Tag Archives: Routers

Very Large Number of Routers/Modems/Internet Gateways Contain Non-Unique X.509 Certificates and SSH Keys

In late November the security firm SEC Consult published a blog post detailing what they found after analysing the firmware of many thousands of embedded devices from almost 70 manufacturers and correlating the keys they found with Internet-wide scan data. The devices were found to contain X.509 certificates (defined) and SSH (Secure Shell, defined) private keys (the private half of the public/private key pairs used in asymmetric encryption (defined)) that were shared among many similar devices, including devices from other manufacturers. A private key is only useful as long as it is private; once the same key ships in thousands of devices and can be extracted from any one firmware image, it is effectively public.

Why Should These Issues Be Considered Important?

Anyone who extracts a shared private key from one device's firmware holds the key for every other device that uses it. An attacker positioned on the network path to such a device (for example, on the same local network) could then impersonate the device's HTTPS administration interface or SSH service, or man-in-the-middle (MITM, defined) and decrypt connections to it, capturing whatever is sent over those connections, e.g. the administrator's password.

SEC Consult found that approximately 4 million devices are affected by this issue.

A remote attack (i.e. by an attacker on the wider Internet rather than within your network) is far more difficult to conduct and would require the capabilities discussed in the paragraph titled “What is the impact of the vulnerability?” of SEC Consult’s blog post.

For the full list of affected manufacturers of these devices, please see the paragraph titled “Which vendors/products are affected?” of SEC Consult’s blog post and the “Vendor Information” section of this US CERT article. Finally, for affected Cisco devices, a list of affected device models is provided here.

How Can I Protect Myself From These Issues?
End users (consumers) who have purchased these devices, or been supplied them by their ISP (Internet Service Provider), cannot resolve these issues themselves: the vulnerable keys are embedded in the device firmware and can only be replaced by a firmware update from the vendor, and only some vendors have provided or promised one. In the meantime, make sure the device's HTTPS and SSH administration services are not reachable from the Internet, i.e. that remote (WAN-side) administration is disabled, so that only someone already on your network could attempt the attack described above.

If you own a device from one of the affected vendors (see the lists linked above), follow US CERT’s advice and contact the vendor to ask whether an update for your device will be made available. You can refer them to SEC Consult’s blog post and US CERT’s advisory if the vendor needs clarification of the issue you are referring to.
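The check a practitioner would want here is to find out whether the key a device presents is also presented by other devices, which is exactly what SEC Consult did at Internet scale. The following is an added example, not code from the original post or from SEC Consult: it reads host-key records in OpenSSH known_hosts format (the format `ssh-keyscan` prints), computes the same SHA256 fingerprint that `ssh-keygen -lf` shows, and reports any fingerprint that appears on more than one host. The host names and key blobs are constructed for illustration; the blobs are valid ssh-rsa wire format but are not real keys.

```python
"""Find SSH host keys shared between devices (added example)."""
from __future__ import annotations

import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_blob(e: int, n: int) -> str:
    """Build a base64 ssh-rsa public key blob. Constructed for the sample; not a usable key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode("ascii")


def fingerprint(key_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob).

    This is the value `ssh-keygen -lf` prints for the same key.
    """
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str) -> list[tuple[str, str, str]]:
    """Return (host, key_type, key_b64) for each non-comment known_hosts line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # ssh-keyscan writes banner comments
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        records.append((parts[0], parts[1], parts[2]))
    return records


def shared_keys(text: str) -> dict[str, list[str]]:
    """Map every fingerprint seen on more than one host to the sorted list of those hosts."""
    hosts_by_fp = defaultdict(set)
    for host, _key_type, key_b64 in parse_known_hosts(text):
        hosts_by_fp[fingerprint(key_b64)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed sample scan: three gateways, two of which ship the same factory key.
SHARED_KEY = make_rsa_blob(65537, 0xC0FFEE_DEADBEEF_0123456789ABCDEF)
UNIQUE_KEY = make_rsa_blob(65537, 0xBADC0DE_FEEDFACE_13579BDF02468ACE)
SAMPLE_SCAN = f"""
# constructed output of: ssh-keyscan -t rsa gw1.example.net gw2.example.net gw3.example.net
gw1.example.net ssh-rsa {SHARED_KEY}
gw2.example.net ssh-rsa {SHARED_KEY}
gw3.example.net ssh-rsa {UNIQUE_KEY}
"""

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_SCAN).items():
        print(f"{fp} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Against a real device, `ssh-keyscan -t rsa <router-ip> | ssh-keygen -lf -` prints the fingerprint this code computes, and `openssl s_client -connect <router-ip>:443 </dev/null | openssl x509 -noout -fingerprint -sha256` does the same for the HTTPS certificate. A fingerprint that matches a second device you own, or one published in the advisories above, means the key is shared.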

For anyone affected by this issue I hope that the above information is of assistance to you. Thank you.

Netgear Releases Router Firmware Update Addressing Security Issues

Early last week Netgear issued a firmware update for some of their consumer broadband routers. This update resolves two critical vulnerabilities: a command injection vulnerability and an authentication bypass vulnerability.

Affected Routers (authentication bypass vulnerability):

  • JNR1010v2
  • JNR3000
  • N300
  • R3250
  • WNR614
  • WNR618
  • JWNR2000v5
  • WNR2020
  • JWNR2010v5
  • WNR1000v4
  • WNR2020v2

Affected Routers (command injection vulnerability):

  • JWNR2010v5
  • JWNR2000v5

Why Should These Issues Be Considered Important?
By default the affected routers' administrative interface can be accessed by any user (or any malware) on the same internal network as the router, so the authentication bypass can be exploited from inside your network without a username or password. If WAN administration is enabled (a setting that exposes the admin interface to anyone outside your network) the bypass is even more serious, since a remote attacker on the Internet could then access your router's admin interface in the same way.

The command injection vulnerability could allow an attacker to execute an operating system command of their choice on the router, e.g. listing the files on the device. Since the web interface on consumer routers typically runs with full (root) privileges, this amounts to complete control of the device.

How Can I Protect Myself From These Issues?
If you own any of the affected routers listed above, apply the update if one is available for your router. If not, check Netgear's support site for updated firmware that corrects these issues. If no corrected version is available, contact Netgear to determine whether an update is planned; they may also be able to supply steps to mitigate the issues in the meantime (at a minimum, make sure WAN administration is disabled).

Netgear has issued updated firmware for some of the affected routers:

  • JNR1010v2
  • WNR614
  • WNR618
  • JWNR2000v5
  • WNR2020
  • JWNR2010v5
  • WNR1000v4
  • WNR2020v2

Please follow the instructions in the Netgear knowledgebase article linked above to install the updated firmware.

Thank you.

Belkin N600 DB Wireless Dual Band N+ Router Contains Unpatched Security Issues

A particular model of consumer/home user broadband router/wireless access point from Belkin has been found to be vulnerable to a set of security issues that can have potentially serious consequences.

The Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2, with firmware version 2.10.17 and possibly earlier is affected.

There are five issues, four of which have been assigned CVEs (defined):

Use of Insufficiently Random Values – CVE-2015-5987: The router's own outgoing DNS queries (for example those that look up Belkin's firmware update servers) use predictable transaction IDs. An attacker who can inject spoofed DNS responses could therefore make the router connect to a host of their choice, for example a server impersonating Belkin's firmware update servers.

Cleartext Transmission of Sensitive Information: The router's firmware update checks are made over unencrypted HTTP, so they can be intercepted and altered. This compounds the issue above: an attacker able to man-in-the-middle (MITM, defined) the router's traffic could substitute a firmware update of their choice or prevent firmware updates from taking place. The attacker must first obtain that man-in-the-middle position for these capabilities to become available to them.

Use of Client-Side Authentication – CVE-2015-5989: The router relies on values held by the client (the browser) to decide whether a user is logged in. An attacker on your local area network (LAN, the network within your home) can manipulate these values and log into the administration interface (the web page used to change the router's settings) with the same permissions as a legitimate user. The attacker already needs access to your LAN; this attack cannot be carried out remotely.

Cross-Site Request Forgery (CSRF) – CVE-2015-5990: If the owner/user of the router is logged into the administrative interface and, in another browser tab, clicks a link or visits a website of the attacker's choice, the attacker's page can make the browser send requests to the router that are carried out with the owner's permissions. This is known as a Cross-Site Request Forgery (CSRF) attack (CSRF, defined here and here). If the issue below is also present (no password set on the admin interface), the user does not even need to be logged in for this attack to work.

Credentials Management – CVE-2015-5988: By default the router's admin interface has no password set. If that default configuration has not been changed, anyone who already has access to your home network can use the admin interface without any credentials.
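Three of the issues above (login state trusted from the client, settings changes accepted without an anti-CSRF token, and an admin interface that works with no password) are the same design mistake seen from different angles: the router believes what the browser tells it. The following added example, which is not code from the original post or from Belkin's firmware, models a router's settings handler in plain Python with the vulnerable pattern beside a hardened one. The request fields, cookie names and the router address are invented for illustration and stand in for the HTTP request a browser would send.

```python
"""Router admin authorisation: vulnerable pattern beside a hardened one (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.2.1"   # assumed LAN address of the router's web interface


@dataclass
class Request:
    """A minimal stand-in for an HTTP request to the admin interface."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def vulnerable_authorize(req: Request, stored_password: str) -> bool:
    """Accept a settings change if the browser says it is logged in.

    Any page open in the victim's browser can cause 'logged_in=1' to be sent,
    and with the factory default of an empty password nothing is checked at all.
    """
    if stored_password == "":
        return True                                   # no password: no check (CWE-255)
    return req.cookies.get("logged_in") == "1"        # client-side auth (CWE-603), no CSRF check


class HardenedAdmin:
    """Server-side sessions, per-session CSRF tokens and a mandatory password."""

    def __init__(self, password: str):
        if not password:
            raise ValueError("admin interface refuses to run without a password")
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self._sessions = {}                           # session id -> CSRF token

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str) -> tuple[str, str] | None:
        """Return (session_id, csrf_token) on success; both are generated by the server."""
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return None
        session_id, csrf_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._sessions[session_id] = csrf_token
        return session_id, csrf_token

    def authorize(self, req: Request) -> tuple[bool, str]:
        """Allow a state-changing request only if every check passes."""
        if req.method != "POST":
            return False, "state changes must use POST"
        expected = self._sessions.get(req.cookies.get("session", ""))
        if expected is None:
            return False, "no valid server-side session"
        # The token must arrive in the form body, copied from the page the router
        # served. A cross-site page cannot read that page, so it cannot supply it.
        supplied = req.form.get("csrf_token", "")
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return False, "missing or wrong CSRF token"
        origin = req.headers.get("Origin")            # defence in depth when present
        if origin is not None and origin != ROUTER_ORIGIN:
            return False, f"cross-origin request from {origin}"
        return True, "ok"


def demo() -> dict[str, bool]:
    """Send the same requests to both implementations and collect the verdicts."""
    change = {"dns1": "203.0.113.53"}                 # an attacker's preferred DNS server
    forged = Request("POST", cookies={"logged_in": "1"}, form=dict(change),
                     headers={"Origin": "http://attacker.example"})
    results = {
        "vulnerable_accepts_forged": vulnerable_authorize(forged, "hunter2"),
        "vulnerable_accepts_no_password": vulnerable_authorize(Request("POST"), ""),
    }
    admin = HardenedAdmin("hunter2")
    session_id, csrf = admin.login("hunter2")
    results["hardened_accepts_forged"] = admin.authorize(forged)[0]
    # Classic CSRF: the victim's real session cookie rides along, the token does not.
    csrf_attempt = Request("POST", cookies={"session": session_id}, form=dict(change),
                           headers={"Origin": "http://attacker.example"})
    results["hardened_accepts_csrf"] = admin.authorize(csrf_attempt)[0]
    legit = Request("POST", cookies={"session": session_id},
                    form={**change, "csrf_token": csrf}, headers={"Origin": ROUTER_ORIGIN})
    results["hardened_accepts_legit"] = admin.authorize(legit)[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The Origin check is deliberately secondary: older browsers omit the header, so the session-bound token is what actually stops the forged request. The token lives only in the page the router served and in the server's session table, never in a cookie, which is what makes it unforgeable from another site.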

Why Should These Issues Be Considered Important?
If an attacker can obtain full access to your router, they can change any setting they wish, e.g. the DNS settings (as discussed in a previous post), disconnect you and other legitimate users from your own internet connection, and possibly install rogue firmware on the router.

Only one issue (Use of Insufficiently Random Values) can be exploited remotely; the remaining issues require access to your network or a man-in-the-middle (MITM) position. Even so, these issues should be considered serious, since together they can take control of your router away from you and deny you access to your internet connection. The devices connected to the router may also be sent to websites you did not intend to visit (because of the DNS settings being changed, as mentioned above).

How Can I Protect Myself From These Issues?
Belkin has not released a firmware update to resolve these issues and may choose not to do so. In the meantime I would recommend following the advice in this CERT advisory: do not allow untrusted users onto your home network, use a strong Wireless LAN (Wi-Fi) password, and set a strong password for the router's admin interface (which also closes the no-password default described above).

If you are an owner of this router or know someone who is, I hope that the above advice is useful to you in preventing any malicious user from using these issues against you or someone you know.

Thank you.

Several Consumer Broadband Routers Use Static Passwords

Several consumer broadband routers from various manufacturers have been found to use administrative passwords that follow a single fixed pattern (described below). The names/models of the affected routers (at the time of writing) are:

  • DIGICOM DG-5524T
  • Observa Telecom RTA01N
  • Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and Kasda KW58293
  • ZTE ZXV10 W300

Please refer to this CERT knowledge base article for the most up to date list of affected models.

Why Should This Issue Be Considered Important?
Using these predictable credentials, an attacker who can reach your router's administrative interface (from the Internet if remote administration is exposed, or from within your own network) could log in and make any changes they wish to its settings/configuration.

How Can I Protect Myself From This Issue?
Unfortunately it does not appear that the manufacturers of these routers intend to provide mitigations or firmware updates to address their use of predictable administrative passwords.

To prevent an attacker from accessing your router remotely, follow the workaround provided in this CERT knowledge base article. It involves blocking the SNMP ports (161 and 162, normally UDP, as well as the SNMP-over-TLS/DTLS ports 10161 and 10162) so that an attacker cannot query the router for its MAC address. This matters because the password on all affected routers is XXXXairocan, where XXXX is the last four characters of the router's MAC address, and an SNMP query to the router can reveal that MAC address. Note that blocking SNMP only removes the easy way to learn the MAC address; it does not change the password, so the administrative interface itself should also not be reachable from the Internet.

See Aside and Aside 2 for definitions of SNMP and MAC addresses (respectively).

You may need to refer to the documentation (if any) for your router to determine the exact steps needed to block the above-mentioned ports using the router's firewall. A web search for your router model or a call to your Internet Service Provider (ISP) may also help with this.

If you own one of the affected routers (or you know someone that does) I hope that the above advice is useful in protecting you from this potential threat.

Thank you.

Aside:
What is SNMP?

Simple Network Management Protocol (SNMP) is a network device management protocol. It is used to monitor and manage devices such as routers, servers and network printers (among others). A device answers queries about its status and configuration, and can notify the network administrator of conditions that need attention, e.g. that a printer is low on ink or that a server is under heavy CPU or memory load. Unless access to it is restricted, SNMP answers queries from anyone who can reach the port, which is how an attacker learns the MAC address mentioned above. Further information on SNMP is available here.


Aside 2:
What is a MAC address?

A media access control (MAC) address is the identifier of a network interface card (NIC), wired or wireless. For a common Ethernet network a MAC address is made up of six groups of two hexadecimal digits separated by hyphens ( - ) or colons ( : ). Hexadecimal is a numbering system with 16 digit values, 0 to 9 followed by a to f; more information on hexadecimal is available here.

An example MAC address would be 00:0A:11:22:33:44. A MAC address is sometimes referred to as the physical address since it is assigned to the network card (NIC) in the factory (similar to a serial number). Note, however, that most operating systems allow the MAC address to be changed in software, so it should not be relied on as proof of a device's identity.

The first 6 digits of a MAC address are called the prefix (formally the Organizationally Unique Identifier, OUI) and identify the manufacturer of the network card, e.g. Broadcom or Realtek. The remaining 6 digits are assigned by that manufacturer and identify your specific network card.
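As an added example (not code from the original post), the following parses a MAC address in the notations mentioned above (colon- or hyphen-separated pairs, as printed by ifconfig and ipconfig) and in the dotted form some network equipment prints, then splits it into the fields just described. It goes slightly beyond the text by also decoding the two flag bits in the first byte: whether the address was assigned in software rather than at the factory, and whether it is a group (multicast) address rather than a single card's. The sample addresses are made up, and 00:0A:11 is not claimed to belong to any vendor.

```python
"""Parse a MAC address and pick apart its fields (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


@dataclass(frozen=True)
class MacAddress:
    octets: bytes   # exactly six bytes

    @classmethod
    def parse(cls, text: str) -> "MacAddress":
        """Accept 00:0A:11:22:33:44, 00-0A-11-22-33-44, 000a.1122.3344 or 000a11223344."""
        digits = re.sub(r"[:\-.]", "", text.strip().lower())
        if not _HEX12.match(digits):
            raise ValueError(f"not a MAC address: {text!r}")
        return cls(bytes.fromhex(digits))

    def __str__(self) -> str:
        return ":".join(f"{b:02x}" for b in self.octets)

    @property
    def oui(self) -> str:
        """First three bytes: the manufacturer prefix (Organizationally Unique Identifier)."""
        return ":".join(f"{b:02x}" for b in self.octets[:3])

    @property
    def nic_specific(self) -> str:
        """Last three bytes: chosen by the manufacturer for the individual card."""
        return ":".join(f"{b:02x}" for b in self.octets[3:])

    @property
    def is_locally_administered(self) -> bool:
        """Second-lowest bit of the first byte (0x02): set when software, not the factory, chose the address."""
        return bool(self.octets[0] & 0x02)

    @property
    def is_multicast(self) -> bool:
        """Lowest bit of the first byte (0x01): set for group addresses, clear for a single card."""
        return bool(self.octets[0] & 0x01)

    @property
    def last_four_hex(self) -> str:
        """Last four hex digits: the part of the address the static-password routers above build their password from."""
        return str(self).replace(":", "")[-4:]


def describe(text: str) -> dict[str, object]:
    """Summarise a MAC address as a plain dict, e.g. for printing or logging."""
    mac = MacAddress.parse(text)
    return {
        "normalised": str(mac),
        "oui": mac.oui,
        "nic_specific": mac.nic_specific,
        "locally_administered": mac.is_locally_administered,
        "multicast": mac.is_multicast,
    }


if __name__ == "__main__":
    # Constructed samples: the text's example, a software-assigned address, an IPv4 multicast MAC.
    for sample in ("00:0A:11:22:33:44", "02-00-00-00-00-01", "0100.5e00.00fb"):
        print(sample, "->", describe(sample))
```

A locally-administered or randomised address (now common on phones joining Wi-Fi networks) has no meaningful OUI, which is one reason a MAC address on its own should not be treated as a device identity.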

You may be wondering why MAC addresses are used when computers already have IP addresses.
The answer is that the OSI networking model is made up of 7 layers. Layer 2 (the data link layer) uses MAC addresses to tell one device on the local network from another. Network bridges, switches and wireless access points operate at layer 2 and do so without using IP addresses.

As mentioned above, devices on the local network are identified by their MAC address. Layer 2 uses MAC addresses so that it can carry protocols other than IP if required. Layer 3 (the network layer) uses IP addresses (the IP of TCP/IP), and routers operate at this layer, using IP addresses to forward traffic towards the correct destination.

Network switches (devices that pass traffic between the devices and routers on a network on the way to its eventual destination) use MAC addresses to tell the devices connected to their ports apart and to decide which port to send a given frame out of.

When data is to be sent on the network, for example when your web browser (an application) requests a new web page, the request starts at the top of the stack (layer 7, the application layer, in OSI terms). As it moves down the network stack in your operating system each layer adds its own header: layer 4 adds the port numbers, layer 3 adds the source and destination IP addresses, and layer 2 wraps the whole packet in a frame addressed, by MAC address, to the next device on the local link (for traffic leaving your network, your router). The IP header is not removed at this point; it simply is not consulted by layer 2 devices such as switches, which look only at the frame's MAC addresses. Each router along the path strips the frame, reads the IP header to decide where the packet goes next, and wraps it in a new frame addressed to the next hop.

The MAC address of the network card(s) installed in your system can be displayed using the following commands:

Linux (from a terminal window; the MAC address appears as “HWaddr”):
ifconfig -a

Apple Mac OS X:
Please see this link for the necessary steps.

Windows:
Press the Windows key and the letter R to open a Run box. Type cmd and press Enter, then type the following command (the MAC address appears as “Physical Address”):

ipconfig /all

Web Browsers Exploited To Attack Unpatched Consumer Routers

A new tool used by cybercriminals attempts, once a user visits a compromised website, to exploit unpatched security vulnerabilities in the user's internet router. The tool assumes the router's firmware is not up to date. A router is the device, usually provided by your ISP (Internet Service Provider), that connects your home to the internet over a fibre or traditional telephone-line (DSL) broadband connection and typically provides both wired and wireless access. At present only consumer routers are targeted. More details of the affected router models are provided in this blog post from French malware researcher Kafeine.

The exploit tool first fingerprints the router from within the victim's browser, having the browser make requests to the router's local address to determine the manufacturer and model. It then sends cross-site request forgery (CSRF) requests crafted for known, previously patched (fixed) flaws in that router (for example in D-Link, Belkin and TP-Link models) in an attempt to reach the router's administration page; if that fails, it tries common default passwords. The goal of accessing the administrative interface (a settings page usually accessed with a web browser) is to change the router's DNS server IP addresses from those assigned by your ISP, or chosen by you, to servers controlled by the attacker.

Why Does An Attacker Want To Change My Router’s DNS Settings?
DNS (the Domain Name System) works very much like looking up a number in a phone book. For example, when you type www.google.com into your web browser, your computer asks the DNS server it has been configured to use (on a home network this is usually the router itself) what IP address is associated with www.google.com. Once the reply arrives, your web browser connects to that IP address and displays Google's homepage.

Your router finds out Google's IP address by querying the DNS servers whose IP addresses are stored in its settings (normally your ISP's). Those servers look up the address and return it to your router. If an attacker can change your router's DNS server settings, the router will instead ask the attacker's DNS servers for the IP address of Google and will accept whatever address they return.

The router then passes the address it was given to your web browser, which connects to it and displays the page. Since this IP address was deliberately chosen by the attacker, the site shown could be a phishing site (or any other site of the attacker's choice) which, to continue the example, could try to steal your Google account credentials or perform other malicious actions. Details of approximately how many users have been affected by this attack are available in this blog post. DNSSEC was designed to let the party asking verify that DNS records are genuine, which would defeat such tampering; unfortunately its use is not yet widespread, and it only helps here if your own device validates the signatures rather than trusting the (attacker-controlled) resolver to do so.

This type of attack, where your DNS settings are changed without your permission so that names resolve to addresses of the attacker's choosing, is known as “pharming”.
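The resolution process described above can be made concrete by looking at the messages themselves. The following is an added example, not code from the original post or from the DNS-checking tools it mentions: it builds and parses DNS messages with the standard library only (the header with its 16-bit transaction ID, the question, and A-record answers including name compression), then compares two constructed responses for www.google.com, one as a trustworthy resolver would return it and one as a pharmed resolver would, pointing the name at the attacker's host. All addresses are from documentation ranges; none are real Google or attacker addresses.

```python
"""Parse DNS responses and spot a pharmed answer (added example)."""
from __future__ import annotations

import struct


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels: 3www 7example 3com 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid: int, name: str, addresses: list[str], ttl: int = 300) -> bytes:
    """Constructed DNS response: one A question and one A answer per address."""
    # Flags 0x8180: QR (response), RD, RA. Counts: 1 question, N answers, 0 auth, 0 additional.
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)       # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer to offset 12, the name in the question.
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it in the message)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                                 # compression pointer
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> tuple[int, str, list[str]]:
    """Return (transaction id, queried name, IPv4 answers) from a DNS response."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset, qname = 12, ""
    for _ in range(qdcount):
        qname, offset = read_name(msg, offset)
        offset += 4                                               # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        _owner, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:          # A record, IN class
            answers.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlength
    return txid, qname, answers


def looks_pharmed(router_reply: bytes, trusted_reply: bytes) -> bool:
    """True if the router's resolver returns any address the trusted resolver did not."""
    _, name_r, addrs_r = parse_a_records(router_reply)
    _, name_t, addrs_t = parse_a_records(trusted_reply)
    if name_r != name_t:
        raise ValueError("replies are for different names")
    return not set(addrs_r) <= set(addrs_t)


# Constructed replies for the same query: a trusted resolver's view and a pharmed resolver's.
TRUSTED = build_response(0x1A2B, "www.google.com", ["198.51.100.10", "198.51.100.11"])
PHARMED = build_response(0x1A2B, "www.google.com", ["203.0.113.66"])

if __name__ == "__main__":
    for label, reply in (("trusted", TRUSTED), ("router", PHARMED)):
        print(label, parse_a_records(reply))
    print("pharmed:", looks_pharmed(PHARMED, TRUSTED))
```

Two caveats when using this idea against a live router. First, the transaction ID in the header is the only thing (besides the source port) tying a response to a query, which is why predictable IDs, as in the Belkin issue above, let an attacker spoof answers. Second, large sites answer differently depending on where the resolver is, so a mismatch in exact addresses is a prompt to check who owns the returned addresses (as the author does with Whois below), not proof of pharming on its own.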

How I can defend against this attack?
To protect against this issue I would recommend the same approach as for the NetUSB flaw I previously discussed: monitor your router manufacturer's website for firmware updates that address CSRF flaws, and follow the manufacturer's steps to apply them.

In addition, make sure the most recent firmware for your router is already installed (especially if it contains fixes for known security vulnerabilities). As mentioned above, the attack tries to exploit older, already-fixed flaws and assumes you have not updated your router.

My home router is an Asus router from mid-2013. I already have the most recent firmware, from January 2015, installed (which fixed two security issues, one of which was a CSRF flaw). However, it's unclear whether Asus still supports my router or will release a fix for this issue. When I contacted Asus support, they said they couldn't disclose the answer to either question. Given this uncertainty, it may be time for me to consider a newer model of router from Asus.

Some routers allow you to restrict access to the settings page to a single IP address (unfortunately not all routers have this capability). With that set, the admin page is reachable only from that address. To administer the router you would first change your computer's/device's IP address to the chosen address, log in, and when finished change your device's IP address back to its usual one. The CSRF technique cannot do this: the forged requests are sent from whatever address your browser's device currently has, so as long as that is not the permitted address while you browse, the router rejects them.

To check that the DNS servers your router uses are legitimate and working as expected, Kafeine in her/his blog post mentioned two tools for checking your router's DNS settings. I don't own an Android device, so I couldn't install the Android app, but I used the web-based F-Secure tool; it showed that my DNS servers are still set to my ISP's servers. I had already verified this by manually checking the DNS settings of my router, finding the two IP addresses being used for DNS lookups and entering them into Domaintools' Whois lookup. The company names displayed matched those of my ISP. However, F-Secure's tool is very easy to use and much quicker than my manual method.

Thank you.

KCodes NetUSB Security Flaw Found In Many Routers

Early last week a security vulnerability was disclosed in KCodes NetUSB. This is a Linux kernel module, included in the firmware of many routers, that shares USB devices plugged into the router (external hard disks for media sharing, webcams, printers, etc.) with the devices on your local network (i.e. those connected to your router).

The flaw in the KCodes module is a buffer overflow: when a computer connects to the service, the module copies the computer's host name into a fixed 64-byte buffer in kernel memory without checking its length, so a host name longer than 64 characters overwrites whatever follows the buffer. Since the module runs in kernel mode (it is a kernel driver), an attacker who triggers the overflow can crash the router (a denial of service) or, with more effort, execute code with kernel privileges. The attacker needs to reach the service's TCP port (20005), which is normally only possible from the local network, unless the router exposes it to the Internet.

For a list of affected routers, please see this SEC Consult security advisory and this CERT advisory. At the time of writing TP-Link has released updated firmware for some of its routers, with further models to receive updates in the future (a timeline is given in the SEC Consult advisory). Netgear is working to address this flaw in its affected products and plans to make updates available in July.

How I can defend against/mitigate this attack?
While updates are pending, ensure that your router's administrative interface (usually accessible via a web browser) is protected with a strong password. On some models of router it is possible to disable the sharing of USB devices on the network; in the case of Netgear routers, however, disabling the sharing feature does not stop the vulnerable service. For other routers with this feature, blocking access to TCP port 20005 (from your local internal network, using the router's firewall) will mitigate this vulnerability. Whichever step you take, confirm afterwards that the port really is no longer reachable, since a setting that appears to be off is not the same as a closed port.

Update: 29th May 2015:
D-Link has made available a security advisory for this issue with a timeline for the firmware updates currently under development. If you own a D-Link router, please check whether your model is affected and take the necessary action (if applicable).

Finally, I would recommend monitoring your router manufacturer's website for firmware updates that address this flaw, and following the manufacturer's steps to apply the relevant updates. Thank you.