A popular home Wi-Fi extender has multiple unpatched vulnerabilities, including the use of a weak default password, according to researchers. Two of the bugs could allow complete remote control of the device.
The flaws were found in the Tenda PA6 Wi-Fi Powerline extender, version 1.0.1.21, which extends a wireless network throughout the house using HomePlug AV2 technology.
“A compromised device can become part of an internet of things (IoT) botnet that launches distributed denial-of-service (DDoS) attacks, used to pivot to other connected devices, leveraged to mine for cryptocurrency or used in various other unauthorized ways,” explained researchers at IBM X-Force, in a posting last week.
The first two bugs are a command-injection issue (CVE-2019-16213) and a critical buffer overflow (CVE-2019-19505). Both are found in the extender device’s web server, in a process named “httpd.”
The command-injection vulnerability carries a rating of 8.8 out of 10 on the CVSS severity scale. It arises because, under the “Powerline” section of the extender’s web-server user interface (UI), the user can view and change the names of the other powerline communication (PLC) devices attached to the same powerline network. An authenticated user can inject an arbitrary command just by changing the device name of an attached PLC adapter to a specially crafted string, the researchers noted. Since the web server runs with root privileges, an attacker could leverage this injection to fully compromise the device.
“The name entered by the user is concatenated as an argument to the ‘homeplugctl’ application and executed by the ‘system’ library function,” according to IBM X-Force. “This user input is just URL decoded, without any validation or sanitation.”
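The defensive handling the quoted finding implies, written here as an added example (not code from IBM X-Force or from the device firmware): percent-decode the submitted name, validate the decoded result against a strict allowlist, and hand the clean value to the helper as its own argv element rather than through a shell. PLC_NAME_MAX and the homeplugctl argument layout are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define PLC_NAME_MAX 32  /* assumed limit; the device's real cap is not documented here */

/* Percent-decode src into dst (dst_len bytes incl. NUL). Fails on a malformed escape
 * or if the result would not fit. Decoding is not sanitation: "%3B" becomes ';'. */
static bool url_decode(const char *src, char *dst, size_t dst_len) {
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (o + 1 >= dst_len) return false;          /* no room for byte + NUL */
        if (src[i] == '%') {
            if (!isxdigit((unsigned char)src[i + 1]) || !isxdigit((unsigned char)src[i + 2]))
                return false;
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            dst[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            dst[o++] = (src[i] == '+') ? ' ' : src[i];
        }
    }
    dst[o] = '\0';
    return true;
}

/* Allowlist: 1..PLC_NAME_MAX chars from [A-Za-z0-9 _-]; every shell metacharacter is outside it. */
static bool plc_name_is_valid(const char *name) {
    size_t n = strlen(name);
    if (n == 0 || n > PLC_NAME_MAX) return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != ' ' && c != '-' && c != '_') return false;
    }
    return true;
}

/* Decode, then validate. Returns 0 with the clean name in out, or -1 (out emptied)
 * when the request must be refused. On success the caller passes out to homeplugctl
 * as one argv element via execv(), e.g. { "homeplugctl", out, NULL } (hypothetical argv). */
int vet_plc_name(const char *raw, char *out, size_t out_len) {
    if (out_len == 0) return -1;
    if (!url_decode(raw, out, out_len) || !plc_name_is_valid(out)) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}
```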
The second vulnerability is found in the “Wireless” section of the web UI: by adding a device to the Wireless Access Control list with a specially crafted hostname, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. It’s listed as critical, with a 9.8 severity rating.
“It is possible to overwrite the return address register $ra and begin controlling program execution,” according to the analysis. “A motivated attacker can utilize this to potentially execute arbitrary code. Note that the overflow isn’t a result of an unsafe call to functions like strcpy or memcpy.”
Both bugs are post-authentication, so a user would need to be signed in to exploit them. But there’s a big caveat: the web server itself is protected only by the default (and very guessable) password “admin.”
“Both vulnerabilities in this web-UI allow an authenticated user to compromise the device with root privileges, and while authentication should provide a layer of security, in this case, with a weak and guessable password, it should not be considered adequate protection,” explained the researchers.
Similarly, the web server interface should only be accessible from the local network; however, a wrong setup or configuration can expose it to the internet and therefore to remote attackers. And IBM X-Force found that combining these vulnerabilities with a DNS rebinding technique gives the attacker a remote vector that doesn’t depend on the user’s configuration.
“That remote attack vector is not far-fetched here, and using a technique called DNS rebinding, we were able to perform the same attack from a remote website, overcoming same-origin limitations by the browser,” said the researchers. “With this known technique, once the victim is tricked into visiting a malicious website, their entire local network is exposed to the attacker.”
DNS rebinding involves using a malicious JavaScript payload to scan the local network for vulnerable powerline extenders. If one is found, a login could be attempted using a list of popular passwords.
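A server-side mitigation for the rebinding vector described above, added here as an example and not taken from the IBM write-up or the Tenda firmware: the device’s web server checks the HTTP Host header against its own names before handling any request. DEVICE_HOSTS holds constructed sample values, not the extender’s real address.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Names this device answers to; constructed sample values, not the PA6's real
 * address. Entries must be lowercase, since the check lowercases the header. */
static const char *const DEVICE_HOSTS[] = { "192.168.0.254", "extender.lan" };

/* Returns true only if the HTTP Host header names this device. Under DNS
 * rebinding the browser keeps sending the attacker's hostname in Host:
 * (it is the origin the page was loaded from), so the request is refused
 * even though the name now resolves to the device's LAN address. The
 * browser's same-origin policy cannot do this for us; the server has to. */
bool host_header_allowed(const char *host) {
    char buf[256];
    if (host == NULL) return false;                   /* HTTP/1.1 requires Host */
    size_t len = strlen(host);
    if (len == 0 || len >= sizeof buf) return false;
    for (size_t i = 0; i <= len; i++) buf[i] = (char)tolower((unsigned char)host[i]);

    /* Strip ":port" only when there is exactly one colon (so an IPv6 literal
     * with several colons is not mangled) and everything after it is digits. */
    char *colon = strchr(buf, ':');
    if (colon != NULL && strchr(colon + 1, ':') == NULL) {
        if (colon[1] == '\0') return false;
        for (char *p = colon + 1; *p != '\0'; p++)
            if (!isdigit((unsigned char)*p)) return false;
        *colon = '\0';
    }
    for (size_t i = 0; i < sizeof DEVICE_HOSTS / sizeof DEVICE_HOSTS[0]; i++)
        if (strcmp(buf, DEVICE_HOSTS[i]) == 0) return true;
    return false;
}

/* Gate for every request handler: a rebound request is answered with 400
 * before any authentication or parameter handling takes place. */
int http_status_for(const char *host_header) {
    return host_header_allowed(host_header) ? 200 : 400;
}
```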
“In our demo we were able to get a reverse shell on the vulnerable device just by having someone with access to the device’s network visit our website,” said the researchers. “This is significant as it allows an attacker to gain control over the vulnerable devices remotely just by having the victim visit a website.”
The third vulnerability (CVE-2019-19506), which rates 7.5 out of 10 on the severity scale, resides in a process named “homeplugd,” which is related to the extender device’s powerline functionality. By sending a specially crafted UDP packet, an attacker could exploit this vulnerability to cause the device to reboot. If the packet is sent repeatedly, the device will loop through restarts and be unable to carry out its functions or connect to the internet.
Unlike the other two bugs, an attacker in this case would not need to be authenticated.
“As we were inspecting the open ports and their corresponding services on the extender, we noticed the homeplugd process listening on UDP port 48912,” according to the analysis. “Reversing the binary revealed to us that no authentication was required to interact with this service.”
For now, there are no patches for the issues.
“Unfortunately, despite repeated attempts to contact Tenda, IBM is yet to receive any reply to its emails and phone calls,” the researchers said. “It remains unknown whether the company is working on patches.”
Threatpost has also reached out to the vendor for more information.
To protect themselves, users should change default passwords on all devices that connect to the internet, update firmware regularly, and use internal filtering controls or a firewall.
“While most flaws in popular software are addressed and patched, devices like powerline extenders, and even routers, do not seem to receive the same treatment, and are all too often left exposed to potential attacks,” the researchers concluded. “But these devices are not just a connectivity plug on the edge of the network. A critical enough vulnerability can be leveraged to reach other parts of the network. That is especially true for routers, but it also extends to other devices that have some sort of interface into the network.”
securityintelligence.com/posts/vulnerable-powerline-extenders-underline-lax-iot-security/