Groundhog day for routers
Even if it is hardly surprising anymore, a shocking range of sometimes hair-raising vulnerabilities continues to lie dormant in popular router models. Sitecom WLM-3500 routers, for example, contain two undocumented backdoor accounts that provide attackers with simple ways of obtaining admin privileges and make arbitrary router configuration adjustments. Vulnerable devices are easy to find: The H's associates at heise Security discovered more than 10,000 potentially vulnerable routers straight away, the majority of them in Italy.
The backdoor access credentials were accepted in all of their spot checks. While Sitecom has released a firmware version 1.07 that, the company says, no longer contains the backdoors, routers don't tend to be too fussed about keeping their firmware updated, and it is unlikely that the update will be installed on a significant number of devices in the foreseeable future. The hole was discovered and reported to Sitecom by security expert Roberto Paleari from Emaze Networks.
Paleari also found problems with Netgear's WNR1000. Adding the ".jpg" character string to the address of the configuration file allows unauthenticated attackers to access this file. The file is apparently encrypted but this encryption is somewhat light and can be decoded using a Python script that Paleari has made available.
A team from ISE (Independent Security Evaluators) also made quite a few discoveries: Although the security specialists had originally only planned to examine 10 router models, their research project included 13 vulnerable models in the end. Among these are Belkin's N300, N900 and F5D8236-4 v2 models as well as the Linksys WRT310Nv2, Netgear WNDR4700 and TP-Link WR1043N routers – and D-Link is also affected; this time it's the company's DIR-865L model.
Many of the holes can be exploited via the internet, some of them even without authentication. The holes that were discovered by ISE have been given 17 CVE numbers so far, and a further 21 submissions are currently being investigated. To avoid putting router owners at risk, ISE has not yet released any vulnerability details. The list of CVE numbers contains the usual suspects, including authentication bypass, cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities.
To minimise the risk of successful attacks on their devices, router owners should at least change the factory-set password and ensure that the router's web interface is not accessible through the internet. CSRF attacks become more difficult if owners change their device's internal IP address and make sure that they log out after accessing the web interface. A regular check to see whether a manufacturer has released a firmware update is also advisable – whether vulnerabilities have been found or not.