WiMAX routers manufactured by several companies, including Huawei and ZyXEL, are vulnerable to an authentication bypass that could let an attacker change the password of the admin user, gain access to the device, or the network behind it.
Stefan Viehböck, a researcher with SEC Consult Vulnerability Lab, a software-testing firm based in Vienna, Austria, discovered the issue last September. It wasn't until Wednesday that Viehböck, along with the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University, was able to disclose the vulnerability.
The issue, which garnered a critical base CVSS rating of 10.0, exists in routers distributed to subscribers by WiMAX ISPs.
Usage of WiMAX, a family of wireless communication standards, has declined over the years, especially with operators switching to LTE, but the technology is still used in hundreds of networks worldwide.
According to Viehböck, an attacker can set arbitrary configuration values by sending a crafted POST request to the routers' commit2.cgi uniform resource identifier (URI) without authentication. In a proof of concept also published Wednesday, the researcher explains how he could use an HTTP request to set the admin username and password to "admin" and therefore log into the device with admin permissions.
Viehböck warns the following router models are likely affected and should be decommissioned:
Many of the devices are old; Huawei told Viehböck back in September, when he first brought the issue to the company's attention, that its routers would not receive an update for the issue. Huawei told the researcher it had marked them EOS, or end of service, back in 2014.
Viehböck and SEC Consult say it's unlikely any of the devices will receive updates, so they're encouraging owners to replace them.
In addition to Huawei, Viehböck was able to determine that routers from GreenPacket, MADA, and ZTE were also vulnerable by using a tool to scan a data set of firmware from other WiMAX products for the commit2.cgi vulnerability.
While scanning, the tool picked up a handful of hardcoded Unix-style password hashes, something Viehböck believes to be associated with backdoor accounts, potentially introduced by the devices' original equipment manufacturer.
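The two findings from the firmware scan described above, the vulnerable handler and the hardcoded Unix-style hashes, are both things an operator can check for in an unpacked firmware image of their own devices before deciding whether to replace them. This script is an added example, not the researcher's tool: given the root of an extracted filesystem it reports whether `libmtk_httpd_plugin.so` (named in the advisory) is present and references `commit2.cgi`, and it lists any crypt(3)-style password hashes found in `passwd`/`shadow` files. The sample firmware tree, including its hash strings, is constructed inline and is not real vendor content.

```python
import tempfile
from pathlib import Path
import re

PLUGIN_NAME = "libmtk_httpd_plugin.so"   # library named in the SEC Consult advisory
HANDLER = b"commit2.cgi"                 # handler string to look for inside it

# Second field of a passwd/shadow line that is an actual crypt(3) hash:
# either "$id$salt$hash" (id 1 = MD5, 5 = SHA-256, 6 = SHA-512) or a 13-char DES hash.
CRYPT_FIELD_RE = re.compile(
    r"\$[156]\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{22,86}|[./0-9A-Za-z]{13}"
)


def scan_passwd_file(path):
    """Return (user, hash) pairs for accounts whose password field is a real hash.
    Locked ('*', '!') or empty fields are skipped; only hashes mean a login is possible."""
    found = []
    for line in path.read_text(errors="replace").splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and CRYPT_FIELD_RE.fullmatch(fields[1]):
            found.append((fields[0], fields[1]))
    return found


def triage_firmware(root):
    """Walk an extracted firmware root and report the two indicators from the article."""
    root = Path(root)
    report = {"plugin": None, "plugin_has_handler": False, "hardcoded_hashes": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        if p.name == PLUGIN_NAME:
            report["plugin"] = rel
            report["plugin_has_handler"] = HANDLER in p.read_bytes()
        elif p.name in ("passwd", "shadow"):
            for user, h in scan_passwd_file(p):
                report["hardcoded_hashes"].append((rel, user, h))
    return report


def build_sample_firmware():
    """Create a constructed firmware tree in a temp directory (not real vendor files)."""
    root = Path(tempfile.mkdtemp(prefix="fw_"))
    (root / "lib").mkdir()
    (root / "etc").mkdir()
    # Fake shared object: an ELF-looking header followed by a string table entry.
    (root / "lib" / PLUGIN_NAME).write_bytes(b"\x7fELF\x01\x01\x01\x00" + b"\x00commit2.cgi\x00")
    # Constructed passwd file: two accounts with hashes baked into the image, one locked.
    (root / "etc" / "passwd").write_text(
        "root:$1$SaltSalt$abcdefghijklmnopqrstuv:0:0:root:/:/bin/sh\n"
        "nobody:*:99:99::/:/bin/false\n"
        "support:$1$xyzxyzxy$ABCDEFGHIJKLMNOPQRSTUV:0:0::/:/bin/sh\n"
    )
    return root


if __name__ == "__main__":
    result = triage_firmware(build_sample_firmware())
    print("plugin:", result["plugin"], "references handler:", result["plugin_has_handler"])
    for rel, user, h in result["hardcoded_hashes"]:
        print(f"hash in {rel} for account '{user}' (uid-0 review needed)")
```

A hash in a shipped `passwd` file is not by itself proof of a backdoor, but an extra uid-0 account whose password the owner never set is exactly what the article describes, so each hit should be checked against the device's documented accounts before the firmware is trusted.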
Viehböck called the hashes "OEM Backdoors in practice" on Wednesday and said that at one point he hypothesized that MediaTek, a Taiwanese company that makes the hardware and supplies the library (libmtk_httpd_plugin.so) that contains commit2.cgi, was behind them.
"This makes sense because the affected devices are all based on MediaTek hardware. These SDKs often come with everything that is required to use the hardware and even contain a working web interface," Viehböck wrote Wednesday. "Vendors can choose to use the whole SDK to build their product or just use some drivers/middleware and build the rest themselves."
According to Viehböck, when CERT/CC got in touch with MediaTek, however, it said it wasn't responsible for the SDK code, instead suggesting that ZyXEL, the Taiwanese router manufacturer, added the vulnerable code.
It's a complicated timeline that Viehböck explains as follows:
> MediaTek manufactures a SoC for WiMAX products and provides an SDK with sample web interface code to vendors.
>
> ZyXEL and their sister company MitraStar develop firmware based on the MediaTek SDK, introducing the "commit2.cgi vulnerability" and the "OEM backdoors".
>
> ZyXEL sells the products to ISPs.
>
> MitraStar works as an OEM for GreenPacket, Huawei, ZTE… who also sell the products to ISPs.
>
> ISPs sell/lease the devices to their subscribers as customer premises equipment (CPE).
ZyXEL did not reply to inquiries made by CERT/CC, nor did it immediately return Threatpost's request for comment on Wednesday.
ZyXEL told Threatpost on Friday* that it was working on a solution for router models susceptible to CVE-2017-3216.
In the meantime, the company is encouraging users of the devices to disable WAN device management:
It's not the first time that researchers, or attackers for that matter, have managed to undermine the security of equipment made by the company.
Attackers exploited a flawed implementation in some of the company's routers to carry out Mirai-like attacks against Deutsche Telekom customers in Germany in November.
At Kaspersky Lab's Security Analyst Summit in April, Peter Kruse, a researcher with Denmark's CSIS Security Group, said a number of home routers made by ZyXEL were shipped with a default username and password, a loophole he saw Romanian cybercriminals leveraging as part of a phishing scheme.
The company told Threatpost in January that vulnerabilities in a number of routers made by the company and distributed by a Thai ISP would not be fixed, as they were no longer supported. Those router models, the ZyXEL P660HN-T v1 and ZyXEL P660HN-T v2, are different from the models named by SEC Consult on Wednesday, however.
*This article was updated on June 10 to include a statement from ZyXEL.