CVE-2022-30329: Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)
An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. An OS injection vulnerability exists within the web interface, allowing an attacker with valid credentials to execute arbitrary shell commands.
The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device.
Five vulnerabilities were discovered. Below are links to the associated technical advisories:
- Technical Advisory: Stored XSS in Web Interface for Trendnet TEW-831DR WiFi router (CVE-2022-30326)
- Technical Advisory: Lack of Current Password Verification for Password/Username Change Feature (CVE-2022-30328)
- Technical Advisory: OS Command Injection in Trendnet TEW-831DR WiFi router (CVE-2022-30329)
- Technical Advisory: CSRF Vulnerability for Trendnet TEW-831DR WiFi router (CVE-2022-30327)
- Technical Advisory: Weak Default Pre-Shared Key for Trendnet TEW-831DR WiFi Router (CVE-2022-30325)
Technical Advisories:
Stored XSS in Web Interface for Trendnet TEW-831DR WiFi router (CVE-2022-30326)
Vendor: Trendnet
Vendor URL: https://www.trendnet.com/
Versions affected: All Versions
System Affected: TEW-831DR
CVE Identifier: CVE-2022-30326
Severity: Medium 5.0
Summary
Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the network pre-shared key field on the web interface is vulnerable to XSS.
Impact
An attacker can use a simple XSS payload to crash the main page of the router web interface.
Details
Stored XSS is a vulnerability related to improper validation of user input and output. In stored XSS the web interface accepts input from the user and stores it for later without proper encoding. A web application that is vulnerable to XSS allows an attacker to send a malicious script to the user.
The example below will crash the basic_conf page and create a popup on the 5G home.htm page:
<input type="text" name="pskValue0" id="pskValue0" size="30" maxlength="64" value="<script>alert(1)</script>">
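The remedy for this class of bug is output encoding rather than input filtering, because a WPA passphrase may legitimately contain characters such as < and ". The Python sketch below is an added example, not part of the original advisory and not Trendnet's firmware code; STATUS_CELL, PASSPHRASE and the function names are constructed for illustration, and only the pskValue0 field markup and the payload come from the advisory.

```python
import html
from html.parser import HTMLParser

# Field markup from the advisory; {value} is filled from the stored configuration.
FIELD = ('<input type="text" name="pskValue0" id="pskValue0" '
         'size="30" maxlength="64" value="{value}">')
# Constructed stand-in for a status page that displays the key as element text.
STATUS_CELL = '<td id="psk">{value}</td>'

def render(template: str, stored_psk: str, encode: bool = True) -> str:
    """encode=False reproduces the vulnerable pattern (value written verbatim)."""
    value = html.escape(stored_psk, quote=True) if encode else stored_psk
    return template.format(value=value)

class Inspector(HTMLParser):
    """Records the start tags, input value and text a browser-like parser sees."""
    def __init__(self):
        super().__init__()
        self.tags, self.text, self.value = [], [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.value = dict(attrs).get("value")

    def handle_data(self, data):
        self.text.append(data)

def parse_page(markup: str) -> Inspector:
    parser = Inspector()
    parser.feed(markup)
    parser.close()
    return parser

PAYLOAD = "<script>alert(1)</script>"   # the value shown in the advisory
PASSPHRASE = 'p"ss<word>1'              # constructed, valid WPA passphrase

if __name__ == "__main__":
    print(parse_page(render(STATUS_CELL, PAYLOAD, encode=False)).tags)  # script tag parsed
    print(parse_page(render(STATUS_CELL, PAYLOAD)).tags)                # only the td
    print(parse_page(render(FIELD, PASSPHRASE)).value)                  # key survives intact
```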
Recommendation
This issue was fixed in the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.
Lack of Current Password Verification for Password/Username Change Feature (CVE-2022-30328)
Vendor: Trendnet
Vendor URL: https://www.trendnet.com/
Versions affected: All Versions
System Affected: TEW-831DR
CVE Identifier: CVE-2022-30328
Severity: Medium 4.0
Summary
Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the router web interface has an insecure username and password setup.
Impact
A malicious user can change the username and password of the interface.
Details
The username and password setup for the router web interface does not require entering the existing password. An attacker can use CSRF to trick the user into sending a request to the web interface that changes the username and password of the router.
Recommendation
Trendnet indicated that this CVE will not be fixed at this point. Router owners should log out of the device web interface after use.
OS Command Injection in Trendnet TEW-831DR WiFi router (CVE-2022-30329)
Vendor: Trendnet
Vendor URL: https://www.trendnet.com/
Versions affected: All Versions
System Affected: TEW-831DR
CVE Identifier: CVE-2022-30329
Severity: Medium 6.3
Summary
Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that commands could be injected into the diagnostics field within the web interface.
Impact
An OS injection vulnerability was found within the web interface of the device allowing an attacker with valid credentials to execute arbitrary shell commands.
Details
The web interface has a diagnostics page that uses ping/traceroute. In the host(domain) field, an attacker can enter an IP address followed by a ; and a command, which the device then executes. Command injection can be used to enable telnetd, a remote terminal protocol server.
For example, the following can be entered into the host(domain) field to enable telnetd:
192.168.10.02;telnetd &
After running the command, any telnet client can be used to login to the root account from the local area network (LAN):
user: root
Password: the admin password
Running the ls command will list the files in the current directory:
bin etc init mnt root tmp var
dev home lib proc sys usr web
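The server-side check that closes this kind of hole has two parts: accept the host(domain) value only if it is a syntactically valid IP address or hostname, and pass it to the tool as a single argument without a shell. The Python sketch below is an added example, not part of the original advisory and not Trendnet's code; the function names, binary paths and fixed options are assumptions.

```python
import ipaddress
import re
import subprocess

# RFC 1123 label: letters, digits, inner hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# Assumed binary locations and fixed options; only the host comes from the user.
_TOOLS = {"ping": ["/bin/ping", "-c", "4"], "traceroute": ["/usr/bin/traceroute"]}

def validate_host(value: str) -> str:
    """Return a canonical IP address or hostname, or raise ValueError.

    Input is accepted or rejected as a whole; nothing is stripped or repaired.
    """
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    labels = value.split(".")
    is_name = len(value) <= 253 and all(_LABEL.fullmatch(label) for label in labels)
    # An all-numeric "hostname" is a malformed IP address, not a name.
    if is_name and not value.replace(".", "").isdigit():
        return value.lower()
    raise ValueError(f"rejected host value: {value!r}")

def build_argv(tool: str, host: str) -> list:
    """Build an argument vector; the host is one argv element, never shell text."""
    if tool not in _TOOLS:
        raise ValueError(f"unknown diagnostic: {tool!r}")
    return _TOOLS[tool] + [validate_host(host)]

def run_diagnostic(tool: str, host: str) -> str:
    """Execute without a shell, so ';', '&' and '|' have no special meaning."""
    done = subprocess.run(build_argv(tool, host), shell=False,
                          capture_output=True, text=True, timeout=30)
    return done.stdout

def is_rejected(value: str) -> bool:
    """True when validate_host refuses the value."""
    try:
        validate_host(value)
    except ValueError:
        return True
    return False
```

Because a hostname label cannot begin with a hyphen, the validated value also cannot be interpreted as an option by ping or traceroute.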
Recommendation
This issue was fixed in the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.
CSRF Vulnerability for Trendnet TEW-831DR WiFi router (CVE-2022-30327)
Vendor: Trendnet
Vendor URL: https://www.trendnet.com/
Versions affected: All Versions
System Affected: TEW-831DR
CVE Identifier: CVE-2022-30327
Severity: High 7.6
Summary
Trendnet TEW-831DR WiFi router is a general consumer WiFi router with a web interface for configuration. It was found that the router's browser interface is vulnerable to CSRF.
Impact
The WiFi router interface is vulnerable to CSRF. An attacker can change the pre-shared key to the WiFi router if the interface IP is known.
Details
Cross-Site Request Forgery is an attack that occurs when a user interacts with a malicious web application while logged into a vulnerable web application using the same browser. The malicious web application can send unwanted requests to the vulnerable web application.
If the user is logged into the router web interface, an attacker could create a page like the example below and trick a user into clicking it to change the router WiFi pre-shared key or SSID.
e.g.:
<html>
<!-- CSRF Template -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.10.1/boafrm/formWizard" method="POST">
<input type="hidden" name="pskValue0" value="password" />
<input type="hidden" name="pskValue1" value="password" />
<input type="hidden" name="cliPskValue0" value="password" />
<input type="hidden" name="cliPskValue1" value="password" />
<input type="hidden" name="apply" value="Save & Apply" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
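A server-side sketch of the checks that make such a forged form fail, covering both this issue and the missing current-password check described under CVE-2022-30328. It is an added example in Python, not part of the original advisory and not Trendnet's fix; the csrf_token and currentPassword field names, the session handling and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

ALLOWED_ORIGINS = {"http://192.168.10.1"}   # interface address from the advisory

def csrf_token(session_key: bytes, session_id: str) -> str:
    """Per-session token the interface embeds as a hidden field in its own forms."""
    return hmac.new(session_key, session_id.encode(), hashlib.sha256).hexdigest()

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_state_change(headers, form, session_key, session_id):
    """Return (allowed, reason) for any POST that changes configuration."""
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return False, "foreign or missing Origin"
    sent = form.get("csrf_token", "").encode()          # hypothetical field name
    if not hmac.compare_digest(sent, csrf_token(session_key, session_id).encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def check_credential_change(headers, form, session_key, session_id, stored, salt):
    """Username/password changes additionally require the current password."""
    allowed, reason = check_state_change(headers, form, session_key, session_id)
    if not allowed:
        return allowed, reason
    supplied = hash_password(form.get("currentPassword", ""), salt)  # hypothetical field
    if not hmac.compare_digest(supplied, stored):
        return False, "current password not confirmed"
    return True, "ok"

# Constructed session state; a real key would be random and generated at boot.
KEY, SID, SALT = b"k" * 32, "session-1", b"constructed-salt"
STORED = hash_password("old-admin-pass", SALT)
# The fields a forged form like the one above submits: no token, no current password.
FORGED = {"pskValue0": "password", "pskValue1": "password", "apply": "Save & Apply"}

if __name__ == "__main__":
    print(check_state_change({"Origin": "http://attacker.example"}, FORGED, KEY, SID))
    own_form = dict(FORGED, csrf_token=csrf_token(KEY, SID))
    print(check_state_change({"Origin": "http://192.168.10.1"}, own_form, KEY, SID))
```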
Recommendation
This issue was fixed in the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.
Weak Default Pre-Shared Key for Trendnet TEW-831DR WiFi Router (CVE-2022-30325)
Vendor: Trendnet
Vendor URL: https://www.trendnet.com/
Versions affected: All Versions
System Affected: TEW-831DR
CVE Identifier: CVE-2022-30325
Severity: Medium 4.0
Summary
Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the default pre-shared key for the WiFi networks is the same for every router except for the last four digits.
Impact
The device default pre-shared key for both 2.4GHz and 5GHz networks can be guessed or brute-forced by an attacker within range of the WiFi network. The weak pre-shared key allows the attacker to gain access to these networks if the pre-shared key has been left unchanged from the factory default.
Details
The device default pre-shared key has the same seven out of eleven digits for every router. An attacker within scanning range of the WiFi network can brute-force the last four digits to gain access to the network.
e.g.:
The first seven default characters of the pre-shared key:
831R100
Recommendation
Trendnet indicated that this CVE will not be fixed at this point. Router owners who are still using the default pre-shared key should change the current WiFi key to a new one through the web interface.
Disclosure Timeline:
March 15th, 2022: Initial email from NCC to Trendnet.
March 16th, 2022: Trendnet responded to the initial email.
March 18th, 2022: First communication of the bugs to Trendnet. Set the disclosure timeline to 60 days.
May 5th – May 23rd, 2022: Multiple emails exchanged to complete the fixes on the firmware version.
May 23rd, 2022: Trendnet confirmed the fixes were present in the firmware to be released.
June 2nd, 2022: Trendnet released firmware version v1.0(601.130.1.1410).
Thanks to
Nicolas Bidron, Jennifer Fernick, and David Goldsmith for their support throughout the research and disclosure process. Additionally, Trendnet for their ongoing cooperation.
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.