According to an advisory by SEC Consult, the authentication-bypass flaw was discovered last September but could only be disclosed in the last few days. US-CERT put out a note late last week.
The flaw affects hundreds of thousands of routers made by several companies, including Zyxel and Huawei. According to Stefan Viehböck, a researcher with SEC Consult Vulnerability Lab, the vulnerability allows an attacker to change the password of the admin user. A vulnerability located in a file called “commit2.cgi” could allow a hacker to set arbitrary configuration values without prior authentication.
“An attacker can gain access to the device, access the network behind it and launch further attacks, add devices into a Mirai-like botnet or just simply spy on users,” he said.
Viehböck said that during auditing operations, he also discovered several Unix-style password hashes hardcoded in the firmware of some routers. The researcher said that both the vulnerability and the backdoor accounts were due to an SDK developed by Taiwanese hardware company MediaTek.
The researcher said that CERT/CC contacted MediaTek regarding the vulnerability. It responded that its SDK code is not vulnerable and stated that it suspects that ZyXEL likely added the vulnerable code.
More investigation led to the conclusion that while MediaTek manufactures a SoC for WiMAX products and provides an SDK with sample web interface code to vendors, ZyXEL and its sister company MitraStar develop firmware based on the MediaTek SDK, introducing the "commit2.cgi vulnerability" and the "OEM backdoors".
ZyXEL sells the products to ISPs, while MitraStar works as an OEM for GreenPacket, Huawei, and ZTE, who also sell the products to ISPs. ISPs then sell or lease the devices to their subscribers as customer premises equipment (CPE).
In an advisory, Zyxel warned users of its products to disable WAN device management functions.
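A defender-side check that follows from the two points above (commit2.cgi accepting configuration changes without authentication, and the vendor advice to disable WAN management). This is an added example, not code from the article, SEC Consult or Zyxel; it assumes the device or an upstream proxy writes Common Log Format access logs, that the script lives at /cgi-bin/commit2.cgi (the article names only the file), and that RFC 1918 addresses are the LAN side. The log lines are constructed.

```python
import ipaddress
import re

# Constructed sample access-log lines (Common Log Format); not real device logs.
SAMPLE_LOG = """\
192.168.1.10 - - [10/Apr/2017:09:12:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512
203.0.113.45 - - [10/Apr/2017:09:12:07 +0000] "POST /cgi-bin/commit2.cgi HTTP/1.1" 200 128
192.168.1.10 - - [10/Apr/2017:09:13:30 +0000] "POST /cgi-bin/commit2.cgi HTTP/1.1" 200 128
198.51.100.7 - - [10/Apr/2017:09:14:02 +0000] "GET /cgi-bin/commit2.cgi?dummy=1 HTTP/1.1" 200 64
"""

# Assumption: the LAN side of the CPE uses RFC 1918 space (plus loopback).
# Anything else is treated as WAN-originated management traffic.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Path is an assumption; the article only names the file commit2.cgi.
SENSITIVE_SCRIPT = "/commit2.cgi"

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_wan_source(ip_str):
    """True when the client address is outside the trusted LAN ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True  # unparseable source: treat as untrusted
    return not any(ip in net for net in LAN_NETS)


def find_suspicious(log_text):
    """Flag every request to commit2.cgi (any method) that came from the WAN side."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop query string before matching
        if path.endswith(SENSITIVE_SCRIPT) and is_wan_source(rec["src"]):
            hits.append((rec["src"], rec["method"], rec["ts"]))
    return hits


if __name__ == "__main__":
    for src, method, ts in find_suspicious(SAMPLE_LOG):
        print(f"WAN-side commit2.cgi access: {method} from {src} at {ts}")
```

LAN-originated hits are deliberately not flagged here, since commit2.cgi is also what the legitimate web UI calls; a WAN-side hit is the signal that management was reachable where the advisory says it should be disabled.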
Viehböck said that it's unlikely that any of the affected devices will receive updates, “so the only solution is to replace them”.
Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that affected organisations could potentially be infiltrated by attackers that take remote control over affected routers. “From that point on, the attacker can start moving laterally and probe the company's network for other vulnerable devices, caches of data, or even reroute employees to various malicious websites and services. So, it's not only a matter of having traffic rerouted, but there's also the risk of a serious data breach coordinated from a remote router compromise,” he said.
Javvad Malik, security advocate at AlienVault, told SC Media UK that whenever there is an accessible vulnerability, it is almost certain that hackers will exploit it. Attackers could add this to a DDoS attack, use it to directly attack the organisation that is using the device, or simply save it for future use.
“Mitigations are usually not as straightforward with IoT devices that have convoluted supply chains whereby the hardware, firmware, and software could all be acquired from different sources. Meaning that patching is usually difficult or non-existent,” he said.
Pascal Geenens, security evangelist for Radware in Europe, said that vulnerabilities and backdoors found in modems/routers are far more worrying than IP camera or DVR vulnerabilities.
“The number of publicly exposed internet connected modems and routers is much larger than the number of other classes of IoT devices based on embedded Linux,” he said.
He added that the risk of this vulnerability is very much comparable to the NewNTPServer field remote command execution vulnerability in the TR-064 CPE WAN Management Protocol. The latter was used by a hacker in a modified version of Mirai to attack DT, TalkTalk and Post Office UK in November last year.
“The impact for DT was 900,000 consumer routers that lost internet connection. The attack is to be considered a failure, as the real objective of the attack was to infect the routers with Mirai and create a gigantic botnet that can be used to perform DDoS attacks,” he said.