Over 700,000 ADSL Routers Contain Serious Security Flaws

A directory traversal vulnerability, a way for a hostile actor to take files from places they should not have access to, can be found in hundreds of thousands of DSL modems.  Working independently since 2011, several security researchers have discovered that DSL modems (routers) made by several manufacturers allow a hostile actor to extract the configuration file from the device.  This configuration file contains setting information as well as administrator and DSL user password hashes.  Once a hostile actor has the hash information it is only a matter of time before they can figure out the password.

This vulnerability is not new, but the extent of how many devices are vulnerable was just published by Kyle Lovett.  In scoping the extent of this vulnerability, Kyle was able to determine that the hash used to protect the passwords is weak, meaning it is easy to crack the passwords protected by the hash.  Kyle also found that many of the routers have a hidden support account with a hard-coded password and that it's possible to replace the configuration file and hijack web traffic to and from the device.

Devices that are susceptible to this attack are:

ZTE H108N and H108NV2.1
D-Link 2750E, 2730U and 2730E
Sitecom WLM-3600, WLR-6100 and WLR-4100
FiberHome HG110
Planet ADN-4101
Digisol DG-BG4011N
Observa Telecom BHS_RTA_R1A

There are possibly other models vulnerable. Protocol46 will update as more devices are confirmed.

The common thread of all these devices is the firmware used.  The firmware comes from the Chinese company Shenzhen Gongjin Electronics. This company also does manufacturing work for D-Link, Asus, Alcatel-Lucent, Belkin, ZyXEL and Netgear. It has not been determined if these other devices use any or part of the same firmware and are vulnerable. It is also not clear if Shenzhen Gongjin Electronics is aware of the flaw.

There is a CVE entry for this vulnerability that states several of the Belkin-made products are vulnerable. The CVE entry is http://www.cvedetails.com/cve/CVE-2014-2962/

Protocol46 ran a similar story on February 19th, 2014 about over 500,000 home internet routers having an SSH key vulnerability: https://protocol46.com/2015/02/hundreds-of-thousands-of-home-routers-have-ssh-key-vulneribilty/

These two vulnerabilities leave over a million devices susceptible to attack or use by hostile actors.  Although these devices are simple, they often have enough power to run custom firmware.  What this means is a hostile actor could compromise the system and have a three-fold win.  The hostile actor would be able to hijack the internet traffic traveling through the device, use the device to attack deeper into the user’s network, and use the device to attack other targets.  The ability to do any or all three of these is hypothetical and would require proof of concept testing on vulnerable models to confirm.

Post by Protocol 46