Researchers have found that certain Verizon and TP Link routers have severe vulnerabilities that that could lead to remote command injection in the former and a zero-day attack on the latter.
Tenable Research found three vulnerabilities in Verizon’s Fios Quantum Gateway routers, which are supplied to almost every new Verizon Fios customer, while IBM Security researcher Grzegorz Wypych found a zero-day flaw in the TP Link WR-940.
In both cases the companies were informed and patches were issued, but users must ensure the devices have been updated to be safe.
The Verizon issue centres on the administrator password. This is used for the customer to log in to the router to perform the various tasks that define the network, and is not the password mobile devices use to log into the WiFi network.
Vulnerability CVE-2019-3914 is an authenticated remote command injection scenario that can be triggered, Tenable said, by adding a firewall access rule for the network object. However, attackers need to be authenticated to the device’s administrative web application in order to perform the command injection. This generally means they must have local network access, but there are cases where the attack can be pulled off over the internet.
CVE-2019-3915 can allow login replay. Essentially, HTTPS is not enforced in the web admin interface so an attacker residing on the local network can intercept login requests using a packet sniffer and then replay them, giving the malicious actor admin access. This can then be used to exploit CVE-2019-3914.
The last issue, CVE-2019-3916, is a password salt disclosure. The enabling factor here is the fact that the firmware does not enforce the use of HTTPS, just like the previous vulnerability. In this case. the attacker can sniff the login request, which contains a salted password hash (SHA-512), allowing the attacker to perform an offline dictionary attack to recover the original password.
The zero day found in the TP Link WR-940 is a buffer overflow vulnerability that could allow an authenticated user to take control of the router. Tenable found that the security in place on the router’s interface cannot actually protect the device, and by going through series of steps it was possible to push too much data through the router, causing the issue.
Despite the important role routers play, most are not well protected and thus vulnerable, IBM noted. Part of this is due to how they are manufactured, poor patch maintenance, and because the same routers are issued to millions of customers, making them targets for hackers.
"Most manufacturers outsource firmware that gets developed with costs in mind. It is rarely elaborate and, judging by the amount of router vulnerabilities out there, also rarely tested or secure. Making matters worse is the patch and update process: When was the last time you got a message prompting you to update your router’s firmware?" asked IBM’s report, adding, "likely almost never."
This means even routers that can be make secure aren’t because the user is kept in the dark.
Routers have taken a beating in the last several weeks, with vulnerabilities being found various Cisco and the TP Link TP-SR20 devices.
This article was originally published on SC Media US.