Submitted via IRC for Bytram
125 New Flaws Found in Routers and NAS Devices from Popular Brands
Believe me, there are over 100 ways a hacker can ruin your life just by compromising your wireless router—a device that controls the traffic between your local network and the Internet, threatening the security and privacy of a wide range of wireless devices, from computers and phones to IP Cameras, smart TVs and connected appliances.
In its latest study titled "SOHOpelessly Broken 2.0," Independent Security Evaluators (ISE) discovered a total of 125 different security vulnerabilities across 13 small office/home office (SOHO) routers and Network Attached Storage (NAS) devices, likely affecting millions.
"Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries. This research project aimed to uncover and leverage new techniques to circumvent these new security controls in embedded devices," the researchers said.
[...] SOHO routers and NAS devices tested by the researchers are from the following manufacturers:
- Buffalo
- Synology
- TerraMaster
- Zyxel
- Drobo
- ASUS and its subsidiary Asustor
- Seagate
- QNAP
- Lenovo
- Netgear
- Xiaomi
- Zioncom (TOTOLINK)
According to the security researchers, all of these 13 widely-used devices they tested had at least one web application vulnerability that could allow a remote attacker to gain remote shell access or access to the administrative panel of the affected device.
Related Stories
Beginning around June 1, a wave of eCh0raix/QNAPCrypt ransomware attacks has been observed targeting QNAP NAS devices. The vectors used to compromise the devices are exploitation of known vulnerabilities and brute-force attacks on weak passwords.
QNAP has already addressed these vulnerabilities in the following QTS versions:
- QTS 4.4.2.1270 build 20200410 and later
- QTS 4.4.1.1261 build 20200330 and later
- QTS 4.3.6.1263 build 20200330 and later
- QTS 4.3.4.1282 build 20200408 and later
- QTS 4.3.3.1252 build 20200409 and later
- QTS 4.2.6 build 20200421 and later
--- QNAP Advisory: Multiple Vulnerabilities in File Station. (June 5, 2020)
As would be expected, "QNAP strongly recommends updating your QTS to the latest available version for your NAS model."
The ransomware is attributed to the financially motivated Russian cybercrime group 'FullofDeep'. The attackers demand $500 in bitcoin to decrypt the files, which are encrypted with AES in CFB mode.
(Score: 5, Interesting) by Anonymous Coward on Friday September 27 2019, @06:16AM (1 child)
The bigger news here is Netgear losing its CNA (CVE Numbering Authority) status. Most large vendors get to be their own numbering authority because it reduces their risk of a third party discovering the flaw (the actual amount is arguable). However, Netgear bungled their handling of these flaws so badly, they cannot assign CVEs for their own products. Every time someone finds a security issue, they will now deal with someone else for verification to increase the accountability of Netgear. I think this, coupled with how they handle other bugs, should really affect your opinion on the quality of their software and systems.
(Score: 5, Insightful) by Anonymous Coward on Friday September 27 2019, @06:26AM
(Score: -1, Offtopic) by Anonymous Coward on Friday September 27 2019, @07:18AM
(Score: 4, Interesting) by Snospar on Friday September 27 2019, @07:54AM (3 children)
I read the article (I know, I know) to see what the issues with the Synology kit were and they list the device in a table with no ticks against any of the vulnerabilities. They're also using an old version of the system software. Not very helpful or useful but I'm sure plenty of Synology owners will click through just like me.
Huge thanks to all the Soylent volunteers without whom this community (and this post) would not be possible.
(Score: 3, Interesting) by zocalo on Friday September 27 2019, @09:10AM (2 children)
UNIX? They're not even circumcised! Savages!
(Score: 5, Insightful) by https on Friday September 27 2019, @07:41PM (1 child)
Did you miss the part in the article in which they explicitly said that they had addressed this?
Did you also miss the chart showing that they were not able to get past the protections of the Synology DS218j? Not even so much as a buffer overflow?
Offended and laughing about it.
(Score: 3, Touché) by zocalo on Saturday September 28 2019, @08:52AM
UNIX? They're not even circumcised! Savages!
(Score: 0) by Anonymous Coward on Friday September 27 2019, @07:56AM
So, Windows Routers? Microsoft never really got used to the idea of there being more than one personal computer.
(Score: 1, Informative) by Anonymous Coward on Friday September 27 2019, @08:16AM (6 children)
TFA:
(Score: 0) by Anonymous Coward on Friday September 27 2019, @09:35AM
https://www.youtube.com/watch?v=D4OtxqTD32Y [youtube.com]
(Score: 2) by HiThere on Friday September 27 2019, @08:19PM (4 children)
I could not find that sentence in the article, or anything closely related to it. So I think you are a blatant liar.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by HiThere on Friday September 27 2019, @08:22PM
P.S.: I've got to admit that I didn't follow into the links that the article listed, so it's possible that you are instead referring to some page linked to by the primary article. If so, you should have listed it. But my guess is you're just a liar.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 1) by chair on Friday September 27 2019, @11:24PM (2 children)
(Score: 2) by HiThere on Saturday September 28 2019, @12:25AM (1 child)
Thank you. I *had* heard about that, but the story is dated July 10, 2019, so this isn't the first time it's shown up here, and is almost certainly not one of the "125 new flaws", unless *that* headline is a gross exaggeration.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by Nerdfest on Saturday September 28 2019, @03:00AM
I'd think drive encryption would be part of a standard payload, with these exploits and others generally bundled with it. Old payload, new exploits.
(Score: 3, Interesting) by choose another one on Friday September 27 2019, @09:27AM (1 child)
Even having read TFA and the source paper, I don't get how these are remote access flaws unless you don't have a separate firewall and you open the device admin/web interface to the internet.
Pretty sure (but may check again) that on my current router the device cannot be managed via the WAN port, period (and allegedly this is so even if you turn the built-in firewall off). The only ways to do it are to punch a hole through the firewall for VPN, run a VPN server and then VPN in and access router admin from the local network, OR have a remote-controllable client on the local network - neither of which I have bothered to do.
I know some NAS devices have remote access capabilities, but I wouldn't trust those anyway, and if they are set up by default I'd call that the flaw - even if the web app is "secure" - but router/firewall devices, set up by default for remote access, really (again, that is the real flaw)?
(Score: 3, Informative) by mmlj4 on Friday September 27 2019, @03:26PM
Simple... compromise something on the LAN, or use XSS on a trojaned site, etc. 2-stage attacks are quite effective arrows in any luser's quiver.
Need a Linux consultant [joeykelly.net] in New Orleans?
(Score: 3, Interesting) by Anonymous Coward on Friday September 27 2019, @02:13PM (1 child)
I have an ASUS router, so I checked that section of the article. It seems they've figured out a way to bypass address space layout randomization (ASLR) on the router via the web interface, and claim to make use of this plus a buffer overrun to gain remote code execution on the device. They show a Python snippet that achieves the ASLR bypass. All you need to run that? Why, the admin username and password.
I wonder if the others are the same level of overstated bollocks...
(Score: 0) by Anonymous Coward on Friday September 27 2019, @10:40PM
A couple of those exploits require authentication, but they are still considered security vulnerabilities because they are authorization bypasses that allow command execution that the authenticated user isn't normally allowed to do.
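The class of bug this comment describes, modelled as an added example (not code from ISE's report, the thread, or any vendor): a device web handler that authenticates every caller but enforces the admin role only in the UI, so a low-privilege account can reach a privileged diagnostic endpoint, shown beside a version that enforces the role and an allow-list server-side and, for the earlier point about two-stage attacks launched from a browser on the LAN, rejects requests whose Host header is not the device itself. The user table, the `/cgi-bin/diag.cgi` path and the host list are constructed for illustration; nothing is executed, the "ran:" string only stands in for the command.

```python
"""Constructed model of an authenticated authorization bypass on a SOHO admin UI."""
from dataclasses import dataclass, field

# Constructed session store: username -> role (authentication already succeeded)
USERS = {"admin": "admin", "guest": "user"}
# Hostnames/addresses the device answers on; anything else is a rebinding/CSRF smell
DEVICE_HOSTS = {"192.168.1.1", "router.lan"}
# Diagnostics the admin page legitimately offers
ALLOWED_DIAG = {"ping", "traceroute"}


@dataclass
class Request:
    user: str                       # authenticated user from the session cookie
    path: str
    params: dict = field(default_factory=dict)
    host: str = "192.168.1.1"       # value of the HTTP Host header


def vulnerable_dispatch(req: Request):
    """Common embedded-web-app pattern: login is checked, but the privileged
    handler trusts that only the admin UI links to it and passes 'cmd' through."""
    if req.user not in USERS:
        return 401, "login required"
    if req.path == "/cgi-bin/diag.cgi":
        # No role check, no allow-list: any logged-in user reaches this
        return 200, f"ran: {req.params.get('cmd')}"   # simulated, nothing runs
    return 404, "not found"


def hardened_dispatch(req: Request):
    """Same endpoint with the checks enforced on the server side."""
    if req.host not in DEVICE_HOSTS:
        return 400, "bad host"            # blocks DNS-rebinding style two-stage attacks
    if req.user not in USERS:
        return 401, "login required"
    if req.path == "/cgi-bin/diag.cgi":
        if USERS[req.user] != "admin":
            return 403, "forbidden"       # role enforced per request, not per page
        cmd = req.params.get("cmd")
        if cmd not in ALLOWED_DIAG:
            return 400, "unknown diagnostic"   # allow-list instead of free-form input
        return 200, f"ran: {cmd}"
    return 404, "not found"


if __name__ == "__main__":
    guest = Request("guest", "/cgi-bin/diag.cgi", {"cmd": "reboot"})
    print(vulnerable_dispatch(guest), hardened_dispatch(guest))
```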