Broken security - SOHO routers found to have multiple flaws

News by Rene Millman

Security researchers have found over 100 flaws in small office/home office (SOHO) routers and network-attached storage devices (NAS).

Around 125 vulnerabilities were discovered in router and network storage equipment from Netgear, Zyxel, Buffalo, and Seagate, among others.

The researchers, from Independent Security Evaluators (ISE), looked at 13 devices, ranging from consumer routers to NAS appliances.

All 13 of the devices the researchers tested had at least one web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi) that could be leveraged by an attacker to get remote access to the device’s shell or gain access to the device’s administrative panel.

"We obtained root shells on 12 of the devices, allowing complete control over the device including six which can be remotely exploited without authentication," said researchers in a report.

The first device researchers looked at was the Buffalo TeraStation TS5600D1206, an enterprise-grade NAS that features a web application where users manage the services running on their device.

"The TeraStation’s web application uses browser cookies as part of their authentication workflow and a JSON-RPC API available at the /nasapi endpoint to interact with the device," said researchers. "Whenever the user issues a request to an API endpoint, the backend verifies that the request contains a cookie that has been associated with a valid user and then verifies the user’s authorisation."

In the ASUS RT-AC3200 SOHO router, which runs ASUS's ASUSWRT firmware, the researchers found a C macro that writes formatted data to a FILE pointer using fprintf(); in this case the FILE pointer is the HTTP connection to the client.

"This introduces the possibility for an uncontrolled format string vulnerability. C’s formatted print functions use specifiers such as %s to indicate a string, %d for integers, and so on. An interesting specifier is %x, which can be used to read bytes in hexadecimal format from the stack," said researchers. "We used this format string vulnerability to bypass ASUSWRT’s address space layout randomisation (ASLR)."
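To make the fprintf() hazard concrete, the following is an added example (not ISE's code and not the ASUSWRT source): a hypothetical stand-in for the unsafe macro beside its hardened form, plus a small audit helper that counts conversion specifications in text that should be literal. The macro names, the helper functions, and the sample input are all assumptions constructed for this illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for open_memstream() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Defective pattern (hypothetical stand-in for the macro described above):
 * caller-controlled text becomes the format string, so a "%x" in it makes
 * fprintf() emit the next stack word instead of the literal characters.
 * Defined only for contrast; it is never expanded in this example. */
#define HTTP_PUTS_UNSAFE(fp, text) fprintf((fp), (text))

/* Hardened pattern: the format string is a compile-time literal and the
 * caller's text is consumed as a "%s" argument, so '%' in it is inert. */
#define HTTP_PUTS_SAFE(fp, text) fprintf((fp), "%s", (text))

/* Audit helper: count conversion specifications in a string that is meant
 * to be literal output. "%%" is an escaped percent sign, not a conversion. */
int count_format_specifiers(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Send `text` through the hardened macro into an in-memory FILE (standing
 * in for the HTTP connection) and report whether it arrived byte-for-byte. */
int renders_verbatim(const char *text)
{
    char *buf = NULL;
    size_t len = 0;
    FILE *fp = open_memstream(&buf, &len);
    if (!fp) return 0;
    HTTP_PUTS_SAFE(fp, text);
    fclose(fp);                      /* flushes and finalises buf/len */
    int same = buf && strcmp(buf, text) == 0;
    free(buf);
    return same;
}

int main(void)
{
    const char *untrusted = "host=%x.%x.%x.%x";   /* constructed input */
    printf("conversions in input: %d\n", count_format_specifiers(untrusted));
    printf("hardened write verbatim: %s\n", renders_verbatim(untrusted) ? "yes" : "no");
    return 0;
}
```

Compiling with -Wformat-security flags every expansion of a pattern like HTTP_PUTS_UNSAFE, which is a cheap way to find this class of defect in a firmware tree.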

The researchers disclosed all of the vulnerabilities they identified to device manufacturers. Most took steps to mitigate the flaws. However, they had no luck with Drobo, Buffalo Americas, or Zioncom Holdings.

"We have yet to receive any new communication from Buffalo Americas Inc. and Zioncom Holdings Ltd. as of the date we published this paper," researchers said. "We were able to get in contact with Drobo Inc.; however, we did not receive any other communications after we re-sent them our findings."

Matt Aldridge, senior solutions architect at Webroot, told SC Media UK that security needs to be top of mind when designing and building these devices and the software that runs on them.

"Disabling unnecessary services and ensuring secure authentication is in place out of the box are two fundamental things that should always be done, along with preventing or discouraging users from implementing risky configurations," he said.

Jake Moore, cyber-security specialist at ESET, told SC Media UK that if your employees are working from home, the devices the company provides them with, such as laptops and smartphones, will most likely be the most secure.

"But their home routers can’t be monitored, nor are they supplied by or even known about by the company. This is where a huge vulnerability lies," he said.

"To stay most secure it’s imperative to update all internet-connected devices as soon as patches and updates are released. Default device passwords are notoriously weak (although this is slowly changing) so make sure passwords are in place and are all unique and complex. VPN connections should, of course, be on by default, but many smaller companies I’ve seen don’t always comply with this rule because they do not have the luxury of an IT or cyber-security manager."
