords are encrypted with TLS/HTTPS. And a VPN or TOR can offer yet another level of encryption. Yet another reason not to use an Apple router, they said nothing about this.
Not news: old D-Link routers are buggy
D-Link DIR-600/300 Router Unauthenticated Remote Command Execution Vulnerability
by Check Point October 19, 2017
A remote code execution vulnerability exists in the D-Link DIR-600 and DIR-300 routers. A remote attacker can exploit this weakness to execute arbitrary code in the affected router. The DIR-600 is an old Wi-Fi N router.
TP-Link fixes bug in their WR940N router
Remote Code Execution (CVE-2017-13772) Walkthrough on a TP-Link Router
by Tim Carrington of Fidus Information Security October 17, 2017
TP-Link has fixed a bug in their WR940N home WiFi router. A Shodan search found 7,200 of these devices connected to the Internet. But, the bug was more a pattern than a single instance. User input from a GET parameter is passed directly to a call to strcpy without any validation. An analysis of the firmware found this pattern of code in many locations. To patch these vulnerabilities, TP-Link needed to replace the majority of the calls to strcpy with safer operations, such as strncpy. To their credit, they did so within a week. The bug was found on hardware version 4 but only fixed on hardware version 5. And, the fix is for US firmware only. The initial report to TP-Link was on Aug 11, 2017 and the patched firmware was made available on Sept. 28, 2017.
Netgear updates pretty much everything
Netgear Fixes 50 Vulnerabilities in Routers, Switches, NAS Devices
by Tom Spring of Kaspersky ThreatPost October 2, 2017
Netgear issued 50 patches for its routers, switches, NAS devices, and wireless access points to resolve vulnerabilities ranging from remote code execution bugs to authentication bypass flaws. Twenty of the patches address "high" vulnerability issues with the remaining 30 scored as "medium" security risks. One of those vulnerabilities (PSV-2017-1209) is a command injection bug tied to 17 consumer routers.
7 Security Bugs in dnsmasq
Behind the Masq: Yet more DNS, and DHCP, vulnerabilities
by Google Security October 2, 2017
Dnsmasq is open source DNS and DHCP software and is commonly installed on routers, Linux and Android. The most severe of the 7 bugs could be remotely exploited to run malicious code and hijack the device. Three bugs are potential remote code executions, one is an information leak, and the remaining 3 are denial of service flaws. Trend Micro has identified around 1 million devices that are running a vulnerable version of dnsmasq and expose port 53 (DNS) on the public internet.The latest version of Dnsmasq, v2.78 has fixes for all the bugs.
Netgear routers attacked by abusing old bug
RouteX Malware Uses Netgear Routers for Credential Stuffing Attacks
by Catalin Cimpanu of BleepingComputer.com September 13, 2017
Quoting: "A Russian-speaking hacker has been infecting Netgear routers over the past months with a new strain of malware named RouteX that he uses to turn infected devices into SOCKS proxies and carry out credential stuffing attacks. According to Forkbombus Labs ... the hacker is using CVE-2016-10176, a vulnerability disclosed last December to take over Netgear WNR2000 routers." The bug lets the bad guy run the RouteX malware on Netgear routers that have not been patched. The malware defends itself by modifying the firewall of infected routers. This is the reason not to re-use passwords. Credential stuffing is the name given to the process of trying one stolen userid/password at multiple websites/services. To avoid being detected, bad guys spread out their credential stuffing so that it is performed from many different locations, none tied to them. Possibly from your Netgear router. The SOCKS proxy server serves as a middleman that reroutes data between the bad guy and his intended targets. How can you tell if your Netgear router is infected? No one said. It can't hurt to check for new firmware on all Netgear routers. If manual checking is too much, some routers self-update (see my list). Among the cheaper options, a single Google Wifi hockey puck router can be had for about $120. A single AmpliFi square router is about $130. A single eero costs about $200 and the Synology RT1900ac is around $120.
Three more D-Link router flaws
Enlarge your botnet with: top D-Link routers
by security firm Embedi September 12, 2017
Embedi found three flaws in the D-Link DIR890L, DIR885L, DIR895L and, most likely, other DIR8xx routers. Four months after first contacting D-Link, two of the flaws have not been patched. The one that was patched, was only fixed in the DIR890L, other models are still vulnerable. The good news here is that exploitation is LAN side and anyone following my advice on securing local access to a router and assigning IP addresses is protected. BUG1: In the router, phpcgi processes its internal web interface web pages. A malicious request, sent to http:// 192.168.0.1/getcfg.php, can bypass the normal authorization checks and execute a script that returns the userid/password of the router. BUG2: There have been many bugs over the years involving HNAP, this is yet another. A malicious request sent to http:// 192.168.0.1/HNAP1/ can cause a stack overflow that allows for the execution of shell commands with root privileges. BUG3: There is a window of opportunity just after the router starts up, where a device connected to an Ethernet LAN port can upload new firmware onto the router. This begs the question of why firmware is not digitally signed. If it was, the new firmware would be rejected. One way to restart the router (in addition to the other two bugs) is to send an EXEC REBOOT SYSTEM command to port 19541. No password needed. This port is open on the LAN side and there does not seem to be a way to close it. According to Victor Gevers, there are over 98,000 vulnerable D-Link routers (including the 10 flaws in the 850L). The blog posting includes ugly details of Embedi trying to get D-Link to fix things. When combined with the below D-Link router flaws, reported just a few days earlier, I am left thinking that a qualified person could find flaws in any D-Link router.
D-Link 850L router should be disconnected from Internet
Researcher Publishes Details on Unpatched D-Link Router Flaws
by Catalin Cimpanu of Bleeping Computer September 9, 2017
Pierre Kim, who has found many router flaws in the past, published the details of TEN vulnerabilities he discovered in the D-Link DIR 850L router. The 850L is a wireless AC1200 Dual Band Gigabit "Cloud" Router. He also found flaws in the Mydlink Cloud Service, which lets you remotely access and control D-Link devices on your home network. Kim published his findings without notifying D-Link first. Back in February they ignored his previous attempts at reporting other flaws. The flaws can be exploited from both the LAN and WAN side of the router. Bad guys can make the router sing and dance. More specifically, they can intercept traffic, upload malicious firmware and get root privileges. Kim recommends disconnecting any DIR 850L routers.
Some AT&T Arris gateways are brutally vulnerable
by Joseph Hutchins of Nomotion August 31, 2017
Let's be clear: this is a disgrace. Security firm Nomotion claims that AT&T U-verse modems, models NVG589 and NVG599, have brutal security flaws; five all told, that let the devices be fully and totally hacked by bad guys, including uploading new firmware. They claim there are at least 220,000 of these vulnerable devices currently in use. Articles on this refer to the devices as "modems" but that is not correct. They are gateway devices, combining modem and router features. Three of the five flaws are hard coded backdoor accounts. Another is that SSH is enabled by default on the WAN side where anyone can login as root using one of the hard coded userid/passwords. Also on the WAN side, an HTTP request to open port 49152 allows bad guys to bypass the device's firewall and open a TCP proxy connection to the device. This hack requires a predictable three-byte value followed by the MAC address. They found this port open on every single AT&T device they tested. Malpractice, I say. On the LAN side, attackers can authenticate on port 49955 to the web admin interface with the username "tech" and an empty password. The web server in the boxes is also vulnerable to a command injection flaw that lets bad guys run shell commands in the context of the web server. Its not clear if this is LAN or WAN side. Finally, someone who knows the device serial number can use a hard coded userid/password to authenticate to the device on port 61001. Here too, its not clear if the flaw is LAN or WAN side. All told, these devices are a botnet just waiting to happen.
Perhaps the most shocking thing was that Hutchins found a module in the kernel "whose sole purpose seems to be to inject advertisements into the user's unencrypted web traffic." He said the module is not being used but the code is there.
How much of the blame falls on AT&T vs. Arris is not yet clear. Hutchins did note that Arris has a history of "careless lingering of hardcoded accounts on their products."
I may have been wrong about the most shocking aspect. It is that AT&T ignored this. As of two weeks after the disclosure, they have said nothing. Seems they want to keep their customers ignorant of the problems. Arris initially said they are investigating but two weeks later, they have said nothing else.It seems that unless stories like this break out of the nerd news, companies are not sufficiently shamed to do anything. Even Equifax did something.
Netgear reports on 3 bugs in their routers
NETGEAR Security Advisory Newsletter
by Netgear August 2017
The following bugs in Netgear routers comes from the NETGEAR Security Advisory Newsletter. None of the Security Advisories offer details on the flaws. Anyone owning a Netgear router should subscribe to the newsletter, if only because none of these bugs were reported anywhere else, that I can find.
Cisco routers and switches vulnerable
Australian businesses targeted in Cisco switch and router attacks: ACSC
by Stilgherrian of ZDNet August 16, 2017
The Australian Cyber Security Centre (ACSC) warns that Cisco routers and switches with Simple Network Management Protocol (SNMP) enabled and exposed to the internet, are vulnerable to having their configuration files extracted. The config files may contain device administrative credentials which can be used to compromise the device. Also vulnerable are switches using Cisco Smart Install (SMI) that are accessible from the internet. SMI is a feature in Cisco IOS that was intended for LAN side use and thus has no authentication. SNMP is included in my suggested list of stuff to turn off.
Flaw in some Juniper routers goes unpatched for months
Juniper issues security alert tied to routers and switches
by Tom Spring of Kaspersky Threatpost August 10, 2017
There was a bug in the open-source GD graphics image library (libgd) that could allow a remote attacker to take control of systems running certain versions of the Junos OS. The bug existed in T Series and MX series routers along with four switch products. Juniper has issued a software fix. To me, the most interesting aspect is how long it took Juniper to fix the problem which was first made public in April 2016. Many Linux distributions quickly fixed it. The article says "Use of the flawed libgd library has stung a wide range of firms over the past year." Juniper did not publish a Security Advisory about this until July 12, 217.
Netgear Router Analytics means Netgear spies on your router
Netgear Enables User Data Collection Feature on Popular Router Model
by Catalin Cimpanu of Bleeping Computer May 22, 2017
News about this broke in May 2017, I'm late in writing it up. And, although this is not a software bug, it is a flaw nonetheless - one of corporate personality. Simply put, Netgear now spies on some of their routers. This rolled out in April 2017 with firmware 188.8.131.52 for the R7000. Also in April, spying/analytics was added to the Orbi RBK40, RBR40 and RBS40 (Firmware Version 184.108.40.206). In each case "data collection" is on by default, you have to login to the router to disable it. If you have a Netgear router, consider installing DD-WRT on it from the Netgear supported www.myopenrouter.com site.
Two bugs in an old TP-Link router
CVE-2017-9466: Why Is My Router Blinking Morse Code?
by Senrio June 19, 2017
Senrio has discovered two flaws in the TP-Link WR841N Version 8 router. The flaws, which can only be exploited on the LAN side, allowed them to not only gain administrative access to the device but also to run malicious code on it. The flaws were reported to TP-Link in Sept. 2016 and they were initially reluctant to fix an older product that was no longer supported. However, the fix was released in Feb. 2017. There was no update to the firmware for versions 9 and 11 of the router. It is not known if other TP-Link routers suffer from similar flaws. The first flaw was in a configuration service that allows attackers to send it commands without first logging in. The second flaw was a stack overflow issue and this is what let them install and run malicious software on the router.
Multiple WiMAX routers are easily hacked
Ghosts from the past: Authentication bypass and OEM backdoors in WiMAX routers
by Stefan Viehbock of SEC Consult Vulnerability Lab June 7, 2017
WiMAX routers that make use of a custom httpd plugin for libmtk (the MediaTek SDK library) are vulnerable to an authentication bypass that allows a remote, unauthenticated attacker to change the administrator userid and password. The vulnerable software is commit2.cgi. It accepts a variable called ADMIN_PASSWD which is the new password. The full list of vulnerable routers is not known. Vendors making vulnerable routers include GreenPacket, Huawei, MADA, ZTE and ZyXEL. In addition, Viehbock believes the routers also contain backdoor accounts. The Huawei devices will not be fixed, the company said they are too old. The firmware was developed by ZyXEL which did not respond to inquiries made by CERT. After this got publicity, they responded to Chris Brook of Kaspersky's Threatpost they are "working on a solution". Time will tell.
7 bugs in web interface of Peplink routers
Multiple Vulnerabilities in peplink balance routers
by Eric Sesterhenn of X41 D-Sec GmbH June 5, 2017
Bugs have been reported in the web interface of Peplink Balance routers models 305, 380, 580, 710, 1350, 2500 running firmware 7.0.0. Initially it was not clear if other Balance routers were also vulnerable. They are. It was also not clear if other Peplink routers, such as the model, I recommend, the Surf SOHO are vulnerable. They are. And, it was not initially clear if the flaws are only in firmware 7.0.0 or if they also exist in the previous 6.3.3 firmware. They exist in both.
As to flaw details: (1) The worst is said to be a SQL injection attack via the bauth cookie parameter. This allows access to the SQLite session database containing user and session variables. (2) With specialized SQL queries, it is possible to retrieve usernames from the database. This doesn't strike me as a big deal because Peplink lets you change the username. So, lots of guessing needed to exploit this. (3) The CGI scripts in the admin interface are not protected against cross site request forgery attacks. This allows an attacker to execute commands, if a logged in user visits a malicious website. (4) Passwords are stored in cleartext (5) If the web interface is accessible, it is possible to abuse the syncid parameter to trigger a cross-site-scripting issue. (6) If the web interface is accessible, it is possible to abuse the the orig_url parameter to trigger a cross-site-scripting issue in preview.cgi. (7) A logged in user can delete arbitrary files (8) If the web interface is accessible, it is possible to retrieve the router serial number without a valid login.
The report said that Peplink released updated firmware, version 7.0.1 to fix these bugs on June 5, 2017. However, on the 6th there was no mention of this firmware on the Peplink download page. In fact, there was no mention of these bugs anywhere on the Peplink site or in their forum. On the other hand, the reported timeline shows that Peplink responded quickly and fixed the bugs quickly. Running the admin interface on a non-standard port would likely have prevented abuse of these flaws. Also, devices in an isolated VLAN can be prevented from even seeing the router admin interface.
Peplink responded on June 7th in a forum posting on their website: 7.0.1 RC4 and 6.3.4 RC Addresses Security Advisory CVE-2017-8835 ~ 8840 This has links to updated firmware for all affected models. The new firmware is currently in Release Candidate status. It is expected to be upgraded to GA (Generally Available) status in a week. There are also a couple suggested work-arounds in case updating the firmware is not an immediate option.
3Gstore, a Peplink retailer that I have used a few times, sent an email to their customers about this which raised an excellent point that no one else had. There is a hidden danger to the fact that bad guys can learn the router serial number - they can register the router with Peplinks remote control service, InControl2 - if the router has not already been registered. So, 3Gstore suggests, that even if you are not using InControl 2, you should create an account and register your Peplink router for the sole purpose of preventing a bad guy from registering it. Routers registered with the InControl 2 service can be remotely controlled.
EnGenius Enshare bug has been patched
EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
by Gjoko Krstic of Zero Science Lab June 4, 2017
With the EnGenius IoT Gigabit Routers and their mobile app you can transfer files to/from a USB hard drive attached to the router. Enshare is a USB media storage sharing application that enables local and remote access to files on a USB hard drive. EnGenius EnShare suffers from an unauthenticated command injection vulnerability. An attacker can inject and execute arbitrary code as the root user via the 'path' GET/POST parameter parsed by 'usbinteract.cgi' script. EnGenius ignored the initial report of the problem, but they fixed it roughly two weeks after it was publicly disclosed.
Asus router bugs
ASUS Patches RT Router Vulnerabilities
by Michael Mimoso of Kaskpesky Threatpost May 11, 2017
Multiple bugs in an old Cisco VPN router
Cisco drops critical security warning on VPN router, 3 high priority caveats
by Michael Cooney of Network World MAY 3, 2017
The Cisco CVR100W VPN router is old. It only does Wi-Fi N and it does not support Gigabit Ethernet. It has a critical bug in its Universal Plug-and-Play (UPnP) software which fails to do good range checking of UPnP input data. The bug could let an unauthenticated, Layer 2-adjacent attacker execute arbitrary code as root or cause a denial of service. Cisco has released new firmware with a fix. The same router also has vulnerability in the remote management access control list feature that could allow an unauthenticated, remote attacker to bypass the remote management ACL. No fix for this second flaw seems to be available.
Bug in Cisco IOS XR routers
Cisco IOS XR Software Denial of Service Vulnerability
by Cisco May 3, 2017
The Event Management Service daemon of Cisco IOS XR routers improperly handles gRPC requests. This could allow an unauthenticated, remote attacker to crash the router in such a manner that manual intervention is required to recover. The gRPC service is not enabled by default. Cisco has released a bug fix.
Flaw in modems using Intel's Puma 6 chipset
You can blow Intel-powered broadband modems off the 'net with a 'trivial' packet stream
by Shaun Nichols of The Register April 27, 2017
OK, its about modems, not routers. Close enough. A modem using Intel's Puma 6 chipset can be overloaded and virtually knocked offline by a small amount of incoming data. There is no mitigation, but it does require a constant attack. When the attack stops, things return to normal. The bug has to do with exhausting an internal lookup table. Known vulnerable devices are the Arris SB6190 and the Netgear CM700. The Puma 6 chipset is also used in some ISP-branded cable modems, including some Xfinity boxes supplied by Comcast in the US and the latest Virgin Media hubs in the UK such as the Super Hub 3. Earlier articles mentioned a possible modem firmware update. However, even if a fix is issued you are at the mercy of your ISP to install it. Good luck with that.
UPDATE: The performance issues with Intels Puma 6 gigabit broadband modem chipset also affect the Puma 5 and Puma 7 family. See Intel Pumageddon: Broadband chip bug haunts Chipzilla's past, present and future by Shaun Nichols of The Register August 9, 2017.
Ten flaws in 25 Linksys routers
Linksys Smart Wi-Fi Vulnerabilities
by Tao Sauvage of IOActive April 20, 2017
Researchers discovered ten bugs, six of which can be exploited remotely by unauthenticated attackers. The bugs exist in four models of the WRT series and 21 models of the EAxxxx Series. Two of the bugs allow remote unauthenticated attackers to crash the router. Others leak sensitive information such as the WPS pin code, the firmware version, information about devices connected to the router and other configuration settings. The most serious bug requires authentication - it lets attackers execute shell commands with root privileges. In the worst case, this lets a bad guy setup a backdoor account on the router that would not appear in the web interface and could not be removed. If remote administration is enabled, the routers are vulnerable remotely. Either way, the routers are vulnerable from the LAN side. A big problem is that these routers have a default userid/password. Just that fact alone should steer you away from these routers. On the other hand, Linksys has co-operated well with IOActive in both acknowledging the problem and fixing it. Some of the buggy routers can self-update but that feature needs to be enabled.
Travel routers from TP-LINK, StarTech, TripMate and TrendNet vulnerable
Travel Routers, NAS Devices Among Easily Hacked IoT Devices
by Chris Brook of Kaspersky ThreatPost April 10, 2017
Bugs in four travel routers were disclosed by Jan Hoersch of Securai GmbH in Munich. The TP-LINK M5250 will cough up administrator credentials in response to an SMS message. A StarTech router has telnet open with a hard coded password of root that can not be changed. On the Hootoo TripMate travel router an unathenticated user can do a firmware update. The TrendNet TEW714TRU used to let an unauthenticated LAN side user inject arbitrary commands. After the flaw was reported, TrendNet revised the firmware, but the underlying bug remained. Now, however, you have to be an authenticated user to exploit it.
Ubiquiti drags their heels fixing a bug
Unpatched vulnerability puts Ubiquiti networking products at risk
by Lucian Constantin of IDG News Service March 16, 2017
As bugs go, this is chump change; only authenticated users can exploit the flaw. The bug, discovered by SEC Consult, allows authenticated users to inject arbitrary commands into the web interface. The bug has been confirmed in 4 Ubiquiti Networks devices but is believed to exist in another 38. The worst part seems to the way Ubiquiti handled the issue. They acknowledged the flaw at the end of Nov. 2016, then gave SEC Consult a hard time and eventually just went silent. After a while, SEC Consult gave up and went public. Nerds everywhere love Ubiquiti, hopefully they read about this.
Two bugs in GLi routers have been patched
by T Shiomitsu of Pentest partners Mar 13, 2017
Two bugs in old D-Link routers
D-Link DIR-130 and DIR-330 are vulnerable to authentication bypass and do not protect credentials
by Garret Wasserman of US-CERT March 15, 2017
Despite the article title, other D-Link models may be affected by these issues too. One bug allows a remote attacker that can access the remote management login page to manipulate the POST request to access some administrator-only pages without credentials. In addition, the tools_admin.asp page discloses the administrator password in base64 encoding. D-Link has confirmed the flaws, there is no information about if or when a patch will be issued. The devices are old. The DIR-330 is a Wi-Fi G VPN Firewall with Fast Ethernet. The DIR-130 is similar but without Wi-Fi. As usual, disable remote administration if not really needed. If it is needed, restrict the allowed source IP addresses. The bugs were discovered by James Edge.
D-Link again. HNAP again.
D-Link DIR-850L web admin interface contains a stack-based buffer overflow vulnerability
by Joel Land of US-CERT March 8, 2017
As bad as it gets: a remote, unauthenticated attacker can run arbitrary code as root. Yet another reason to disable remote administration. It is disabled by default on the DIR-850L device but, even then, the device can still be attacked from the LAN side. Other D-Link models may also be affected. The vulnerability is in the HNAP service. A bad guy can send a specially crafted POST request to http://routerIPaddress/HNAP1/ that causes a buffer overflow and execute arbitrary code. Beta firmware was released Feb. 17, 2017. The DIR-850L is a dual band Wi-Fi AC router. It is also affected by the November 2016 HNAP flaw in D-Link devices (see below). The bug was reported by Sergi Martinez of NCC Group.
Bugs in two TP-Link routers
Updated Firmware Due for Serious TP-Link Router Vulnerabilities
by Michael Mimoso of Kaspersky Threatpost Feb. 13, 2017
One flaw allows for remote code execution but only after logging in to the router. Another flaw allows a bad guy to crash the TP-Link C2 and C20i routers. There are weak default credentials for the FTP server in the router. The default firewall rules are too permissive on the WAN interface. The final insult is artistic, Pierre Kim, who found the flaws, claims that three of the modules in the router firmware "are overall badly designed programs, executing tons of system() and running as root." TP-Link plans to release a new firmware in February 2017, patching all the vulnerabilities. Perhaps the worst aspect was that when Kim first contacted TP-Link by livechat he was told "there is no process to handle security problems in TP-Link routers" and the company refused to offer a point of contact for security issues. Ouch.
Netgear routers buggy, yet again
CVE-2017-5521: Bypassing Authentication on NETGEAR Routers
By Simon Kenin of Trustwave January 30, 2017
There are two bugs in Netgear routers that leak the administrator userid and password. These are not to be confused with the two sets of bugs in Netgear routers last month. Each of these bugs can be exploited from the LAN side and, if remote administration is enabled, also from the WAN/Internet side of the router. Remote Administration should be disabled by default. Still, there are at least ten thousand vulnerable devices that are remotely accessible.The bugs were first reported to Netgear in April 2016 and, to date, all the affected routers have still not been patched. There is a work-around however, enable password recovery. This is an option in the router that requires a secret question before divulging the router password. With password recovery enabled, all is well. On some routers, you can test if it is vulnerable with
Getting patches issued was a long slog, obviously since it has taken 9 months. The first Netgear advisory listed 18 vulnerable devices. A second advisory listed an additional 25 models. As things stand now, there are 31 vulnerable models, 18 of which are patched. However, Trustwave warns that one of the models listed as not vulnerable (DGN2200v4) is, in fact, vulnerable. Ugh. Netgear now has a new procedure for handling reports about flaws in their software.
To keep this page small, router bugs from earlier years have been omitted by default. To see them, click the buttons below.