If you, our loyal readers, didn’t already see this one pass through on the news cycle earlier this week, you might want to take a look. The firm ISE (Independent Security Evaluators) has engaged in a second major review of routers, NAS, IoT, and related networking devices targeted at the SOHO and entry-level enterprise market, and found exploitable issues ranging from minor weaknesses all the way to root shell access. Threatpost has a summary of the research paper the ISE team issued, and suffice to say it includes major products from Asus, Buffalo, Lenovo, Netgear, and others.
Major Brands, Major Issues
Here’s a particularly palpitating piece on one of Netgear’s primo products, purportedly pillaged by pusillanimous perfidy per the ISE paper producers:
The NETGEAR Nighthawk X10 R9000 is a high-end flagship router, supporting a variety of traffic management and administrative features. The primary user interface for this device is a web application, but a SOAP-based mobile application is also available. Within either interface, an administrator may manipulate common network settings, view device logs, manage Quality of Service as well as various other settings.
Initial testing of the administrative mobile application revealed that the “X-Forwarded-For” HTTP header is interpreted by the application. This header is commonly used by load balancers to convey a client’s IP address to downstream services, but it can lead to unexpected issues if used improperly. This device appears to interpret the header’s contents as the client’s real IP address, overriding any previous values. This device also appears to whitelist requests from its own IP address, allowing internal use of the API without managing authentication. When combined, these two functionalities give an attacker the ability to bypass all authentication checks on the SOAP API.
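The two behaviours the excerpt describes, a header silently overriding the socket peer address and an own-address whitelist that skips authentication, as an added example (not code from the ISE paper or from the device firmware): the vulnerable client-address lookup beside a hardened one that only honours X-Forwarded-For when the TCP peer is a configured proxy, plus a simple detection check for an external peer claiming a device-local address. The addresses, the proxy list and the header dictionary shape are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for the device's own management addresses (assumption, not from the paper).
DEVICE_OWN_ADDRS = frozenset({"127.0.0.1", "192.168.1.1"})


def client_ip_vulnerable(peer_ip, headers):
    """Flawed behaviour: if X-Forwarded-For is present it replaces the real socket peer address.
    'headers' is assumed to be a dict with case-normalised header names."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def client_ip_hardened(peer_ip, headers, trusted_proxies=frozenset()):
    """Only honour X-Forwarded-For when the peer is a known proxy; a stand-alone SOHO router
    sits behind no load balancer, so the default (empty) proxy set means the header is ignored."""
    xff = headers.get("X-Forwarded-For")
    if xff and peer_ip in trusted_proxies:
        candidate = xff.split(",")[-1].strip()  # rightmost entry was appended by the trusted proxy
        try:
            ipaddress.ip_address(candidate)  # reject garbage before using it as an address
            return candidate
        except ValueError:
            pass
    return peer_ip


def is_authenticated(peer_ip, headers, resolve_ip, has_valid_session):
    """Authorisation check with a local bypass: requests resolved to the device's own address skip login.
    The bypass is only as strong as resolve_ip's notion of the client address."""
    return resolve_ip(peer_ip, headers) in DEVICE_OWN_ADDRS or has_valid_session


def is_spoofed_local_claim(peer_ip, headers):
    """Detection: an external peer asserting a device-local address via X-Forwarded-For is suspicious
    and worth logging or blocking at the management interface."""
    xff = headers.get("X-Forwarded-For", "")
    claimed = {part.strip() for part in xff.split(",") if part.strip()}
    return peer_ip not in DEVICE_OWN_ADDRS and bool(claimed & DEVICE_OWN_ADDRS)
```

With the default empty proxy set the hardened lookup never consults the header, which is the right behaviour for a device that is not deployed behind a reverse proxy.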
The ISE paper appears to be reasonably well written and includes methodology descriptions and code snippets of the exploits, so if you’re a network admin, a security researcher, or just a concerned citizen with a laser printer and 50,000 mp3s to keep secure from that aspiring PenTester next door who likes to harass your home network with a WiFi Pineapple, it’s worth a look.