Nine WiFi routers used by millions were vulnerable to 226 flaws

MrGuvernment


More reason to run a pfSense box in front of any of this crap...

Nine WiFi routers used by millions were vulnerable to 226 flaws
https://www.bleepingcomputer.com/ne...sed-by-millions-were-vulnerable-to-226-flaws/

Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them, even when running the latest firmware.

The tested routers are made by Asus, AVM, D-Link, Netgear, Edimax, TP-Link, Synology, and Linksys, and are used by millions of people.

The front-runners in terms of the number of vulnerabilities are the TP-Link Archer AX6000, having 32 flaws, and the Synology RT-2600ac, which has 30 security bugs.
 
It doesn't surprise me at all that the Shenzhen, China-based TP-Link has the most vulnerabilities. My question is, how many of them are there on purpose?

I also wonder:
Do these vulnerabilities apply only when the device is used as a router, or are they also vulnerable when simply used as an access point behind a separate firewall (updated pfSense, for example)?
How many of these vulnerabilities remain when using 3rd party firmware such as DD-WRT? DD-WRT is often updated more frequently than manufacturer firmware, especially on older devices that have been abandoned by the manufacturer.
 

More reason to run a pfSense box in front of any of this crap...

Nine WiFi routers used by millions were vulnerable to 226 flaws

https://www.bleepingcomputer.com/ne...sed-by-millions-were-vulnerable-to-226-flaws/

I dunno about the "used by millions", exactly. These look to be some of the most expensive models from each brand. Most people don't spend over about $75 on their Wi-Fi router. The ROG Rapture GT-AX11000 is $400+.

I bought an Asus RT-AX86U on sale for $250 about 3 months ago, and there are likely exponentially fewer people buying in that price range than even at $100.

That said... it's fairly likely that similar vulnerabilities would be in most of their current product stack, as they tend to have similar firmware for current product lines. However, Asus seems to put out new firmware pretty often anyway. There have been 3 since I bought the AX86U. And now it sounds like maybe a 4th!
 
and the Synology RT-2600ac, which has 30 security bugs.

That's gonna hurt some user feelings, they love that UI (love it on my NAS but I prefer ASUS routers for balance of price, quality, and upgrade/update lifecycle - I'm rocking a RT-AX58U)
 
GotNoRice good question, can these exploits be hit via WiFi, or only via WAN interfaces?
Most of the exploits rely on Remote Access, UPnP, WPS, or UART. So if you have poorly configured the devices, then they can be accessed via WiFi or physical connections. Most of the issues found can be mitigated by following current best practices for configuration; the problem is their wizards don't follow those, and most users don't do anything beyond the specific tasks presented to them in the wizards, which then leaves them all in vulnerable states. The firmware updates will fix the major issues for sure, but if the users don't take additional steps to secure their configurations, then the bulk of them remain.
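A LAN-side check for the UPnP exposure the post above mentions, added here as an example that is not from the thread or the article: it multicasts a standard SSDP M-SEARCH for an Internet Gateway Device and reports any router that still answers, which is a quick way to confirm the "disable UPnP" setting actually took. The sample response is constructed.

```python
import socket
SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
# Standard SSDP discovery request for UPnP Internet Gateway Devices, the
# port-mapping service the post above recommends turning off.
MSEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ' + IGD_ST + "\r\n\r\n").encode()
# Constructed sample of what a router with UPnP still enabled typically replies.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                   b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
                   b"SERVER: Linux UPnP/1.0 ExampleRouter/1.0\r\n"
                   b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")

def parse_ssdp_response(raw: bytes) -> dict:
    """Turn the HTTP-style SSDP reply into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.decode("utf-8", errors="replace").split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def is_igd(headers: dict) -> bool:
    # True when the responder advertises itself as an Internet Gateway Device.
    return "InternetGatewayDevice" in headers.get("st", "")

def discover_igd(timeout: float = 2.0) -> list:
    """Multicast one M-SEARCH on the LAN; return (ip, headers) for every IGD reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(MSEARCH, SSDP_ADDR)
        while True:  # collect replies until the timeout window closes
            data, (ip, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if is_igd(headers):
                found.append((ip, headers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

if __name__ == "__main__":
    hits = discover_igd()
    if not hits:
        print("No UPnP Internet Gateway Device answered; UPnP looks disabled.")
    for ip, h in hits:
        print(f"UPnP still enabled on {ip}: {h.get('server')} at {h.get('location')}")
```

Run it from a machine on the router's LAN; a silent run means nothing advertised IGD within the timeout, while a hit prints the SERVER and LOCATION headers so you can tell which box is still answering.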
 
This is the reason I don't trust ANY consumer routers.

I run pfSense myself, but there would be any number of enterprise solutions I'd be happy with, and absolutely zero consumer routers I'd even consider.
 
The firmware updates will fix the major issues for sure, but if the users don't take additional steps to secure their configurations, then the bulk of them remain.

If the manufacturer even provides them. In many cases, when devices fall out of their support period, or turn into a trash fire, the manufacturer dumps them and pretends the device in question never existed. Linksys has done this for hundreds of their devices, they won't even give you download links to firmware or drivers anymore for tons of their products. But they're not the only one guilty of this, Netgear and D-Link also have a history of it as well.

If you confront them about it, you'll sometimes be given "secret" firmware builds that you're instructed to not share with anyone. Linksys has been notorious for this. So there will be X problem with Y router and Z fix privately released to select people, and not available to anyone else.

This is the reason I don't trust ANY consumer routers.

I run pfSense myself, but there would be any number of enterprise solutions I'd be happy with, and absolutely zero consumer routers I'd even consider.

Enterprise spec gear isn't immune from vulnerabilities. No matter how little or how much you spend, you're at the whims of the manufacturer and have to trust them not to do things like putting in hardcoded backdoors in the firmware. And since the firmware is of course never open source, there's no way of knowing unless you have the expertise to reverse engineer the firmware image and see what they're doing. This is hard since the firmware images are often compressed and encrypted. Even if you get past those, the file formats are often proprietary and code obfuscated.
 
If the manufacturer even provides them. In many cases, when devices fall out of their support period, or turn into a trash fire, the manufacturer dumps them and pretends the device in question never existed. Linksys has done this for hundreds of their devices, they won't even give you download links to firmware or drivers anymore for tons of their products. But they're not the only one guilty of this, Netgear and D-Link also have a history of it as well.

If you confront them about it, you'll sometimes be given "secret" firmware builds that you're instructed to not share with anyone. Linksys has been notorious for this. So there will be X problem with Y router and Z fix privately released to select people, and not available to anyone else.



Enterprise spec gear isn't immune from vulnerabilities. No matter how little or how much you spend, you're at the whims of the manufacturer and have to trust them not to do things like putting in hardcoded backdoors in the firmware. And since the firmware is of course never open source, there's no way of knowing unless you have the expertise to reverse engineer the firmware image and see what they're doing. This is hard since the firmware images are often compressed and encrypted. Even if you get past those, the file formats are often proprietary and code obfuscated.

The article states that they have all released firmware updates since getting their results.

The vendor responses to CHIP (translated) were the following:

  • Asus: Asus examined every single point of the analysis and presented us with a detailed answer. Asus has patched the outdated BusyBox version, and there are also updates for “curl” and the web server. They pointed out that the password problems were temp files that the process removes when it is terminated. They do not pose a risk.
  • D-Link: D-Link thanked us briefly for the information and published a firmware update that fixes the problems mentioned.
  • Edimax: Edimax doesn't seem to have invested too much time in checking the problems, but at the end there was a firmware update that fixed some of the gaps.
  • Linksys: Linksys has taken a position on all issues classified as "high" and "medium". Default passwords will be avoided in the future; there is a firmware update for the remaining problems.
  • Netgear: At Netgear they worked hard and took a close look at all problems. Netgear sees some of the "high" issues as less of a problem. There are updates for DNSmasq and iPerf, other reported problems should be observed first.
  • Synology: Synology is addressing the issues we mentioned with a major update to the Linux kernel. BusyBox and PHP will be updated to new versions and Synology will soon be cleaning up the certificates. Incidentally, not only the routers benefit from this, but also other Synology devices.
  • TP-Link: With updates from BusyBox, CURL and DNSmasq, TP-Link eliminates many problems. There is no new kernel, but they plan more than 50 fixes for the operating system.

I love my Palo Alto's regular updates, clear logging, and great reporting tools; those boxes have made my life way easier and significantly cut down on issues.
 
What sucks is it takes an article like this to find all these issues for them, showing they do little useful Security QA on their devices sent out to run people's home networks...
 
What sucks is it takes an article like this to find all these issues for them, showing they do little useful Security QA on their devices sent out to run people's home networks...
Most of the issues can be resolved by disabling remote access, and changing the admin username and password. Something far too few do sadly, and isn’t enforced by enough providers.
 
Most of the issues can be resolved by disabling remote access, and changing the admin username and password. Something far too few do sadly, and isn’t enforced by enough providers.

Yeah, that really should be forced during setup. Remote access should default to off, with warning messages to only enable it if you know what you are doing, and forced setting of unique passwords during the setup process.

It's quite negligent that router manufacturers and ISP's don't do this.
 
Every ISP here has been supplying complex random passwords and pretty secure defaults for years. I don't know if it's a legal requirement or they just give a shit?
 
I have the Asus GT-AX11000, Asus did release a firmware update 3 months ago fixing this issue and has since released 2 more updates with additional fixes.

Glad that they did something about it.
 
My question is, how many of them are there on purpose?
ALL OF THEM, if it comes from over there, then it is built that way from day 1, and anyone who thinks differently is foolin' themselves, to their own peril!
 
ALL OF THEM, if it comes from over there, then it is built that way from day 1, and anyone who thinks differently is foolin' themselves, to their own peril!
Oh come on now, those megacorps would never do anything to their loyal customers of such a manner.
Those exploits are included purely out of their benevolence, and certainly not for corporate gain. :borg:
 