Small office/home office (SOHO) routers and small-scale industrial routers are fairly common targets for bad actors because these devices are in nearly every home and small business. Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance. However, they are also often deployed without a sophisticated security team in place to mitigate vulnerabilities. These routers are usually connected to the internet directly, and all local network traffic passes through them.
In 2018, Talos uncovered and published an article about the VPNFilter malware aimed at SOHO network equipment. This malware had the ability to completely compromise or wipe a targeted device. Since then, numerous reports of sophisticated actors targeting SOHO routers have come to light: Talos recently released a blog post discussing our concern about an increase in state-sponsored campaigns targeting network infrastructure. Microsoft discussed state-sponsored actors using SOHO routers to obfuscate their operations at CyberWarCon 2022. Lumen also recently highlighted that criminal actors are targeting SOHO routers to support their operations.
The Talos Vulnerability Discovery and Research Team – our world-class team of researchers who work with third-party vendors to disclose and patch vulnerabilities in a variety of software and hardware – made SOHO and industrial routers a major priority after VPNFilter. By helping vendors mitigate the vulnerabilities on these devices, we make life harder for malicious actors.
Since VPNFilter, Talos has investigated 13 SOHO and industrial routers from various vendors. As a direct result of this research, Talos has reported 289 CVEs to vendors, published across 141 Talos reports. These reports resulted in appropriate Snort network intrusion detection coverage and several security fixes from each vendor. These fixes help customers who deploy Cisco Secure solutions and improve the security posture of anyone using these devices once the vulnerabilities are patched.
In this blog post, we provide a summary of the vulnerabilities we discovered in these devices, specifically focusing on vulnerabilities adversaries were most likely to exploit, or ones that could be chained together to gain an elevated level of access to the device or network. This is by no means the end of our research into SOHO or industrial routers. We plan to continue investigating these types of devices to better protect our customers and the community as a whole.
Research conducted by Lilith Wyatt.
Our researchers chose to examine the ASUS RT-AX82-U because it is a very popular router and it shares a codebase with a plethora of other ASUS routers. Over the course of the research, Talos submitted three unique reports to ASUS, resulting in three CVEs. The ASUS RT-AX82-U contains a large amount of open-source code in the form of the asus-merlin-ng firmware. During this research, this section of code was avoided in favor of device- and feature-specific codebases within the device, including smart home integrations and the AiMesh functionality. The smart home integration features are designed for integration with Amazon Alexa or the "If This, Then That" (IFTTT) automation framework to provide more easily accessible functionality or automation. The AiMesh feature is a mesh networking solution designed to allow for multiple routers to work together to provide Wi-Fi connectivity over a larger area from a single network connection point. These features are enabled by default in the stock configuration of the device. This means that, without explicit effort by a user to disable these features, all ASUS RT-AX82-U devices could be targets.
TALOS-2022-1586: This vulnerability existed in the smart home integration features of the router. If a user ever generates a token to use with IFTTT, an authentication token is generated to allow functionality to be leveraged on the router. This token can be easily brute-forced, as there are only 255 possible combinations, and the validity is measured based on when the token was generated and the device's uptime. This means if the router is rebooted, this vulnerability is exploitable up until the time (in seconds from reboot) the token was originally created, instead of the intended two-minute timeout. Leveraging this vulnerability allows an attacker to gain administrative privileges on the router as if they were properly authenticated.
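As an added illustration in C (not ASUS's code and not taken from the advisory), the check below models the reboot problem described above: the flawed version computes the token's age from uptime alone, so after a reboot a negative age passes the two-minute test, while the hardened version binds the token to a boot identifier, refuses a negative age and compares token bytes in constant time. The boot-id and uptime values are assumed inputs supplied by the caller.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define TOKEN_TTL_SECONDS 120   /* the intended two-minute window */

/* Flawed check, modelled on the behaviour described for TALOS-2022-1586 (not vendor code):
   age is computed from uptime alone. After a reboot uptime restarts at zero, so the age is
   negative and the token is accepted until uptime again passes the original creation time. */
bool flawed_token_fresh(int64_t created_uptime, int64_t now_uptime)
{
    return (now_uptime - created_uptime) < TOKEN_TTL_SECONDS;
}

/* Hardened check: the token records the boot session it was issued in (for example a random
   nonce generated at boot), so a reboot invalidates it, and a negative age is never trusted.
   The boot-id values are assumed inputs provided by the caller. */
bool hardened_token_fresh(uint64_t created_boot_id, int64_t created_uptime,
                          uint64_t now_boot_id, int64_t now_uptime)
{
    if (created_boot_id != now_boot_id)
        return false;                     /* issued before the last reboot */
    if (now_uptime < created_uptime)
        return false;                     /* clock went backwards: refuse */
    return (now_uptime - created_uptime) < TOKEN_TTL_SECONDS;
}

/* Constant-time comparison: an early-exit byte compare leaks how much of a guess matched.
   This only helps once the token is long enough that guessing is infeasible (e.g. 32 random
   bytes); a 255-value token space needs a longer token, not a better comparison. */
bool token_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}
```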
TALOS-2022-1590: This vulnerability existed in the AiMesh functionality of the router. By utilizing pre-authentication control messages, an improperly sized read can be used to leak information that can be decrypted locally based on known plaintext. This is possible because the provided length of a user-supplied AES key, which needs to be a set size based on the AES variant used (in this case AES-256), is not checked. By providing a key smaller than the required size, extra information can be returned to the user.
TALOS-2022-1592: This vulnerability existed in the AiMesh functionality of the router. By utilizing pre-authentication diagnostic messages, an improperly sized packet can lead to a denial of service. This is possible due to the lack of length validation on packets ingested, which leads to an integer underflow. This integer underflow is then utilized in a read loop that ends in accessing unmapped memory, causing a crash.
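As an added example (not ASUS's code; the wire layout is constructed for illustration and is not the real AiMesh format), this C parser shows the two checks whose absence the two reports above describe: a minimum-length check before any subtraction, so a short packet cannot underflow the computed remaining length, and an exact 32-byte key-length check for AES-256, so a short key cannot pull trailing bytes into the copy. The header layout, field names and limits are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN        4    /* constructed: [0..1] total length (LE), [2] type, [3] key length */
#define AES256_KEY_LEN 32
#define MAX_PAYLOAD    256

typedef struct {
    uint8_t msg_type;
    uint8_t key[AES256_KEY_LEN];
    uint8_t payload[MAX_PAYLOAD];
    size_t  payload_len;
} mesh_msg_t;

/* Parse a control message. Returns 0 on success or a negative code naming the failed check.
   The layout is constructed for this example; the order and shape of the checks are the point. */
int parse_mesh_msg(const uint8_t *buf, size_t buf_len, mesh_msg_t *out)
{
    /* Check 1: the whole header must be present before any field is read. Computing
       buf_len - HDR_LEN without this test underflows for short packets, and an unsigned
       "remaining" of ~4 billion is what drives a read loop off the end of the buffer. */
    if (buf == NULL || out == NULL || buf_len < HDR_LEN)
        return -1;

    /* Check 2: the length declared inside the packet must match what was actually received;
       a declared length is attacker-controlled and is never used on its own. */
    size_t declared = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (declared != buf_len)
        return -2;

    /* Check 3: an AES-256 key is exactly 32 bytes. Accepting a shorter one and then copying
       a fixed 32 bytes would include whatever follows the key, or stale buffer contents. */
    uint8_t key_len = buf[3];
    if (key_len != AES256_KEY_LEN)
        return -3;

    /* Check 4: key and payload must fit inside the buffer; written so no subtraction can
       go below zero (buf_len >= HDR_LEN is already established). */
    size_t remaining = buf_len - HDR_LEN;
    if (remaining < key_len)
        return -4;
    size_t payload_len = remaining - key_len;
    if (payload_len > MAX_PAYLOAD)
        return -5;

    out->msg_type = buf[2];
    memcpy(out->key, buf + HDR_LEN, AES256_KEY_LEN);
    memcpy(out->payload, buf + HDR_LEN + key_len, payload_len);
    out->payload_len = payload_len;
    return 0;
}

/* Encode a message in the same constructed layout (used to build sample input).
   Returns the total length written, or 0 if it does not fit. */
size_t build_mesh_msg(uint8_t *buf, size_t cap, uint8_t type,
                      const uint8_t *key, uint8_t key_len,
                      const uint8_t *payload, size_t payload_len)
{
    size_t total = HDR_LEN + key_len + payload_len;
    if (total > cap || total > 0xFFFF)
        return 0;
    buf[0] = (uint8_t)(total & 0xFF);
    buf[1] = (uint8_t)((total >> 8) & 0xFF);
    buf[2] = type;
    buf[3] = key_len;
    memcpy(buf + HDR_LEN, key, key_len);
    memcpy(buf + HDR_LEN + key_len, payload, payload_len);
    return total;
}
```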
The primary issue in the Asus RT-AX82-U came from the inclusion of services that do not necessarily need to be activated by default. The smart home integration service should be disabled by default, as it is by no means required for the operation of the router and likely is not utilized in most scenarios. The AiMesh service could be disabled by default and only enabled if a user wants to utilize a mesh network. While disabling this functionality would not have removed the vulnerabilities from the device, it would significantly reduce the attack surface as well as reduce the number of deployments that had devices in vulnerable states.
Research conducted by Dave McDaniel.
The D-Link DIR-3040 is another popular device and was an interesting subject for our researchers because of the mesh communications used between nodes to provide improved Wi-Fi coverage wherever the device is deployed. Over the course of the research, Talos submitted six unique reports to D-Link, resulting in six CVEs. The research targeting the D-Link DIR-3040 focused on all aspects of the device in its stock configuration. This included the web services – including hidden diagnostic services – and the Wi-Fi mesh networking implementation, as well as other general security issues. The Wi-Fi mesh networking implementation allows multiple routers to connect together to provide increased network coverage.
TALOS-2021-1284: This vulnerability was a combination of web server functionality and an issue within hidden functionality. By visiting a hidden URL of the router, an attacker could activate a hidden telnet console used for diagnostics. Within this diagnostics menu, multiple commands within the restricted shell lacked proper input sanitization and, as such, allowed arbitrary command injection.
TALOS-2021-1361: Talos discovered this vulnerability within the Wi-Fi mesh networking service enabled by default on the device. By utilizing hard-coded credentials, an attacker could connect to the MQTT server. Once connected, an attacker could query information about the mesh. This information was encrypted but could be decrypted utilizing the MAC address of the base router, which was found in the same message. Once decrypted, the root password for the primary router could be recovered.
TALOS-2021-1281: Talos discovered this vulnerability within the Zebra network management service which was enabled by default on the router. By utilizing hard-coded credentials for this service, an attacker could access diagnostic tooling for the router. An adversary could change the service login banner to a file to leak sensitive information otherwise inaccessible via this service.
The DIR-3040 web server contains hidden paths to access debugging functionality on the device. There is no reason to hide this functionality, and it is better off as an explicit option that a user has to manually enable. Hard-coded credentials should also never be included in modern devices. Finally, as with the RT-AX82-U, the MQTT server related to mesh communication should not be enabled unless a feature that requires the MQTT server is enabled by a user during setup or other configuration.
Research conducted by Francesco Benvenuto.
Our researchers examined the InHand Network InRouter 302 because three ATM providers claimed to have used this device: Wireless ATM STORE.COM, Wincor Nixdorf and UnionPay. Over the course of the research, Talos submitted 23 unique reports to InHand, resulting in 25 CVEs. The research targeting the InHand Network InRouter 302 focused on all aspects of the device in its stock configuration. This included the web server, API services and general security issues. The web server contained multiple vulnerabilities, including cross-site scripting and common gateway interface (CGI) issues. The console utilities of the InRouter also contained numerous vulnerabilities. During the course of this research, an interesting unescape vulnerability was identified that spanned numerous open-source projects and closed-source products. This vulnerability will be discussed more in-depth in the Siretta router section.
TALOS-2022-1469: The /info.jsp endpoint, which is normally only used by web pages themselves, will effectively _eval_ the parameter sent as a JavaScript command. Because the endpoint is not limited in access, this leads to a cross-site scripting (XSS) vulnerability.
TALOS-2022-1476: The _factory_ command is a command that only the most-privileged user could execute. By utilizing this command, an attacker could use this (presumed) debug functionality to overflow the stack buffer used to hold the user data while it was being parsed. This vulnerability could lead to arbitrary code execution.
These three vulnerabilities would allow an attacker to obtain root access to the device starting with a single click. TALOS-2022-1469 is an XSS vulnerability that could allow an attacker to exfiltrate the session cookie of a logged-in user. If the session cookie belonged to a low-privileged user, an attacker could chain TALOS-2022-1472 to update the router's configuration, enabling them to change privileged user credentials, resulting in privilege escalation. An attacker, at this point, would have the most elevated permitted credentials, but no root access. However, by exploiting TALOS-2022-1476, an attacker would be able to obtain, through a stack-based buffer overflow, remote command execution.
We wrote an extensive blog post that discusses, in-depth, how an attacker could chain the vulnerabilities discovered to obtain remote command execution in the InHand Network InRouter 302 with a one-click attack.
Research conducted by a researcher within Cisco Talos.
The Linksys E Series devices were directly affected by the VPNFilter campaign. The E1200 and E2500 are two SOHO routers offered by various vendors over the years, most recently Linksys. The devices target low-budget installations, providing four Ethernet ports for additional device connections. The E Series provides a web-based management console to allow owners to make administrative changes to the system configuration. This web console also provided the main attack surface during our analysis of the device.
Configuration values, such as machine_name or wan_domain, are retrieved from NVRAM and subsequently used directly in a command passed to system().
Research conducted by Francesco Benvenuto.
The Milesight UR32L is an industrial router that offers a good tradeoff between price and functionalities. The vendor also provides software for a remote access solution called MilesightVPN which, theoretically, allows the UR32L to be less exposed, thus making it more difficult for an attacker to target it. Over the course of the UR32L research, Talos submitted 17 unique reports to Milesight, resulting in 63 CVEs. Talos researchers also sent Milesight five unique reports for the VPN solution, resulting in six CVEs. This research focused mainly on two components: its HTTP server with its related components and the router console shell. Our analysis also considered the attack scenario in which the user is using Milesight's MilesightVPN, so as to investigate a more complete attack scenario.
The vendor provides MilesightVPN software, a remote access solution. The underlying idea is that by using this software, Milesight's UR32L would not need to be exposed to the internet, thus reducing the attack surface and making it more difficult for an attacker to target it. During our research, we took into consideration this scenario and demonstrated that unfortunately, an attacker can use TALOS-2023-1701 to attack the remote access solution software and then execute arbitrary code inside the UR32L by using TALOS-2023-1697.
Research conducted by Dave McDaniel.
The Netgear Orbi RBR750/RBS750 was chosen due to its popularity and reputation for quality. This device is widely adopted as a high-end SOHO router choice and also utilizes a mesh network to connect satellites. Over the course of the research, Talos submitted four unique reports to Netgear, resulting in four CVEs. This research of the Netgear Orbi Router RBR750 focused on multiple services across the devices, such as the management web server and services provided by the device on the local network. The network services included hidden functionality that could be activated using a special network packet. The Orbi utilizes the open-source OpenWrt ubus code base for communication between the satellites and primary router, but also includes hidden additional functionality on top of this library.
The Netgear Orbi mainly suffered from a lack of user input sanitization and the presence of hidden services. User input should be sanitized server-side using well-tested libraries instead of one-off solutions, or worse, client-side solutions. Providing a telnet service is not inherently bad, but hiding the activation from a user does not seem to provide value. Including hidden ways of activating the telnet server makes it more difficult for a user to know how to minimize their risk.
Research conducted by Francesco Benvenuto.
The Robustel R1510 was chosen due to the physical danger vulnerabilities could present. This router is used in physical systems such as elevators, and Robustel partners with many wide-reaching industrial control system vendors such as Vodafone, Bosch, Siemens, Emerson and Schneider Electric. Over the course of the research, Talos submitted 10 unique reports to Robustel, resulting in 26 CVEs. Research on the Robustel R1510 was primarily focused on the web server, which manages almost all functionality of the device.
TALOS-2022-1577: This vulnerability was contained within the web server and the functionality directly associated with installing a NodeJS application. While uploading a new NodeJS application, a global variable is set with the provided filename as part of the POST request. Once the file is uploaded to the web server, a second request is required to install the application. Using this request, it was possible for an attacker to trigger a command injection by crafting a maliciously named file. Once the application was installed, the command injection would be triggered. This allowed an attacker to execute arbitrary commands on the device.
TALOS-2022-1576: Talos discovered this vulnerability within the firmware upgrade functionality found within the web server. The R1510 utilized a modified U-Boot header but maintained the presence of the character array used for the firmware name. This field was not validated or escaped before being used directly in the function call system. An attacker could use this to craft a firmware update file that would result in arbitrary command injection during the update process.
TALOS-2022-1578: Talos discovered this vulnerability within the SSH-authorized key uploading feature within the web management interface of the R1510. An authenticated user could change their Linux username on the device. This created a directory path for the SSH keys used in certificate-based authentication. When a user uploaded a new SSH key, their username was used directly, without any validation, to build a directory path that was passed into a _sysprintf_ function call, which would result in a command injection. An attacker could leverage a vulnerability to bypass authentication in the web interface, then continue to leverage this vulnerability to execute arbitrary commands within Linux.
Most of the discovered vulnerabilities in the Robustel R1510 were related to a lack of user input sanitization. Ideally, a common code base would be used for many instances of checks across the device. If there was no specific performance requirement, these checks would occur multiple times throughout the process of uploading files and utilizing previously uploaded files. Using a common library to perform these checks would negate the risk of validation falling out of sync with checks elsewhere in the system.
Research conducted by Carl Hurd.
Talos researchers chose to investigate the Sierra Wireless Airlink because of its deployment flexibility. The AirLink is intended for use in remote locations utilizing a cellular connection for local devices. The AirLink is managed out-of-band from the network provided by the device. Talos submitted 11 unique reports to Sierra Wireless, resulting in 13 CVEs. The research was focused on all aspects of the device, including the web server, custom console binary, SNMP and other exposed services on the device. If an attacker were to compromise this device, it would be possible to leverage the functionality of the device to manipulate traffic on all sides of the network.
TALOS-2018-0751: This vulnerability is contained within the web server ACEManager, which lacked a cross-site request forgery prevention header. These headers allow the server to check that requests are coming from a similar session in a coherent manner, instead of coming from a link of an unrelated browser capitalizing on a pre-authenticated session. This vulnerability allows for the possibility of session hijacking using various methods.
TALOS-2018-0750: This vulnerability existed in the ping_result.cgi binary, which did not properly filter input before reflecting it back to the client. This improper filtering allowed JavaScript to be injected into the response to the client. This could be used to run code on the client's browser, such as making requests on behalf of the user or disclosing confidential tokens. Using this vulnerability in addition to TALOS-2018-0751 allowed for complete session hijacking of an authenticated user.
TALOS-2018-0748: Talos discovered this vulnerability within the file upload capability of templates within the AirLink 450. When uploading template files, a user can specify the name of the file being uploaded. There were no restrictions to protect the files currently on the device and used for normal operation. If a file was uploaded with the same name as a file that already existed in the directory, it inherits the permissions of that file. In this case, multiple CGI files could be overwritten with execute permissions. After replacing the file, an adversary could navigate to the newly uploaded CGI binary, and the code would be executed. By leveraging TALOS-2018-0751 and TALOS-2018-0750, the adversary could hijack an authenticated session of a user after uploading malicious code and executing it on command. This would result in fully unauthenticated remote code execution.
Most of the findings on the Airlink 450 centered around the web server and the basic functionality it provides. The lack of CSRF tokens provided by the web server and the reflected XSS vulnerability allows authenticated requests to be made by hijacking a user's session. A well-developed and tested web server should include CSRF automatically. The XSS can be mitigated by utilizing JavaScript libraries, or sanitization libraries if using CGI binaries, to sanitize user input properly. Finally, file upload functionality should be strictly limited to a folder that only contains user-uploaded files, to avoid permissions issues or file overwrites that could be used maliciously.
Research conducted by Francesco Benvenuto.
The Siretta QUARTZ-GOLD was included in this research because the device is often deployed near critical devices, giving vulnerabilities an increased level of urgency. The device has a 4G/LTE failover mechanism for network uptime, which likely means the router is deployed on critical networks. Over the course of the research, Talos submitted 14 unique reports to Siretta, resulting in 62 CVEs. The research of the Siretta QUARTZ-GOLD explored all aspects of the router that were accessible by default. This included the HTTP server, SNMP server implementation, and various command line interface (CLI) tools. The majority of the router firmware is a fork of FreshTomato, which is an open-source router firmware. By utilizing this firmware, the QUARTZ-GOLD inherits a code reuse vulnerability from the project, as do many other projects that build on the same open-source codebase.
The DELETE_FILE functionality executed an _rm -rf <base_folder>/<M2M_data_entry.data> &_ command through the _system_ function. The M2M_data_entry.data portion of the command was specified in the UDP packet without any parsing or sanitization of the M2M_data_entry.data string. This functionality was vulnerable to command injection. Furthermore, the DELETE_FILE functionality did not require authentication. An unauthenticated attacker could use this vulnerability to achieve arbitrary command execution.
The Siretta QUARTZ-GOLD inherited many of the discovered vulnerabilities from the third-party code base included in the product. FreshTomato includes many features that are prebuilt but could have been disabled if the manufacturer were more familiar with the code they were building from. Much of the debugging functionality provided by FreshTomato is undocumented in the Siretta device and seems unintentionally included. When reusing large code bases, it is important to know what exactly is being included in that code base, and how it can be properly configured for the use-case the developer has in mind.
Research conducted by Claudio Bozzato.
The Synology RT2600ac is a high-end SOHO router that runs on Synology SRM (Synology Router Manager), a Linux-based operating system for all Synology routers. Talos researchers chose to look at this product because of its popularity and reputation for quality. We submitted nine reports to Synology, of which two affect their VPN service (QuickConnect), and one affects a Qualcomm tool used in SRM, eventually leading to the disclosure of 10 CVEs. QuickConnect is Synology's VPN service, which allows for managing routers remotely without requiring the configuration of the router to expose its management port and without having to manage DDNS services to locate the router remotely.
This research has been detailed in a dedicated blog post, which explains how Talos managed to chain some of the reported vulnerabilities to achieve remote code execution without prior authentication in SRM devices via Synology's VPN services, which are publicly accessible.
TALOS-2020-1064: When routers connect to the QuickConnect VPN, they are placed in a dedicated subnet. This report demonstrates that the subnets are, however, not logically split, so it is possible to change the assigned netmask to a larger one, allowing one to talk with any other router connected to the same VPN. The VPNs are accessible by routers upon registration against QuickConnect. But after initial registration, the router is not needed anymore, and the attack can be performed independently of the device. There are several VPNs available that are easily enumerable and seem to be geo-located.
TALOS-2020-1066: This report describes a vulnerability in iptables' rules within the router. SRM defines filtering rules to prevent access only on selected ports from LAN. However, those rules are missing for connections that come from the QuickConnect VPN. This means that any service listening on the device is remotely accessible from the VPN. This can be used together with TALOS-2020-1064 to have unrestricted communication with any network service running in a chosen device from those reachable in the VPN.
TALOS-2020-1065: This report describes a vulnerability in Qualcomm's _lbd_, a service reachable via LAN on ports 7786 and 7787, which can be used without authentication to directly execute shell commands as root, whenever an attacker is on the same LAN as the router. Since this is reachable via LAN, it is also reachable via the VPN. By chaining this vulnerability with the two above, it was possible to execute arbitrary commands as root via the VPN, without prior authentication, on any selected router connected to QuickConnect.
Synology SRM provides a convenient VPN service to solve the remote management issue for SOHO routers running on a dynamic IP address. However, this research has shown that such services can also widen the attack surface. Devices exposed via DDNS normally take more effort to be discovered, usually requiring an internet-wide scan. With QuickConnect, however, all devices are easily discovered as they're all connected to the same VPN, which is publicly accessible and whose geo-located services are easily enumerable.
Research conducted by Carl Hurd.
The TCL Linkhub is one of the newest products sold by TCL and the feature set and price tag could mean a very rapid adoption rate, much like the budget TV market. Over the course of the research, Talos submitted 17 unique reports to TCL, resulting in 42 CVEs. The research on the TCL Linkhub Mesh Wi-Fi system was primarily focused on the API service that is used for all management of the device. The Linkhub does not use a web server to serve a user interface, instead, all interaction with the device is done through a phone application. This phone application interacts with the device through a ProtoBuffer-based API. This service is one of the few ports open by default and thus was the most interesting target for this research.
In the _set_mf_rule_ functionality, a memcpy occurs that determines its length based on user input directly. Attackers could use this functionality to send a mf_rule message that contains fields larger than the statically sized buffers in the device. This vulnerability would lead to a buffer overflow and arbitrary code execution.
In the ucloud_add_node functionality, which is used to add satellites to the router mesh, a MxpManageList message is parsed directly into the system function. An attacker could use a malicious message to execute arbitrary commands using this vulnerability.
The TCL LinkHub has a unique approach to management, which changes the attack surface significantly. Choosing to utilize Protobuffers for serialization is a good decision on the developer's part, as it is a well-tested and maintained library, but once the data is unserialized, much of the input is blindly trusted since it is assumed to come from the management application. All of this data should be treated as user data and more validation should occur once deserialization occurs, prior to use in potentially dangerous functions, such as memcpy.
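The command-injection findings above share one fix, shown here as an added C example (not code from Robustel, Siretta, TCL or Sierra Wireless): a user-supplied name, whether the Robustel application filename or username, the Siretta DELETE_FILE entry or a field from the TCL MxpManageList message, is validated against a strict allow-list, the path is built with a bounded write, and the file operation calls unlink() or open() directly instead of handing a command line to system(). The O_EXCL/0600 creation also blocks the AirLink-style overwrite of an existing executable file. Base directory, name limit and function names are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define DATA_NAME_MAX 64        /* assumed limit for a single file name */
#define DATA_PATH_MAX 256       /* assumed limit for the full path */

/* Allow only [A-Za-z0-9._-] with no leading dot. This rejects '/', "..", dotfiles and every
   shell metacharacter (; & | $ ` quotes, spaces, newlines) in one place, so the name can never
   change the meaning of a path or, should a shell ever be used, of a command line. */
bool data_name_is_safe(const char *name)
{
    size_t n = (name != NULL) ? strlen(name) : 0;
    if (n == 0 || n > DATA_NAME_MAX || name[0] == '.')
        return false;
    for (size_t i = 0; i < n; i++) {
        char c = name[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok)
            return false;
    }
    return true;
}

/* Join base and name with a bounded write; fails if the name is unsafe or does not fit,
   instead of silently truncating or overflowing as sprintf() into a stack buffer would. */
bool build_data_path(const char *base, const char *name, char *out, size_t out_len)
{
    if (!data_name_is_safe(name))
        return false;
    int w = snprintf(out, out_len, "%s/%s", base, name);
    return w > 0 && (size_t)w < out_len;
}

/* Delete without a shell: replaces system("rm -rf <base>/<name> &").
   Returns 0 on success, -1 with errno set (EINVAL for a rejected name). */
int delete_data_file(const char *base, const char *name)
{
    char path[DATA_PATH_MAX];
    if (!build_data_path(base, name, path, sizeof path)) {
        errno = EINVAL;
        return -1;
    }
    return unlink(path);
}

/* Create an uploaded file: O_EXCL refuses to replace anything that already exists (so an
   existing CGI binary cannot be overwritten and keep its permissions) and mode 0600 never
   grants execute. Returns a descriptor, or -1 with errno set. */
int create_upload_file(const char *base, const char *name)
{
    char path[DATA_PATH_MAX];
    if (!build_data_path(base, name, path, sizeof path)) {
        errno = EINVAL;
        return -1;
    }
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}
```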
Research conducted by Jared Rittle and Carl Hurd.
The TP-Link TL-R600VPN became a subject of our research for its direct involvement in the VPNFilter campaign. The TP-Link TL-R600VPN is a five-port SOHO router. This device contains a Realtek RTL8198 integrated system on a chip. This particular chip uses an offshoot of the MIPS-1 architecture developed by Lexra. This device is a fairly run-of-the-mill small router and contains network diagnostic capabilities and basic router functionality that is managed by a web server on the device. This research led to four Talos reports to TP-Link, resulting in four CVEs. For a more in-depth look at the research done on this device, refer to the corresponding blog post.
Most of the findings on the TL-R600VPN centered around the web server and the functionality provided by it. One of the simplest solutions to reduce risk is to integrate a well-tested web server instead of developing one from scratch or including untested code in the product. While some of the vulnerable code was within the web server itself, much of it was also added by the manufacturer for simple additional features, like network diagnostics. It is clear from this research that any added code needs to be reviewed to prevent these issues.
Research conducted by Marcin Noga.
The ZTE MF971R mobile router is one of the newest devices in the ZTE MF mobile router family. At least in Poland, it is a very popular device; its popularity is due to the fact that it is sold, among others, by major GSM providers or even added as a gift to some of their products and services. Over the course of the research, Talos submitted seven reports to ZTE, resulting in seven CVEs. The research on the ZTE MF971R router was primarily focused on the web application/server that is used for all management of the device. We managed to find a set of vulnerabilities in the Web APIs which, chained together, allowed us to create a one-click exploit, giving us full remote access to the device. See our deep dive whitepaper for a more in-depth explanation.
The ZTE MF971R's security suffered for several reasons. Despite visible efforts to reduce access to certain WebAPIs, it was still possible to bypass this mechanism, thus increasing the number of attack vectors. The main web server binary lacked compatibility with basic mitigations such as ASLR (Address Space Layout Randomization) and stack cookies, making the exploitation of existing vulnerabilities trivial. Improving security mechanisms in the aforementioned areas will reduce the number of attack vectors and make exploiting existing vulnerabilities, especially those without any authorization, more difficult or practically impossible.
The previous section talked about the specific routers that we investigated. However, some of these routers also ran specific software that is common for many routers: open-source firmware such as OpenWrt, FreshTomato, AsusWRT or DD-WRT. One router also ran a specific kernel module called KCodes. As this software isn't specific to the vendors we discussed in the router sections, we're grouping the vulnerabilities we found together.
Research conducted by Claudio Bozzato.
OpenWrt is a Linux-based OS, primarily used on embedded devices to route network traffic. It's highly customizable and ships with a set of tools and libraries that have been optimized to run on hardware with limited resources. Due to this, OpenWrt is a common choice among SOHO routers.
The vulnerability lies in wget, so any functionality relying on it would be affected by this information leak when requesting any HTTPS URL, which could allow, in the worst case, an attacker to perform a man-in-the-middle attack and steal any sensitive information present in the request.
Because the HTTPS connection eventually terminates with an error, this issue can easily go unnoticed. As OpenWrt is a platform that is easy to customize and write scripts for, such a vulnerability may affect a large number of users.
Research conducted by Francesco Benvenuto.
FreshTomato is a popular open-source firmware project. It is an actively maintained and modern firmware project that is widely used on multiple SOHO routers. By default, it ships with several functionalities, e.g., SSH, VPN capabilities, Telnet, routing, etc.
Because the FreshTomato project is the base for many routers, any vulnerability found in the software could have wide-ranging consequences. We cannot fully gauge how the firmware is deployed and how much impact these vulnerabilities will have on the deployed router.
Research conducted by Francesco Benvenuto.
Like FreshTomato, Asuswrt, Asuswrt-Merlin New Gen and DD-WRT are the base firmware for several SOHO routers.
After discovering TALOS-2022-1509 in FreshTomato, our researchers found other software vulnerable to the same unescape pattern: TALOS-2022-1511 in Asuswrt and Asuswrt-Merlin New Gen, and TALOS-2022-1510 in DD-WRT.
Research conducted by Dave McDaniel.
Some NETGEAR routers utilize a bespoke kernel module called NetUSB.ko from a Taiwanese company called KCodes. This module is custom-made for each device but contains similar functionality. The module shares USB devices over TCP, allowing clients to use various vendor-made drivers and software to connect to these devices in such a way that the client machine treats the remote device as a local USB device plugged into their computer. The software used for NETGEAR routers is called NETGEAR USB Control Center, and it utilizes a driver called NetUSBUDSTcpBus.sys (on Windows) for communications.
Many other products use NetUSB.ko. A previously disclosed vulnerability in 2015 led researchers to believe a flaw in this very kernel module potentially existed in as many as 92 products across multiple vendors. For this analysis, we utilized the R8000 hardware to test the R8000 version of NetUSB.ko (1.0.2.66) and the R7900 version (1.0.2.69) since both modules are compiled for the same kernel. Specifically, the information disclosed in TALOS-2019-0776 appears to be particularly useful for recovering sensitive memory addresses for payload generation, regardless of the architecture/operating system that uses the kernel module.
SOHO routers are generally valuable targets for adversaries due to their position within the network and wide adoption within common network deployments. Their relatively low cost, wide availability, ease of acquisition and user-friendly management features lead to these products being in many homes, small and home offices, warehouses, coffee shops and many other businesses. They are even deployed as gateways providing remote access to industrial environments.
Vulnerabilities in these routers can provide entry to a huge variety of targets, and the same vulnerability can be used for impact, meaning these routers are high-value targets for malicious actors.
The security posture of these lower-cost routers has improved over the last few years, but in general, security advice for these devices is the same as it has been in the past. Some of the important security tenets for manufacturers are:
Each of the vulnerabilities discovered falls into one of these categories. Code quality is always going to be an additional concern, and the use of safe functions should always be enforced during development. Ideally, use static analysis tooling during development. This may not be financially viable for many products hoping to keep consumer costs low; in that case, lean on compiler warnings and any other methods of ensuring the highest code quality possible.
Simple changes to the development process can mitigate many of the worst effects of these issues. Memory corruption, one of the most glaring vulnerability classes, can be mitigated by using memory-safe languages (e.g., Rust or Go). If safe languages are not an option, vendors should make sure to implement as many mitigations as possible, both compiler-based and OS-based. Examples of these mitigations are non-executable stacks and address space layout randomization (ASLR).
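The ZTE summary above and this paragraph both come down to whether a firmware binary was built with the mitigations at all, and that is something a vendor or a curious owner can verify on an extracted firmware image without running it. The following is an added example, not code from Talos or from any of the vendors discussed: a small checker that reads the raw ELF headers (32- or 64-bit, either endianness, so it works on the MIPS and ARM binaries typical of these routers) and reports PIE (required for ASLR to randomize the executable itself), a non-executable stack, RELRO and, as a heuristic, stack canaries. The `build_sample_elf` helper constructs a minimal, non-runnable ELF image purely as sample input.

```python
"""Report build-time mitigations carried by an ELF binary (added example)."""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header that records stack permissions
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X = 0x1                  # "executable" bit in p_flags
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs. position-independent


def check_elf_mitigations(data: bytes) -> dict:
    """Return which mitigations an ELF image (32/64-bit, LE/BE) carries."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = ">" if data[5] == 2 else "<"       # EI_DATA: 1 = little, 2 = big endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)

    stack_exec = None            # stays None if there is no PT_GNU_STACK header
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:                    # Elf32_Phdr keeps p_flags at offset 24
            p_type, = struct.unpack_from(end + "I", data, off)
            p_flags, = struct.unpack_from(end + "I", data, off + 24)
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True

    return {
        # Only a PIE lets ASLR randomize the executable itself, not just its libraries.
        "pie": e_type == ET_DYN,
        # With no PT_GNU_STACK header most kernels fall back to an executable
        # stack, so a missing header is counted as a failure, not as unknown.
        "nx_stack": stack_exec is False,
        "gnu_stack_header": stack_exec is not None,
        # Heuristic: a canary-protected dynamic binary imports __stack_chk_fail.
        # Absence in a static, stripped binary proves nothing either way.
        "stack_canary": b"__stack_chk_fail" in data,
        "relro": relro,
    }


def build_sample_elf(pie: bool, nx: bool, canary: bool, big_endian: bool = False) -> bytes:
    """Construct a minimal, non-runnable ELF64 image as sample input (not a real binary)."""
    end = ">" if big_endian else "<"
    e_ident = b"\x7fELF" + bytes([2, 2 if big_endian else 1, 1, 0]) + bytes(8)
    ehdr = struct.pack(end + "16sHHIQQQIHHHHHH", e_ident,
                       ET_DYN if pie else ET_EXEC, 0x3E, 1, 0,
                       64, 0, 0, 64, 56, 1, 0, 0, 0)          # one phdr right after the header
    flags = 0x6 if nx else 0x7                                # RW vs. RWX stack
    phdr = struct.pack(end + "IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr + (b"\x00__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:                                     # e.g. an extracted httpd binary
        with open(sys.argv[1], "rb") as f:
            report = check_elf_mitigations(f.read())
    else:                                                     # demo on the constructed sample
        report = check_elf_mitigations(build_sample_elf(pie=False, nx=False, canary=False))
    for name, ok in report.items():
        print(f"{name:18} {'yes' if ok else 'NO'}")
```

Run it against the web server or any other network-facing daemon pulled from a firmware image; a report of `pie NO`, `nx_stack NO` and `stack_canary NO` is exactly the situation the ZTE summary describes, and the toolchain flags that fix it (`-fPIE -pie`, `-fstack-protector-strong`, `-Wl,-z,noexecstack`, `-Wl,-z,relro`) cost nothing at runtime on these devices.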
The next most helpful change involves defining user interaction boundaries. Generic strings are notoriously difficult to parse or apply access controls to. By utilizing a well-defined API boundary, it is easier to validate user requests and input. The boundary also acts as an access control list to prevent a malicious user from executing arbitrary commands or providing input that would result in other unexpected behavior.
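To make the boundary idea concrete, here is an added illustration (not code from any of the routers discussed) contrasting the two designs for a typical "network diagnostics" management endpoint. The loose handler accepts one free-form string and hands it to a shell, so the request itself decides which binary runs; the strict handler accepts only a named action with typed parameters, validates each one, checks the caller's role against the action, and builds the argv list itself. The actions, roles, parameter validators and binary paths are assumptions made for the example, and neither handler executes anything: both return the argv they would run so the difference can be inspected safely.

```python
"""Free-form command string vs. a well-defined API boundary (added example)."""
import ipaddress
import re

# RFC 1123 host name: labels of letters, digits and hyphens, never starting with "-"
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


class ValidationError(ValueError):
    """Request shape or parameter value is not what the API defines."""


def loose_diag_handler(request: dict) -> list:
    """The pattern behind most command-injection findings: a generic string
    reaches the shell unchanged, so access control can only be applied to
    'the endpoint', never to what it actually does."""
    return ["/bin/sh", "-c", request.get("cmd", "")]


def _host(value) -> str:
    """Accept an IP literal or a host name; anything else is rejected."""
    if not isinstance(value, str):
        raise ValidationError("host must be a string")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValidationError("host is neither an IP address nor a host name")


def _count(value) -> int:
    """Small positive integer; bool is excluded because it subclasses int."""
    if not isinstance(value, int) or isinstance(value, bool) or not 1 <= value <= 10:
        raise ValidationError("count must be an integer between 1 and 10")
    return value


# The API boundary: every action names its binary, its typed parameters and
# the roles allowed to call it. Nothing outside this table can be invoked.
ACTIONS = {
    "ping": {"argv": ["/bin/ping", "-c", "{count}", "{host}"],
             "params": {"host": _host, "count": _count},
             "roles": {"admin", "user"}},
    "traceroute": {"argv": ["/usr/bin/traceroute", "{host}"],
                   "params": {"host": _host},
                   "roles": {"admin"}},
}


def strict_diag_handler(request: dict, role: str) -> list:
    """Validate a structured request and return the argv that would run."""
    action = ACTIONS.get(request.get("action"))
    if action is None:
        raise ValidationError("unknown action")
    if role not in action["roles"]:              # the table doubles as the ACL
        raise PermissionError(f"role {role!r} may not call {request['action']!r}")
    params = request.get("params", {})
    unexpected = set(params) - set(action["params"])
    if unexpected:                               # unknown fields are an error, not ignored
        raise ValidationError(f"unexpected parameters: {sorted(unexpected)}")
    clean = {}
    for name, validate in action["params"].items():
        if name not in params:
            raise ValidationError(f"missing parameter: {name}")
        clean[name] = validate(params[name])
    # argv is assembled from validated values only; no shell is ever involved,
    # and the validators guarantee no value can start with "-".
    return [piece.format(**clean) for piece in action["argv"]]


def classify(request: dict, role: str) -> str:
    """Outcome of the strict handler as a label: 'ok', 'rejected' or 'forbidden'."""
    try:
        strict_diag_handler(request, role)
        return "ok"
    except ValidationError:
        return "rejected"
    except PermissionError:
        return "forbidden"


if __name__ == "__main__":
    print(loose_diag_handler({"cmd": "ping -c 3 192.0.2.1; reboot"}))
    print(strict_diag_handler({"action": "ping", "params": {"host": "192.0.2.1", "count": 3}}, "user"))
    print(classify({"action": "ping", "params": {"host": "192.0.2.1; reboot", "count": 3}}, "user"))
```

The same input that the loose handler forwards verbatim is rejected by the strict one at the `host` validator, and a `user` asking for `traceroute` is refused before any parameter is even looked at. The real payoff is that the ACL and the validation live in one table that can be reviewed and tested, which is what "well-defined API boundary" means in practice.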
The most important security step a user of these devices can take is to assess each service present on the device. Verify that each running service is required for the day-to-day operation of the device, and disable all extraneous services. Services that cannot be disabled should be restricted to the absolute minimum of access or completely blocked using alternative methods, such as firewall rules. During the acquisition process, if possible, basic research should be done to ensure the devices have sane, secure defaults enabled, such as the use of encrypted protocols for remote access and administration, if applicable. Start your assessment by reading the router's user manual thoroughly, even before purchase. The quality of the details concerning device features in a user manual is often indicative of the overall product quality.
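The service assessment described above can be turned into a repeatable check. The following is an added example, not part of the blog post: it parses the listening-socket table as BusyBox `netstat -lntu` prints it on most of these routers, compares each listener with an explicit allow-list, flags management protocols that carry credentials in the clear (the "encrypted protocols for remote access and administration" point), and rates each finding by whether the socket is bound to every interface, to a LAN address, or only to loopback. The sample `netstat` output, the allow-list and the cleartext-protocol table are constructed assumptions to be adapted per device.

```python
"""Audit a router's listening services against an allow-list (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in BusyBox `netstat -lntu` format; not from a real device.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:1900            0.0.0.0:*
udp        0      0 127.0.0.1:161           0.0.0.0:*
"""

# Assumed policy: the services the owner decided the device must keep.
ALLOWED = {("tcp", 22), ("tcp", 443), ("udp", 53)}

# Management/remote-access protocols that send credentials unencrypted.
CLEARTEXT = {("tcp", 23): "telnet", ("tcp", 80): "http",
             ("tcp", 21): "ftp", ("udp", 161): "snmp"}

WILDCARDS = {"0.0.0.0", "::", "*"}          # bound to every interface, WAN included


@dataclass
class Listener:
    proto: str
    addr: str
    port: int


@dataclass
class Finding:
    listener: Listener
    category: str      # "cleartext", "extraneous" or "exposed"
    severity: str      # "high", "medium", "low" or "info"
    advice: str


def parse_netstat(text: str) -> List[Listener]:
    """Extract (proto, address, port) from BusyBox netstat output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue                                  # banner and header lines
        addr, _, port = fields[3].rpartition(":")     # rpartition copes with ":::8080"
        listeners.append(Listener(fields[0].rstrip("6"), addr, int(port)))
    return listeners


def audit(listeners: List[Listener]) -> List[Finding]:
    """Rate every listener that is cleartext, not allowed, or needlessly exposed."""
    findings = []
    for l in listeners:
        key = (l.proto, l.port)
        exposed = l.addr in WILDCARDS
        local_only = l.addr.startswith("127.") or l.addr == "::1"
        severity = "high" if exposed else ("low" if local_only else "medium")
        if key in CLEARTEXT:
            findings.append(Finding(l, "cleartext", severity,
                f"{CLEARTEXT[key]} carries credentials unencrypted; disable it or use the encrypted equivalent"))
        elif key not in ALLOWED:
            findings.append(Finding(l, "extraneous", severity,
                "not on the allow-list; disable it, or block it with a firewall rule if it cannot be disabled"))
        elif exposed:
            findings.append(Finding(l, "exposed", "info",
                "allowed, but bound to every interface; confirm the WAN firewall drops it"))
    return findings


def summarize(text: str) -> Dict[Tuple[str, int], Tuple[str, str]]:
    """Map (proto, port) -> (category, severity) for everything worth acting on."""
    return {(f.listener.proto, f.listener.port): (f.category, f.severity)
            for f in audit(parse_netstat(text))}


if __name__ == "__main__":
    for f in audit(parse_netstat(SAMPLE_NETSTAT)):
        l = f.listener
        print(f"[{f.severity:6}] {l.proto}/{l.port:<5} on {l.addr:12} {f.category}: {f.advice}")
```

On a real device, feed it the output of `netstat -lntu` taken over SSH or the serial console; anything it lists as `extraneous` or `cleartext` on a wildcard address is a service that should be disabled or firewalled before the router goes into production, and the allow-list should be kept with the device's documentation so the check can be rerun after every firmware update.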
While the security posture of SOHO routers has generally improved, many could benefit from low-cost mitigations that would drastically improve their security posture. Over the past few years, Talos has published 141 advisories covering 289 CVEs within 13 SOHO and industrial routers and six common frameworks. Talos vulnerability research is always driven by the mandate to protect Cisco customers, but we also aim to improve the security of all devices we research. All research has been publicly disclosed, after disclosure to the vendor, according to Cisco's vulnerability disclosure policy. These disclosures directly result in vulnerability remediations that improve the security posture of anyone using these devices.
This blog post included a summary of each router and a few select vulnerabilities. Below is a list of all the advisories Talos disclosed post-VPNFilter.
| Talos ID (Linked to Report) | CVE(s) | Product |
|---|---|---|
| | CVE-2022-26376 | Asuswrt and Asuswrt-Merlin New Gen |
| | CVE-2022-38393 | Asus RT-AX82U |
| | CVE-2022-38105 | Asus RT-AX82U |
| | CVE-2022-35401 | Asus RT-AX82U |
| | CVE-2021-21913 | D-Link DIR3040 |
| | CVE-2021-21820 | D-Link DIR3040 |
| | CVE-2021-21819 | D-Link DIR3040 |
| | CVE-2021-21818 | D-Link DIR3040 |
| | CVE-2021-21817 | D-Link DIR3040 |
| | CVE-2021-21816 | D-Link DIR3040 |
| | CVE-2022-27631 | DD-WRT |
| | CVE-2022-38451 | FreshTomato |
| | CVE-2022-42484 | FreshTomato |
| | CVE-2022-28664 - CVE-2022-28665 | FreshTomato |
| | CVE-2022-25932 | InHand Networks InRouter302 |
| | CVE-2022-29888 | InHand Networks InRouter302 |
| | CVE-2022-28689 | InHand Networks InRouter302 |
| | CVE-2022-26023 | InHand Networks InRouter302 |
| | CVE-2022-30543 | InHand Networks InRouter302 |
| | CVE-2022-29481 | InHand Networks InRouter302 |
| | CVE-2022-26518 | InHand Networks InRouter302 |
| | CVE-2022-26075 | InHand Networks InRouter302 |
| | CVE-2022-26420 | InHand Networks InRouter302 |
| | CVE-2022-27172 | InHand Networks InRouter302 |
| | CVE-2022-26510 | InHand Networks InRouter302 |
| | CVE-2022-26780 - CVE-2022-26782 | InHand Networks InRouter302 |
| | CVE-2022-26042 | InHand Networks InRouter302 |
| | CVE-2022-25995 | InHand Networks InRouter302 |
| | CVE-2022-26002 | InHand Networks InRouter302 |
| | CVE-2022-26007 | InHand Networks InRouter302 |
| | CVE-2022-26020 | InHand Networks InRouter302 |
| | CVE-2022-26085 | InHand Networks InRouter302 |
| | CVE-2022-21182 | InHand Networks InRouter302 |
| | CVE-2022-24910 | InHand Networks InRouter302 |
| | CVE-2022-25172 | InHand Networks InRouter302 |
| | CVE-2022-21238 | InHand Networks InRouter302 |
| | CVE-2022-21809 | InHand Networks InRouter302 |
| | CVE-2019-5017 | KCodes NetUSB.ko |
| | CVE-2019-5016 | KCodes NetUSB.ko |
| | CVE-2018-3953 - CVE-2018-3955 | Linksys E Series |
| | CVE-2023-25582 - CVE-2023-25583 | Milesight UR32L |
| | CVE-2023-24019 | Milesight UR32L |
| | CVE-2023-25081 - CVE-2023-25124 | Milesight UR32L |
| | CVE-2023-24018 | Milesight UR32L |
| | CVE-2023-22653 | Milesight UR32L |
| | CVE-2023-24595 | Milesight UR32L |
| | CVE-2023-22299 | Milesight UR32L |
| | CVE-2023-22365 | Milesight UR32L |
| | CVE-2023-24582 - CVE-2023-24583 | Milesight UR32L |
| | CVE-2023-24519 - CVE-2023-24520 | Milesight UR32L |
| | CVE-2023-23546 | Milesight UR32L |
| | CVE-2023-22659 | Milesight UR32L |
| | CVE-2023-22306 | Milesight UR32L |
| | CVE-2023-23902 | Milesight UR32L |
| | CVE-2023-23571 | Milesight UR32L |
| | CVE-2023-23547 | Milesight UR32L |
| | CVE-2023-23550 | Milesight UR32L |
| | CVE-2023-24496 - CVE-2023-24497 | MilesightVPN |
| | CVE-2023-22371 | MilesightVPN |
| | CVE-2023-23907 | MilesightVPN |
| | CVE-2023-22319 | MilesightVPN |
| | CVE-2023-22844 | MilesightVPN |
| | CVE-2022-38458 | Netgear Orbi Router RBR750 |
| | CVE-2022-36429 | Netgear Orbi Satellite RBS750 |
| | CVE-2022-37337 | Netgear Orbi Router RBR750 |
| | CVE-2022-38452 | Netgear Orbi Router RBR750 |
| | CVE-2019-5101 - CVE-2019-5102 | OpenWrt |
| | CVE-2022-34845 | Robustel R1510 |
| | CVE-2022-33897 | Robustel R1510 |
| | CVE-2022-34850 | Robustel R1510 |
| | CVE-2022-33150 | Robustel R1510 |
| | CVE-2022-32765 | Robustel R1510 |
| | CVE-2022-35261 - CVE-2022-35271 | Robustel R1510 |
| | CVE-2022-33325 - CVE-2022-33329 | Robustel R1510 |
| | CVE-2022-33312 - CVE-2022-33314 | Robustel R1510 |
| | CVE-2022-28127 | Robustel R1510 |
| | CVE-2022-32585 | Robustel R1510 |
| | CVE-2018-4072 - CVE-2018-4073 | Sierra Wireless Airlink |
| | CVE-2018-4070 - CVE-2018-4071 | Sierra Wireless Airlink |
| | CVE-2018-4069 | Sierra Wireless Airlink |
| | CVE-2018-4068 | Sierra Wireless Airlink |
| | CVE-2018-4067 | Sierra Wireless Airlink |
| | CVE-2018-4066 | Sierra Wireless Airlink |
| | CVE-2018-4065 | Sierra Wireless Airlink |
| | CVE-2018-4064 | Sierra Wireless Airlink |
| | CVE-2018-4063 | Sierra Wireless Airlink |
| | CVE-2018-4062 | Sierra Wireless Airlink |
| | CVE-2018-4061 | Sierra Wireless Airlink |
| | CVE-2022-42490 - CVE-2022-42493 | Siretta QUARTZ-GOLD |
| | CVE-2022-41991 | Siretta QUARTZ-GOLD |
| | CVE-2022-40222 | Siretta QUARTZ-GOLD |
| | CVE-2022-41154 | Siretta QUARTZ-GOLD |
| | CVE-2022-38066 | Siretta QUARTZ-GOLD |
| | CVE-2022-40985 - CVE-2022-41030 | Siretta QUARTZ-GOLD |
| | CVE-2022-40220 | Siretta QUARTZ-GOLD |
| | CVE-2022-39045 | Siretta QUARTZ-GOLD |
| | CVE-2022-38715 | Siretta QUARTZ-GOLD |
| | CVE-2022-38088 | Siretta QUARTZ-GOLD |
| | CVE-2022-38459 | Siretta QUARTZ-GOLD |
| | CVE-2022-40969 | Siretta QUARTZ-GOLD |
| | CVE-2022-40701 | Siretta QUARTZ-GOLD |
| | CVE-2022-36279 | Siretta QUARTZ-GOLD |
| | None (Cloud) | Synology QuickConnect |
| | None (Cloud) | Synology QuickConnect |
| | CVE-2020-27659 - CVE-2020-27660 | Synology SRM |
| | CVE-2020-27658 | Synology SRM |
| | CVE-2020-27656 - CVE-2020-27657 | Synology SRM |
| | CVE-2020-27655 | Synology SRM |
| | CVE-2020-27654, CVE-2020-11117 | Synology SRM |
| | CVE-2020-27652 - CVE-2020-27653 | Synology SRM |
| | CVE-2020-27650 - CVE-2020-27651 | Synology SRM |
| | CVE-2020-27648 - CVE-2020-27649 | Synology SRM |
| | CVE-2019-11823 | Synology SRM |
| | CVE-2022-26346 | TCL LinkHub Mesh Wifi |
| | CVE-2022-27178 | TCL LinkHub Mesh Wifi |
| | CVE-2022-27185 | TCL LinkHub Mesh Wifi |
| | CVE-2022-27630 | TCL LinkHub Mesh Wifi |
| | CVE-2022-27633 | TCL LinkHub Mesh Wifi |
| | CVE-2022-27660 | TCL LinkHub Mesh Wifi |
| | CVE-2022-26342 | TCL LinkHub Mesh Wifi |
| | CVE-2022-26009 | TCL LinkHub Mesh Wifi |
| | CVE-2022-25996 | TCL LinkHub Mesh Wifi |
| | CVE-2022-24005 - CVE-2022-24029 | TCL LinkHub Mesh Wifi |
| | CVE-2022-23103 | TCL LinkHub Mesh Wifi |
| | CVE-2022-22144 | TCL LinkHub Mesh Wifi |
| | CVE-2022-22140 | TCL LinkHub Mesh Wifi |
| | CVE-2022-21178 | TCL LinkHub Mesh Wifi |
| | CVE-2022-21201 | TCL LinkHub Mesh Wifi |
| | CVE-2022-23918 - CVE-2022-23919 | TCL LinkHub Mesh Wifi |
| | CVE-2022-23399 | TCL LinkHub Mesh Wifi |
| | CVE-2018-3951 | TP-Link TL-R600VPN |
| | CVE-2018-3950 | TP-Link TL-R600VPN |
| | CVE-2018-3949 | TP-Link TL-R600VPN |
| | CVE-2018-3948 | TP-Link TL-R600VPN |
| | CVE-2021-21749 | ZTE MF971R |
| | CVE-2021-21748 | ZTE MF971R |
| | CVE-2021-21747 | ZTE MF971R |
| | CVE-2021-21746 | ZTE MF971R |
| | CVE-2021-21745 | ZTE MF971R |
| | CVE-2021-21744 | ZTE MF971R |
| | CVE-2021-21743 | ZTE MF971R |