A remote code execution vulnerability in D-Link and Trendnet routers “allows remote attackers to execute arbitrary code on vulnerable installations,” according to an alert issued Friday.
The alert noted that attackers don't need authentication to exploit the bug, which is found within the miniigd SOAP service employed by the RealTek software development kit.
“Given the stated purpose of Realtek SDK, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines,” the advisory said, suggesting the use of firewall rules and whitelisting. “Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it.”
“Because the hardware can run reliably for years, and security issues rarely interrupt service, and there is rarely, if ever, any sort of automated patching process, vulnerabilities on these devices are extremely long lived,” Tod Beardsley, security engineering manager, Rapid7, noted in a statement emailed to SCMagazine.com. “And, like the Android ecosystem, the DOCSIS modem and SOHO router tends to be very fractured, so no one company takes responsibility for ensuring patch management actually happens.”
Beardsley, who said he was “glad to see that more researchers are paying attention to these consumer routers and cable modems,” explained that despite “open source projects, such as OpenWRT and AdvancedTomato which offer much more frequent updates to the firmware that drives several versions of common, off-the-shelf router/modem hardware, the onus is on the user to ensure that these are up to date.”
A researcher known by the Twitter handle “Headless Zeke” first reported the flaw nearly two years ago to HP's Zero Day Initiative, which in turn reported it to RealTek before disclosing it Friday after RealTek didn't take action.
