The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter
Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.
Wednesday, August 2, 2023 08:08
- Since the discovery of the widespread VPNFilter malware in 2018, Cisco Talos researchers have been researching vulnerabilities in small and home office (SOHO) and industrial routers.
- During that research, Talos has worked with vendors to report and mitigate these vulnerabilities, totaling 141 advisories covering 289 CVEs across multiple routers.
- Talos is highlighting some of the major issues our researchers discovered over the past several years, including vulnerabilities an attacker could exploit directly and those an adversary could chain together to gain elevated access to the devices.
- There are several Snort rules that can detect possible exploitation of the vulnerabilities included in this post.
Small office/home office (SOHO) routers and small-scale industrial routers are common targets for bad actors because these devices sit in nearly every home and small business. Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance. However, they are also often deployed without a security team in place to mitigate vulnerabilities. These routers are usually connected directly to the internet, and all local network traffic passes through them.
In 2018, Talos uncovered and published an article about the VPNFilter malware aimed at SOHO network equipment. This malware had the ability to completely compromise or wipe a targeted device. Since then, numerous reports of sophisticated actors targeting SOHO routers have come to light: Talos recently released a blog post discussing our concern about an increase in state-sponsored campaigns targeting network infrastructure, Microsoft discussed state-sponsored actors using SOHO routers to obfuscate their operations at CyberWarCon 2022, and Lumen recently highlighted that criminal actors are also targeting SOHO routers to support their operations.
The Talos Vulnerability Discovery and Research Team — our world-class team of researchers who work with third-party vendors to disclose and patch vulnerabilities in a variety of software and hardware — made SOHO and industrial routers a major priority after VPNFilter. By helping vendors mitigate the vulnerabilities on these devices, we make life harder for malicious actors.
Since VPNFilter, Talos has investigated 13 SOHO and industrial routers from various vendors. As a direct result of this research, Talos has reported 289 CVEs to vendors, published across 141 Talos reports. These reports resulted in appropriate Snort network intrusion detection coverage and several security fixes from each vendor. These fixes help customers who deploy Cisco Secure solutions and improve the security posture of anyone using these devices once the vulnerabilities are patched.
In this blog post, we provide a summary of the vulnerabilities we discovered in these devices, specifically focusing on vulnerabilities adversaries were most likely to exploit, or ones that could be chained together to gain an elevated level of access to the device or network. This is by no means the end of our research into SOHO or industrial routers. We plan to continue investigating these types of devices to better protect our customers and the community as a whole.
**Routers**
**ASUS RT-AX82-U**
Research conducted by Lilith Wyatt.
Background
Our researchers chose to examine the ASUS RT-AX82-U because it is a very popular router and it shares a codebase with a plethora of other ASUS routers. Over the course of the research, Talos submitted three unique reports to ASUS, resulting in three CVEs. The ASUS RT-AX82-U contains a large amount of open-source code in the form of the asus-merlin-ng firmware. During this research, this section of code was avoided in favor of device- and feature-specific codebases within the device, including smart home integrations and the AiMesh functionality. The smart home integration features are designed for integration with Amazon Alexa or the “If This, Then That” (IFTTT) automation framework to provide more easily accessible functionality or automation. The AiMesh feature is a mesh networking solution designed to allow for multiple routers to work together to provide Wi-Fi connectivity over a larger area from a single network connection point. These features are enabled by default in the stock configuration of the device. This means that, without explicit effort by a user to disable these features, all ASUS RT-AX82-U devices could be targets.
Notable Vulnerabilities
TALOS-2022-1586: This vulnerability existed in the smart home integration features of the router. When a user generates a token for use with IFTTT, an authentication token is created that allows IFTTT to drive functionality on the router. This token can be easily brute-forced, as there are only 255 possible values, and its validity is judged by comparing the time it was generated against the device's uptime. Because uptime restarts from zero on reboot, a token issued before a reboot is accepted again afterwards, up until the uptime (in seconds since reboot) at which the token was originally created, instead of expiring after the intended two minutes. Leveraging this vulnerability allows an attacker to gain administrative privileges on the router as if they had properly authenticated.
TALOS-2022-1590: This vulnerability existed in the AiMesh functionality of the router. Using pre-authentication control messages, an improperly sized read can be used to leak information, which can then be decrypted locally using known plaintext. This is possible because the length of the user-supplied AES key is not checked against the fixed size the AES variant requires (32 bytes for AES-256). By providing a key smaller than the required size, an attacker causes extra data to be returned in the response.
TALOS-2022-1592: This vulnerability existed in the AiMesh functionality of the router. By utilizing pre-authentication diagnostic messages, an improperly sized packet can lead to a denial of service. This is possible due to the lack of length validation on packets ingested, which leads to an integer underflow. This integer underflow is then utilized in a read loop that ends in accessing unmapped memory, causing a crash.
Observations
The primary issue in the ASUS RT-AX82-U came from the inclusion of services that do not need to be active by default. The smart home integration service should be disabled by default, as it is by no means required for the operation of the router and is likely unused in most deployments. The AiMesh service could likewise be disabled by default and enabled only when a user wants a mesh network. While disabling this functionality would not have removed the vulnerabilities from the device, it would significantly reduce the attack surface and the number of deployments left in a vulnerable state.
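To make the reboot problem in TALOS-2022-1586 concrete, here is an added example written for this article (a model of the described behaviour, not ASUS code). It places the uptime-only freshness check next to a hardened one that binds every token to a random per-boot identifier, uses a 16-byte random value instead of a single byte, and compares it in constant time. It also simulates the brute force against a one-byte token. The `boot_id` field, the record layout, the 16-byte token length and the function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TOKEN_TTL_SECS 120u   /* the intended two-minute lifetime */
#define TOKEN_BYTES    16     /* assumed size for the hardened token */

/* Token record for the hardened scheme (layout is an assumption). */
struct token_rec {
    uint8_t  value[TOKEN_BYTES];
    uint64_t boot_id;          /* random value chosen once per boot, kept in RAM */
    uint32_t created_uptime;   /* seconds since boot when the token was issued */
};

/* Vulnerable pattern as described in the advisory (model): expiry is judged
 * only against uptime. Uptime restarts at 0 on reboot, so a token issued at
 * uptime 1000 is treated as live again from the reboot until uptime passes 1120. */
bool token_live_uptime_only(uint32_t created_uptime, uint32_t now_uptime)
{
    return now_uptime < created_uptime + TOKEN_TTL_SECS;
}

/* Hardened check: the token must belong to the current boot session and be
 * younger than TOKEN_TTL_SECS. The boot_id test makes a reboot invalidate
 * every outstanding token; the ordering test keeps the subtraction from
 * wrapping if the clock ever runs backwards. */
bool token_live_fixed(const struct token_rec *t, uint64_t cur_boot_id,
                      uint32_t now_uptime)
{
    if (t->boot_id != cur_boot_id)      return false;
    if (now_uptime < t->created_uptime) return false;
    return (now_uptime - t->created_uptime) < TOKEN_TTL_SECS;
}

/* Constant-time comparison: the loop does the same work whether or not the
 * first byte differs, so a remote guesser learns nothing from response timing. */
bool token_matches(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Issues a fresh token from the kernel RNG. Returns 0 on success, -1 if
 * /dev/urandom could not be read (the caller must then refuse to issue one). */
int issue_token(struct token_rec *t, uint64_t cur_boot_id, uint32_t now_uptime)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(t->value, 1, TOKEN_BYTES, f);
    fclose(f);
    if (got != TOKEN_BYTES) return -1;
    t->boot_id = cur_boot_id;
    t->created_uptime = now_uptime;
    return 0;
}

/* Simulates the brute force against a one-byte token: with 255 usable values
 * the attacker is guaranteed a hit within 255 requests. Returns the number of
 * guesses needed, or -1 if the secret is 0 (treated as "no token" here). */
int guesses_to_recover_1byte(uint8_t secret)
{
    for (int guess = 1; guess <= 255; guess++) {
        uint8_t g = (uint8_t)guess;
        if (token_matches(&g, &secret, 1))
            return guess;
    }
    return -1;
}
```

The interesting case is `token_live_uptime_only(1000, 50)`: a token issued at uptime 1000 is accepted at uptime 50 after a reboot, exactly the window the advisory describes, whereas `token_live_fixed` rejects it because the boot identifier no longer matches. Rate-limiting the token endpoint would slow a 255-guess search but would not fix it; the keyspace has to grow.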
**D-Link DIR-3040**
Research conducted by Dave McDaniel.
Background
The D-Link DIR-3040 is another popular device and was an interesting subject for our researchers because of the mesh communications used between nodes to provide improved Wi-Fi coverage wherever the device is deployed. Over the course of the research, Talos submitted six unique reports to D-Link, resulting in six CVEs. The research targeted all aspects of the device in its stock configuration: the web services (including hidden diagnostic services), the Wi-Fi mesh networking implementation, and other general security issues. The Wi-Fi mesh networking implementation allows multiple routers to connect together to provide increased network coverage.
Notable Vulnerabilities
TALOS-2021-1284: This vulnerability was a combination of web server functionality and an issue within hidden functionality. By visiting a hidden URL of the router, an attacker could activate a hidden telnet console used for diagnostics. Within this diagnostics menu, multiple commands within the restricted shell lacked proper input sanitization and, as such, allowed arbitrary command injection.
TALOS-2021-1361: Talos discovered this vulnerability within the Wi-Fi mesh networking service enabled by default on the device. By utilizing hard-coded credentials, an attacker could connect to the MQTT server. Once connected, an attacker could query information about the mesh. This information was encrypted but could be decrypted utilizing the MAC address of the base router, which was found in the same message. Once decrypted, the root password for the primary router could be recovered.
TALOS-2021-1281: Talos discovered this vulnerability within the Zebra network management service, which was enabled by default on the router. By utilizing hard-coded credentials for this service, an attacker could access diagnostic tooling for the router. An adversary could point the service's login banner at an arbitrary file, causing the service to leak sensitive contents otherwise inaccessible through it.
Observations
The DIR-3040 web server contains hidden paths to access debugging functionality on the device. There is no reason to hide this functionality, and it is better off as an explicit option that a user has to manually enable. Hard-coded credentials should also never be included in modern devices. Finally, as with the RT-AX82-U, the MQTT server related to mesh communication should not be enabled unless a feature that requires the MQTT server is enabled by a user during setup or other configuration.
**InHand Network InRouter 302**
Research conducted by Francesco Benvenuto.
Background
Our researchers examined the InHand Network InRouter 302 because three ATM providers claimed to have used this device: Wireless ATM STORE.COM, Wincor Nixdorf and UnionPay. Over the course of the research, Talos submitted 23 unique reports to InHand, resulting in 25 CVEs. The research targeted all aspects of the device in its stock configuration, including the web server, API services and general security issues. The web server contained multiple vulnerabilities, including cross-site scripting and common gateway interface (CGI) issues. The console utilities of the InRouter also contained numerous vulnerabilities. During the course of this research, an interesting unescape vulnerability was identified that spanned numerous open-source projects and closed-source products. This vulnerability will be discussed more in-depth in the Siretta router section.
Notable Vulnerabilities
- TALOS-2022-1469: This vulnerability existed in the HTTP server. It affects the /info.jsp endpoint, which is normally only used by the router's own web pages. The endpoint effectively evaluates a request parameter as JavaScript. Because access to the endpoint is not restricted, this leads to a cross-site scripting (XSS) vulnerability.
- TALOS-2022-1472: This vulnerability existed in the HTTP server. Because of improper access control, a low-privileged user could update the router configuration, enabling them to change the privileged user's credentials, resulting in privilege escalation.
- TALOS-2022-1476: The vulnerability existed within the restricted console presented to a user when using SSH or Telnet. This console contained multiple commands, including factory, a command that only the most-privileged user could execute. By utilizing this command, an attacker could use this (presumed) debug functionality to overflow the stack buffer used to hold the user data while it was being parsed. This vulnerability could lead to arbitrary code execution.
Observations
These three vulnerabilities would allow an attacker to obtain root access to the device starting with a single click. TALOS-2022-1469 is an XSS vulnerability that could allow an attacker to exfiltrate the session cookie of a logged-in user. If the session cookie belonged to a low-privileged user, an attacker could chain TALOS-2022-1472 to update the router’s configuration, enabling them to change privileged user credentials, resulting in privilege escalation. An attacker, at this point, would have the most elevated permitted credentials, but no root access. However, by exploiting TALOS-2022-1476, an attacker would be able to obtain, through a stack-based buffer overflow, remote command execution.
We wrote an extensive blog post that discusses, in-depth, how an attacker could chain the vulnerabilities discovered to obtain remote command execution in the InHand Network InRouter 302 with a one-click attack.
**Linksys E Series**
Research conducted by a researcher within Cisco Talos.
Background
The Linksys E Series devices were directly affected by the VPNFilter campaign. The E1200 and E2500 are two SOHO routers offered by various vendors over the years, most recently Linksys. The devices target low-budget installations, providing four Ethernet ports for additional device connections. The E Series provides a web-based management console to allow owners to make administrative changes to the system configuration. This web console also provided the main attack surface during our analysis of the device.
Notable Vulnerability
- TALOS-2018-0625: This disclosure contains three related authenticated command injection vulnerabilities, all accessible via the web-based management portal. Many of the configuration details passed to E Series routers during configuration must be retained across a device’s power cycle. Since the device has only one writable directory (/tmp) and that directory is cleared on reboot, the device uses NVRAM to store configuration details. Three paths exist where one of two parameters, `machine_name` or `wan_domain`, are retrieved from NVRAM and subsequently used directly in a command passed to `system()`.
**Milesight UR32L and MilesightVPN**
Research conducted by Francesco Benvenuto.
Background
The Milesight UR32L is an industrial router that offers a good tradeoff between price and functionality. The vendor also provides software for a remote access solution called MilesightVPN which, in theory, allows the UR32L to be less exposed, making it more difficult for an attacker to target. Over the course of the UR32L research, Talos submitted 17 unique reports to Milesight, resulting in 63 CVEs. Talos researchers also sent Milesight five unique reports for the VPN solution, resulting in six CVEs. This research focused mainly on two components: the HTTP server with its related components, and the router console shell. Our analysis also considered the attack scenario in which the user relies on MilesightVPN, so as to investigate a more complete attack path.
Notable Vulnerabilities
- TALOS-2023-1701: This vulnerability existed in the HTTP server login functionality of MilesightVPN. It is an SQL injection vulnerability that allows an attacker to bypass the web login and gain access to the administrative web pages. This in turn allows an attacker to communicate with routers connected to the VPN.
- TALOS-2023-1697: This vulnerability existed in the HTTP server login functionality of the UR32L. This is the most severe vulnerability found on the router: a pre-authentication remote stack-based buffer overflow. An unauthenticated attacker able to communicate with the HTTP server would be able to achieve remote command execution. One way to reach the HTTP server remotely is by using TALOS-2023-1701.
- TALOS-2023-1706: The UR32L offers diagnostic functionality within its HTTP server, such as ping and trace. Both are vulnerable to OS command injection through the specified host parameter. An attacker with low-privilege credentials on the UR32L could exploit these to execute remote commands.
Observations
The vendor provides MilesightVPN software, a remote access solution. The underlying idea is that by using this software, Milesight’s UR32L would not need to be exposed to the internet, thus reducing the attack surface and making it more difficult for an attacker to target it. During our research, we took into consideration this scenario and demonstrated that unfortunately, an attacker can use TALOS-2023-1701 to attack the remote access solution software and then execute arbitrary code inside the UR32L by using TALOS-2023-1697.
**Netgear Orbi Router RBR750/RBS750**
Research conducted by Dave McDaniel.
Background
The Netgear Orbi RBR750/RBS750 was chosen due to its popularity and reputation for quality. This device is widely adopted as a high-end SOHO router and also uses a mesh network to connect satellites. Over the course of the research, Talos submitted four unique reports to Netgear, resulting in four CVEs. The research on the Netgear Orbi RBR750 focused on multiple services across the devices, such as the management web server and services the device exposes on the local network. The network services included hidden functionality that could be activated using a special network packet. The Orbi uses the open-source OpenWrt ubus code base for communication between the satellites and the primary router, but also layers hidden additional functionality on top of this library.
Notable Vulnerabilities
- TALOS-2022-1595: This vulnerability is based on the existence of an undocumented service listening on UDP port 23. This service listened for an encrypted packet containing the MAC address, username and password of the br-lan interface of the device. The encryption used was a modified Blowfish algorithm similar to the one used for the Nintendo DS handheld video game system's cartridge copy protection. Once a valid packet was received, a telnet daemon was spawned which allowed direct access to the underlying BusyBox system.
- TALOS-2022-1596: This vulnerability existed in the web-based administration of the Orbi. Within the web interface, there was functionality to block specific devices specified by MAC address and device name. The device name field of the associated POST request is vulnerable to command injection due to a lack of user-input sanitization. An attacker could craft a malicious packet to execute arbitrary commands on the device with root privileges.
- TALOS-2022-1592: This vulnerability existed in the Wi-Fi mesh communication service of the device. This service used ubus, the open-source message bus developed by OpenWrt. More specifically, this vulnerability was due to functionality Netgear built on top of the ubus library. If an attacker knew the web interface password or the default password, it was possible to send a ubus message to activate a hidden telnet service. This hidden telnet functionality could then be used by an attacker to obtain direct access to the underlying BusyBox system.
Observations
The Netgear Orbi mainly suffered from a lack of user input sanitization and the presence of hidden services. User input should be sanitized server-side using well-tested libraries instead of one-off solutions, or worse, client-side solutions. Providing a telnet service is not inherently bad, but hiding the activation from a user does not seem to provide value. Including hidden ways of activating the telnet server makes it more difficult for a user to know how to minimize their risk.
**Robustel R1510**
Research conducted by Francesco Benvenuto.
Background
The Robustel R1510 was chosen due to the physical danger vulnerabilities could present. This router is used in physical systems such as elevators, and Robustel partners with many wide-reaching industrial control system vendors such as Vodafone, Bosch, Siemens, Emerson and Schneider Electric. Over the course of the research, Talos submitted 10 unique reports to Robustel, resulting in 26 CVEs. Research on the Robustel R1510 was primarily focused on the web server, which manages almost all functionality of the device.
Notable Vulnerabilities
TALOS-2022-1577: This vulnerability was contained within the web server and the functionality directly associated with installing a NodeJS application. While uploading a new NodeJS application, a global variable is set with the provided filename as part of the POST request. Once the file is uploaded to the web server, a second request is required to install the application. Using this request, it was possible for an attacker to trigger a command injection by crafting a maliciously named file. Once the application was installed, the command injection would be triggered. This allowed an attacker to execute arbitrary commands on the device.
TALOS-2022-1576: Talos discovered this vulnerability within the firmware upgrade functionality of the web server. The R1510 used a modified U-Boot header but retained the character array holding the firmware name. This field was not validated or escaped before being passed directly to a system() call. An attacker could craft a firmware update file whose name triggers arbitrary command injection during the update process.
TALOS-2022-1578: Talos discovered this vulnerability within the SSH authorized-key upload feature of the R1510's web management interface. An authenticated user could change their Linux username on the device, which determines the directory path used to store SSH keys for public-key authentication. When a user uploaded a new SSH key, their username was used directly, without any validation, to build a directory path that was passed into a sysprintf function call, resulting in a command injection. An attacker could leverage a vulnerability to bypass authentication in the web interface, then use this vulnerability to execute arbitrary commands on the underlying Linux system.
Observations
Most of the discovered vulnerabilities in the Robustel R1510 were related to a lack of user input sanitization. Ideally, a single shared validation routine would be used wherever such checks are needed across the device. Absent a specific performance constraint, these checks should be repeated at each stage of handling an upload, from receiving the file to later using it. Using a common library for the checks removes the risk of one copy of the validation falling out of sync with checks elsewhere in the system.
**Sierra Wireless AirLink**
Research conducted by Carl Hurd.
Background
Talos researchers chose to investigate the Sierra Wireless Airlink because of its deployment flexibility. The AirLink is intended for use in remote locations utilizing a cellular connection for local devices. The AirLink is managed out-of-band from the network provided by the device. Talos submitted 11 unique reports to Sierra Wireless, resulting in 13 CVEs. The research was focused on all aspects of the device, including the web server, custom console binary, SNMP and other exposed services on the device. If an attacker were to compromise this device, it would be possible to leverage the functionality of the device to manipulate traffic on all sides of the network.
Notable Vulnerabilities
TALOS-2018-0751: This vulnerability is contained within the ACEManager web server, which lacked any cross-site request forgery (CSRF) protection, such as a token or header that the server verifies on every state-changing request. Such protection lets the server confirm that a request originated from its own pages within the user's session, rather than from a link or page on an unrelated site riding on the user's already-authenticated session. Without it, an attacker can cause a victim's browser to issue authenticated requests on the attacker's behalf, which opens the door to session hijacking through various methods.
TALOS-2018-0750: This vulnerability existed in the ping_result.cgi binary, which did not properly filter input before reflecting it back to the client. This improper filtering allowed JavaScript to be injected into the response to the client. This could be used to run code on the client’s browser, such as making requests on behalf of the user or disclosing confidential tokens. Using this vulnerability in addition to TALOS-2018-0751 allowed for complete session hijacking of an authenticated user.
TALOS-2018-0748: Talos discovered this vulnerability within the file upload capability of templates within the AirLink 450. When uploading template files, a user can specify the name of the file being uploaded. There were no restrictions to protect the files currently on the device and used for normal operation. If a file was uploaded with the same name as a file that already existed in the directory, it inherits the permissions of that file. In this case, multiple CGI files could be overwritten with execute permissions. After replacing the file, an adversary could navigate to the newly uploaded CGI binary, and the code would be executed. By leveraging TALOS-2018-0751 and TALOS-2018-0750, the adversary could hijack an authenticated session of a user after uploading malicious code and executing it on command. This would result in fully unauthenticated remote code execution.
Observations
Most of the findings on the AirLink 450 centered around the web server and the basic functionality it provides. The lack of CSRF protection in the web server, combined with the reflected XSS vulnerability, allows authenticated requests to be made by hijacking a user's session. A well-developed and tested web server should include CSRF protection automatically. The XSS can be mitigated by properly encoding user input before it is reflected, using well-tested JavaScript or server-side sanitization libraries rather than ad-hoc code in CGI binaries. Finally, file upload functionality should be strictly limited to a directory that contains only user-uploaded files, to avoid permission inheritance or overwrites of operational files that could be used maliciously.
**Siretta QUARTZ-GOLD**
Research conducted by Francesco Benvenuto.
Background
The Siretta QUARTZ-GOLD was included in this research because the device is often deployed near critical devices, giving vulnerabilities an increased level of urgency. The device has a 4G/LTE failover mechanism for network uptime, which likely means the router is deployed on critical networks. Over the course of the research, Talos submitted 14 unique reports to Siretta, resulting in 62 CVEs. The research on the Siretta QUARTZ-GOLD explored all aspects of the router that were accessible by default. This included the HTTP server, the SNMP server implementation, and various command line interface (CLI) tools. The majority of the router firmware is a fork of FreshTomato, an open-source router firmware. By building on this firmware, the QUARTZ-GOLD inherits whatever vulnerabilities exist in that project, as does every other product built on the same open-source codebase.
Notable Vulnerabilities
- TALOS-2022-1638: This vulnerability existed in the M2M feature of the QUARTZ-GOLD. When the M2M feature was enabled, the m2m binary was executed. This binary offered rich functionality through a custom UDP protocol, including a function called “DELETE_FILE”, which executed the command `rm -rf <base_folder>/<M2M_data_entry.data> &` through the system function. The M2M_data_entry.data portion of the command was taken from the UDP packet without any parsing or sanitization, so the functionality was vulnerable to command injection. Furthermore, the DELETE_FILE functionality did not require authentication. An unauthenticated attacker could use this vulnerability to achieve arbitrary command execution.
- TALOS-2022-1615: This vulnerability existed in the SNMP functionality of the router. The QUARTZ-GOLD implemented a feature that allowed custom OIDs to be defined within the router, each backed by a command that runs whenever the OID is queried. An attacker could define a custom OID whose command is executed directly as the root user in the Linux shell. An adversary could leverage this vulnerability to achieve arbitrary command injection.
- TALOS-2022-1610: Talos discovered this vulnerability within the web server functionality of the QUARTZ-GOLD. By basing the firmware of this device on FreshTomato, many default features were inherited from FreshTomato that were not documented as part of the device's functionality. More specifically, debug functionality inherited from FreshTomato was not disabled and allowed a user authenticated to the web interface to issue direct Linux commands as if they had a shell. An authenticated attacker could use this vulnerability to achieve arbitrary command injection.
Observations
The Siretta QUARTZ-GOLD inherited many of the discovered vulnerabilities from the third-party code base included in the product. FreshTomato includes many features that are prebuilt but could have been disabled if the manufacturer were more familiar with the code they were building from. Much of the debugging functionality provided by FreshTomato is undocumented in the Siretta device and seems unintentionally included. When reusing large code bases, it is important to know what exactly is being included in that code base, and how it can be properly configured for the use-case the developer has in mind.
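Several of the findings above share one root cause: a request field (the host passed to ping and trace in TALOS-2023-1706, the `machine_name` and `wan_domain` NVRAM values in TALOS-2018-0625, the device name in TALOS-2022-1596, the file entry in the M2M `DELETE_FILE` handler of TALOS-2022-1638) is pasted into a string handed to `system()`. The following added example, written for this article and not taken from any vendor's firmware, shows that vulnerable pattern next to a hardened version that allowlists the input and then runs the program through an argv array, or calls the filesystem API directly, so that no shell ever parses attacker-supplied text. The `/tmp/m2m` base directory, the `ping` options and all function names are assumptions; the vulnerable `ping_host_vulnerable` is included for contrast only and nothing in the file calls it.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* ---- Vulnerable pattern (model): user text becomes part of a shell line ---- */

/* Builds the exact string the vulnerable handler would pass to system(), and
 * returns it so the injected command can be inspected without being run. */
int build_ping_cmd(char *out, size_t outsz, const char *host)
{
    int n = snprintf(out, outsz, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

void ping_host_vulnerable(const char *host)
{
    char cmd[256];
    if (build_ping_cmd(cmd, sizeof cmd, host) == 0)
        system(cmd);   /* host "1.1.1.1; reboot" also runs reboot, as root on most routers */
}

/* ---- Hardened version ---- */

/* Allowlist for hostnames and IPv4/IPv6 literals. Anything else (spaces, ';',
 * '|', '$', '`', quotes, newlines) is rejected rather than escaped. A leading
 * '-' is refused so the value cannot be parsed by ping as an option. */
bool valid_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-')
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return false;
    }
    return true;
}

/* Runs ping with an argv array: the host is a single argument, never part of
 * a shell string. Returns ping's exit status, or -1 if the input was rejected
 * or the process could not be started. */
int ping_host_safe(const char *host)
{
    if (!valid_host(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "1", host, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Names accepted by the delete handler: one path component made of
 * [A-Za-z0-9._-], not "." or "..", so it can only refer to something inside base. */
bool valid_entry_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64)
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return false;
    }
    return true;
}

/* Replacement for system("rm -rf <base>/<name> &"): validate, then unlink()
 * directly. Returns 0 on success, -1 with errno set otherwise. */
int delete_entry_safe(const char *base, const char *name)
{
    if (!valid_entry_name(name)) {
        errno = EINVAL;
        return -1;
    }
    char path[512];
    int n = snprintf(path, sizeof path, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return unlink(path);
}
```

Two design points matter here. First, the check is an allowlist, not a blocklist of shell metacharacters: the set of characters a shell treats specially is larger than most people remember, and an allowlist stays correct when the command is later run through a different shell or BusyBox applet. Second, even with validation in place the hardened code never constructs a shell line at all, so a validation bug cannot turn back into code execution.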
**Synology SRM - RT2600ac**
Research conducted by Claudio Bozzato.
Background
The Synology RT2600ac is a high-end SOHO router that runs on Synology SRM (Synology Router Manager), a Linux-based operating system for all Synology routers. Talos researchers chose to look at this product because of its popularity and reputation for quality. We submitted nine reports to Synology, of which two affect their VPN service (QuickConnect), and one affects a Qualcomm tool used in SRM, eventually leading to the disclosure of 10 CVEs. QuickConnect is Synology’s VPN service, which allows for managing routers remotely without requiring the configuration of the router to expose its management port and without having to manage DDNS services to locate the router remotely.
This research has been detailed in a dedicated blog post, which explains how Talos managed to chain some of the reported vulnerabilities to achieve remote code execution without prior authentication in SRM devices via Synology’s VPN services, which are publicly accessible.
Notable Vulnerabilities
TALOS-2020-1064: When routers connect to the QuickConnect VPN, they are placed in a dedicated subnet. This report demonstrates that the subnets are, however, not logically split, so it is possible to change the assigned netmask to a larger one, allowing one to talk with any other router connected to the same VPN. The VPNs are accessible by routers upon registration against QuickConnect. But after initial registration, the router is not needed anymore, and the attack can be performed independently of the device. There are several VPNs available that are easily enumerable and seem to be geo-located.
TALOS-2020-1066: This report describes a vulnerability in the iptables rules within the router. SRM defines filtering rules that restrict LAN-side access to selected ports only. However, those rules are missing for connections that arrive from the QuickConnect VPN. This means that any service listening on the device is remotely accessible from the VPN. This can be used together with TALOS-2020-1064 to obtain unrestricted communication with any network service running on a chosen device among those reachable in the VPN.
TALOS-2020-1065: This report describes a vulnerability in Qualcomm's lbd, a service reachable via LAN on ports 7786 and 7787, which can be used without authentication to directly execute shell commands as root whenever an attacker is on the same LAN as the router. Since this is reachable via LAN, it is also reachable via the VPN. By chaining this vulnerability with the two above, it was possible to execute arbitrary commands as root via the VPN, without prior authentication, on any selected router connected to QuickConnect.
Observations
Synology SRM provides a convenient VPN service to solve the remote management issue for SOHO routers running on a dynamic IP address. However, this research has shown that such services can also widen the attack surface. Devices exposed via DDNS normally take more effort to be discovered, usually requiring an internet-wide scan. With QuickConnect, however, all devices are easily discovered as they’re all connected to the same VPN, which is publicly accessible and whose geo-located services are easily enumerable.
TCL LinkHub Mesh Wifi
Research conducted by Carl Hurd.
Background
The TCL LinkHub is one of the newest products sold by TCL, and its feature set and price tag could mean a very rapid adoption rate, much like the budget TV market. Over the course of the research, Talos submitted 17 unique reports to TCL, resulting in 42 CVEs. The research on the TCL LinkHub Mesh Wi-Fi system was primarily focused on the API service that is used for all management of the device. The LinkHub does not use a web server to serve a user interface; instead, all interaction with the device is done through a phone application. This phone application interacts with the device through a Protocol Buffers (protobuf)-based API. This service is one of the few ports open by default and thus was the most interesting target for this research.
Notable Vulnerabilities
- TALOS-2022-1463: This vulnerability existed in the code for getting and setting values in the LinkHub’s flash storage. This vulnerability is interesting because it was not contained in a specific library and was used in almost every binary on the device. While getting values from flash, the function did not take into account the length of the destination buffer. An attacker could easily change a configuration value to a large value, and the next time that variable was loaded from flash, it would cause a buffer overflow. This vulnerability would lead to arbitrary code execution.
- TALOS-2022-1455: This vulnerability existed in the API service that is exposed for use with the phone application. Protocol Buffers (protobuf) serialization is used for all communication with the device from the management application. Once the buffer is deserialized, it is dispatched to various handlers across the device. Within the set_mf_rule functionality, a memcpy occurs whose length is taken directly from user input. Attackers could use this functionality to send an mf_rule message that contains fields larger than the statically sized buffers in the device. This vulnerability would lead to a buffer overflow and arbitrary code execution.
- TALOS-2022-1458: This vulnerability existed in the API service that is exposed for use with the phone application. Protocol Buffers (protobuf) serialization is used for all communication with the device from the management application. Once the buffer is deserialized, it’s dispatched to various handlers across the device. Within the ucloud_add_node functionality, which is used to add satellites to the router mesh, content of the MxpManageList message is passed directly into the system function. An attacker could use a malicious message to execute arbitrary commands using this vulnerability.
Observations
The TCL LinkHub has a unique approach to management, which changes the attack surface significantly. Choosing to utilize Protocol Buffers for serialization is a good decision on the developer’s part, as it is a well-tested and maintained library, but once the data is deserialized, much of the input is blindly trusted since it is assumed to come from the management application. All of this data should be treated as user data, and more validation should occur after deserialization, prior to use in potentially dangerous functions such as memcpy.
TP-Link TL-R600VPN
Research conducted by Jared Rittle and Carl Hurd.
Background
The TP-Link TL-R600VPN became a subject of our research for its direct involvement in the VPNFilter campaign. The TP-Link TL-R600VPN is a five-port SOHO router. This device contains a Realtek RTL8198 integrated system on a chip. This particular chip uses an offshoot of the MIPS-I architecture developed by Lexra. This device is a fairly run-of-the-mill small router and contains network diagnostic capabilities and basic router functionality that is managed by a web server on the device. This research led to four Talos reports to TP-Link, resulting in four CVEs. For a more in-depth look at the research done on this device, refer to the corresponding blog post.
Notable Vulnerabilities
- TALOS-2018-0620: This vulnerability existed in the header parsing of HTTP requests within the web server. This vulnerability was triggered by sending a request to a specific subset of pages on the web server. Once the request was made, a statically sized buffer was used for the parsed headers. An attacker could use an abnormally long header entry to overflow the buffer and overwrite the return address. This vulnerability leads to arbitrary code execution.
- TALOS-2018-0619: This vulnerability existed in the network debugging functionality of the device. The ping functionality of the R600-VPN contained a user-supplied parameter whose length was not checked. An attacker could supply an abnormally long ping_addr parameter to overflow the statically sized buffer used to hold the value, in turn overwriting the return address. This vulnerability leads to arbitrary code execution.
- TALOS-2018-0618: This vulnerability was contained within the HTTP server within the R600-VPN. The user-provided URL was parsed without regard for special sequences such as “../” that navigate up a directory tree. Normally, sequences like this are removed or ignored in a URL and the directory navigation does not occur, but in the R600-VPN this navigation could be used to retrieve any files on the device. This vulnerability leads to sensitive information disclosure.
Observations
Most of the findings on the TL-R600VPN centered around the web server and the functionality provided by it. One of the simplest solutions to reduce risk is to integrate a well-tested web server instead of developing one from scratch or including untested code in the product. While some of the vulnerable code was within the web server itself, much of it was also added by the manufacturer for simple additional features, like network diagnostics. It is clear from this research that any added code needs to be reviewed to prevent these issues.
ZTE MF971R
Research conducted by Marcin Noga.
Background
The ZTE MF971R mobile router is one of the newest devices in the ZTE MF mobile router family. At least in Poland, it is a very popular device, because it is sold by, among others, major GSM providers, or even added as a gift to some of their products and services. Over the course of the research, Talos submitted seven reports to ZTE, resulting in seven CVEs. The research on the ZTE MF971R router was primarily focused on the web application and server that is used for all management of the device. We managed to find a set of vulnerabilities in the Web APIs which, chained together, allowed us to create a one-click exploit giving us full remote access to the device. See our deep dive whitepaper for a more in-depth explanation.
Notable Vulnerabilities
- TALOS-2021-1317: This vulnerability is related to the implementation of the CSRF protection that restricts communication with certain Web APIs. To communicate with that set of Web APIs, a request should be sent from the 127.0.0.1 address or the default router IP address (192.168.0.1), and this is verified by checking the HTTP Referer value. Unfortunately, the way the check was implemented gives an attacker the possibility to bypass it by simply adding the string 127.0.0.1 anywhere in the referrer URL, obtaining full access to the API communication.
- TALOS-2021-1320: Talos discovered this vulnerability within the implementation of the ADB_MODE_SWITCH Web API. The length of the password parameter that is part of this API is not properly checked, which leads to a stack-based buffer overflow. The victim does not need to be logged in to be affected by this vulnerability. The only constraint an attacker needs to pass is the referrer check, which is easy to bypass, as described in TALOS-2021-1317. This remote pre-auth stack-based buffer overflow gives an attacker full control when overwriting the return address and, as we demonstrated, can be turned into one-click remote code execution.
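As an added example (not ZTE’s code), the substring-style Referer check described in TALOS-2021-1317 beside a version that compares the parsed host component against an allow-list; the sample Referer values and the hostname third-party.example are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hosts from which the management API is meant to be reachable, as described
 * in the advisory: loopback and the router's default LAN address.
 * Note: even a correct Referer check is a weak CSRF defence on its own, since
 * the header can be absent or stripped; a per-session anti-CSRF token is the
 * standard control, and the Referer check should only supplement it. */
static const char *const allowed_hosts[] = { "127.0.0.1", "192.168.0.1" };

/* Weak check modelled on the pattern the advisory describes: a substring match
 * anywhere in the header, so any URL that merely contains one of the strings
 * (for example in its path or query) satisfies it. */
static int referer_allowed_weak(const char *referer) {
    if (referer == NULL) return 0;
    return strstr(referer, "127.0.0.1") != NULL || strstr(referer, "192.168.0.1") != NULL;
}

/* Stricter check: isolate the host component of the Referer URL and compare it
 * whole against the allow-list. A missing or non-HTTP Referer is rejected. */
static int referer_allowed_strict(const char *referer) {
    const char *auth;
    size_t auth_len, host_len, i;

    if (referer == NULL) return 0;
    if (strncmp(referer, "http://", 7) == 0) auth = referer + 7;
    else if (strncmp(referer, "https://", 8) == 0) auth = referer + 8;
    else return 0;

    /* authority = [userinfo@]host[:port], ending at the first '/', '?' or '#' */
    auth_len = strcspn(auth, "/?#");
    /* Browsers do not send userinfo in Referer; "127.0.0.1:x@other.host" must not pass. */
    if (memchr(auth, '@', auth_len) != NULL) return 0;
    /* host ends at the optional ":port" */
    host_len = 0;
    while (host_len < auth_len && auth[host_len] != ':') host_len++;
    if (host_len == 0) return 0;

    for (i = 0; i < sizeof allowed_hosts / sizeof allowed_hosts[0]; i++) {
        if (strlen(allowed_hosts[i]) == host_len && memcmp(allowed_hosts[i], auth, host_len) == 0)
            return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample Referer values; third-party.example is a placeholder. */
    const char *samples[] = {
        "http://192.168.0.1/index.html",
        "http://127.0.0.1:8080/goform/settings",
        "http://third-party.example/page?next=127.0.0.1",
        "http://127.0.0.1.third-party.example/",
        "http://127.0.0.1:x@third-party.example/",
        NULL,
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-48s weak=%d strict=%d\n", samples[i] ? samples[i] : "(no Referer)",
               referer_allowed_weak(samples[i]), referer_allowed_strict(samples[i]));
    }
    return 0;
}
```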
Observations
The ZTE MF971R’s security suffered for several reasons. Despite visible efforts to reduce access to certain Web APIs, it was still possible to bypass this mechanism, thus increasing the number of attack vectors. The main web server binary was built without basic mitigations such as ASLR (Address Space Layout Randomization) and stack cookies, making the exploitation of existing vulnerabilities trivial. Improving security mechanisms in the aforementioned areas will reduce the number of attack vectors and make exploiting existing vulnerabilities, especially those reachable without any authorization, more difficult or practically impossible.
Common frameworks
The previous section talked about the specific routers that we investigated. However, some of these routers also ran software that is common to many routers: open-source firmware such as OpenWrt, FreshTomato, Asuswrt or DD-WRT. One router also ran a specific kernel module, NetUSB.ko, made by KCodes. As this software isn’t specific to the vendors we discussed in the router sections, we’re grouping the vulnerabilities we found in it together here.
OpenWrt
Research conducted by Claudio Bozzato.
Background
OpenWrt is a Linux-based OS, primarily used on embedded devices to route network traffic. It’s highly customizable and ships with a set of tools and libraries that have been optimized to run on hardware with limited resources. Due to this, OpenWrt is a common choice among SOHO routers.
Notable Vulnerabilities
- TALOS-2019-0893: This vulnerability affected the ustream-ssl library, a library that works as an SSL wrapper for OpenSSL, mbed TLS and wolfSSL. This issue describes how the library does not terminate the SSL connection immediately when a wrong certificate is supplied by an HTTPS server, allowing the client to send one request using any unverified certificate, before terminating the connection. As OpenWrt uses this library for tools like wget, any functionality relying on it would be affected by this information leak when requesting any HTTPS URL, which could allow, in the worst case, for an attacker to perform a man-in-the-middle attack and steal any sensitive information present in the request.
Observations
Because the HTTPS connection eventually terminates with an error, this issue can easily go unnoticed. As OpenWrt is a platform that is easy to customize and write scripts for, such a vulnerability may affect a large number of users.
FreshTomato
Research conducted by Francesco Benvenuto.
Background
FreshTomato is a popular open-source firmware project. It is an actively maintained and modern firmware project that’s widely used by multiple SOHO routers. By default, it ships with several functionalities, e.g., SSH, VPN capabilities, Telnet, routing, etc.
Notable Vulnerabilities
- TALOS-2022-1642: This vulnerability existed in one of the functionalities provided by FreshTomato’s HTTP server. The server provides a simple template language, and one of the templating functions reads the content of a file, named by the user, from a specific folder. Because no sanitization is performed and the file path is composed by concatenating the hard-coded path with the provided filename, this function is vulnerable to path traversal. An attacker with valid credentials could read any file in the file system.
- TALOS-2022-1641: This vulnerability existed in one of the log-related functions provided by FreshTomato’s HTTP server. The functionality allows users to find certain strings in the log file via OS commands. Because no real sanitization is performed on the user-controlled parameter, this function is vulnerable to OS command injection. An attacker could leverage this vulnerability to achieve arbitrary command execution.
- TALOS-2022-1509: This vulnerability existed in the URL unescape functionality provided by FreshTomato’s HTTP server. The unescape always assumes that there are two characters following the ‘%’ character. However, this is not always the case, which opens the door to an out-of-bounds read and write.
Observations
Because the FreshTomato project is the base for many routers, any vulnerability found in the software could have wide-ranging consequences. We cannot fully gauge how the firmware is deployed and how much impact these vulnerabilities will have on the deployed router.
Asuswrt and Asuswrt-Merlin New Gen, DD-WRT
Research conducted by Francesco Benvenuto.
Background
Like FreshTomato, Asuswrt, Asuswrt-Merlin New Gen and DD-WRT are the base firmware for several SOHO routers.
Notable Vulnerabilities
- TALOS-2022-1511: This vulnerability existed in the URL unescape functionality provided by the Asuswrt and Asuswrt-Merlin New Gen HTTP server. The unescape always assumes that there are two characters following the “%” character. However, this is not always the case and could lead to an out-of-bounds read and write.
- TALOS-2022-1510: This vulnerability existed in the URL unescape functionality provided by DD-WRT’s HTTP server. The unescape always assumes that there are two characters following the “%” character; however, this assumption is incorrect and could lead to an out-of-bounds read and write.
Observations
After our researchers discovered TALOS-2022-1509, we found other software that was vulnerable to the same unescape pattern, including TALOS-2022-1511 in Asuswrt and Asuswrt-Merlin New Gen, and TALOS-2022-1510 in DD-WRT.
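As an added example (not code from FreshTomato, Asuswrt, Asuswrt-Merlin New Gen or DD-WRT), the decoder pattern the three advisories TALOS-2022-1509, TALOS-2022-1511 and TALOS-2022-1510 describe, beside a bounds-checked version; the function names and inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Naive decoder modelled on the pattern the advisories describe: every '%' is
 * assumed to be followed by two characters, so the input pointer is advanced
 * by three without checking for the terminating NUL. On "a%4" it consumes the
 * NUL as the second "hex digit", steps past the end of the string and keeps
 * copying whatever memory follows, so the output grows beyond strlen(in) + 1
 * and overflows any buffer that was sized from the input. */
static size_t url_unescape_naive(const char *in, char *out) {
    size_t n = 0;
    while (*in) {
        if (*in == '%') {
            out[n++] = (char)(hexval((unsigned char)in[1]) * 16 + hexval((unsigned char)in[2]));
            in += 3;
        } else {
            out[n++] = *in++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Hardened decoder: decodes in into out (capacity outcap, including the NUL)
 * and returns the decoded length, or -1 for a truncated escape, a non-hex
 * escape, or output that would not fit. Malformed input is rejected rather
 * than guessed at, so the loop can never step over the terminator. */
static long url_unescape_safe(const char *in, char *out, size_t outcap) {
    size_t n = 0;
    while (*in) {
        int c;
        if (*in == '%') {
            int hi, lo;
            if (in[1] == '\0' || in[2] == '\0') return -1;   /* "%" or "%4" at end of input */
            hi = hexval((unsigned char)in[1]);
            lo = hexval((unsigned char)in[2]);
            if (hi < 0 || lo < 0) return -1;                 /* e.g. "%zz" */
            c = hi * 16 + lo;
            in += 3;
        } else {
            c = (unsigned char)*in++;
        }
        if (n + 1 >= outcap) return -1;                      /* no room for byte plus NUL */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (long)n;
}

/* Runs the naive decoder on a constructed 16-byte buffer holding "a%4", its
 * NUL, and then "XYZ" standing in for whatever follows a request buffer in
 * memory. Both arrays are large enough that the demonstration itself stays in
 * bounds; it returns the number of bytes emitted, 5, although strlen(in) is 3. */
static size_t demo_naive_overrun(void) {
    char in[16] = "a%4";
    char out[16];
    memcpy(in + 4, "XYZ", 4);
    return url_unescape_naive(in, out);
}

/* Helpers for the checks: decode into an 8-byte buffer. */
static long safe_len(const char *in) {
    char out[8];
    return url_unescape_safe(in, out, sizeof out);
}
static int decodes_to(const char *in, const char *expected) {
    char out[8];
    return url_unescape_safe(in, out, sizeof out) >= 0 && strcmp(out, expected) == 0;
}

int main(void) {
    printf("naive decoder emitted %zu bytes for a 3-byte input\n", demo_naive_overrun());
    printf("safe decoder: \"a%%41b\" -> %ld, \"a%%4\" -> %ld, \"%%zz\" -> %ld\n",
           safe_len("a%41b"), safe_len("a%4"), safe_len("%zz"));
    return 0;
}
```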
KCodes NetUSB.ko
Research conducted by Dave McDaniel.
Background
Some NETGEAR routers utilize a bespoke kernel module called NetUSB.ko from a Taiwanese company called KCodes. This module is custom-made for each device but contains similar functionality. The module shares USB devices over TCP, allowing clients to use various vendor-made drivers and software to connect to these devices in such a way that the client machine treats the remote device as a local USB device plugged into their computer. The software used for NETGEAR routers is called NETGEAR USB Control Center, and it utilizes a driver called NetUSBUDSTcpBus.sys (on Windows) for communications.
Notable Vulnerabilities
- TALOS-2019-0775: Once the static AES key was recovered, an attacker could easily trigger a DoS or remote information disclosure using a single opcode after the handshake.
- TALOS-2019-0776: Similar to TALOS-2019-0775, this vulnerability leaks memory. In this case, it leaks very useful memory such as stack boundary addresses, a pointer to a specific configuration function and, notably, the base address of the running kernel module NetUSB.ko. This could potentially be combined with other remote attacks that could leverage this data when designing a specific payload for the target.
Observations
Many other products use NetUSB.ko. A previously disclosed vulnerability in 2015 led researchers to believe a flaw in this very kernel module potentially existed in as many as 92 products across multiple vendors. For this analysis, we utilized the R8000 hardware to test the R8000 version of NetUSB.ko (1.0.2.66) and the R7900 version (1.0.2.69) since both modules are compiled for the same kernel. Specifically, the information disclosed in TALOS-2019-0776 appears to be particularly useful for recovering sensitive memory addresses for payload generation, regardless of the architecture/operating system that uses the kernel module.
Key observations
SOHO routers are generally valuable targets for adversaries due to their position within the network and wide adoption within common network deployments. Their relatively low cost, wide availability, ease of acquisition and user-friendly management features lead to these products being in many homes, small and home offices, warehouses, coffee shops and many other businesses. They are even deployed as gateways providing remote access to industrial environments.
Vulnerabilities in these routers can provide entry to a huge variety of targets, and the same vulnerability can be used for impact, meaning these routers are high-value targets for malicious actors.
The security posture of these lower-cost routers has improved over the last few years, but in general, security advice for these devices is the same as it has been in the past. Some of the important security tenets for manufacturers are:
- Features and services should be disabled by default unless they are critical for the operation of the device.
- WAN-side management should be deactivated by default.
- Support modern security features such as TLS/SSL encryption and make sure they’re implemented properly.
- Never trust user input.
- Keep third-party code up-to-date.
- Audit or familiarize yourself with integrated code.
- Don’t rely on obscure and undocumented diagnostic features or credentials.
Each of the vulnerabilities discovered falls into one of these categories. Code quality is always going to be an additional concern, and the use of safe functions should always be enforced during development. Ideally, use static analysis tooling during development. This may not be financially viable for many products hoping to keep consumer costs low. In this case, lean on compiler warnings and any other methods of ensuring the highest code quality possible.
Simple changes to the development process can mitigate many of the worst effects of these issues. Memory corruption, one of the most glaring classes of vulnerability, can be mitigated by using memory-safe languages (e.g., Rust or Go). If safe languages are not an option, vendors should make sure to implement as many mitigations as possible, both compiler-based and OS-based. Examples of these mitigations are non-executable stacks and address space layout randomization (ASLR).
The next most helpful change involves defining user interaction boundaries. Generic strings are notoriously difficult to parse or apply access controls to. By utilizing a well-defined API boundary, it is easier to validate user requests and input. The boundary also acts as an access control list to prevent a malicious user from executing arbitrary commands or providing input that would result in other unexpected behavior.
The most important security step a user of these devices can take is to assess each service present on the device. Verify that each running service is required for the day-to-day operation of the device, and disable all extraneous services. Services that cannot be disabled should be restricted to the absolute minimum of access or completely blocked using alternative methods, such as firewall rules to block traffic. During the acquisition process, if possible, basic research should be done to ensure the devices have sane, secure defaults enabled, such as the use of encrypted protocols for remote access and administration, if applicable. Start your assessment by reading the router’s user manual thoroughly, even before purchase. The quality of the details concerning device features in a user manual is often indicative of the overall product quality.
While the security posture of SOHO routers has generally improved, many could benefit from low-cost mitigations that would drastically improve their security posture. Over the past few years, Talos has published 141 advisories covering 289 CVEs within 13 SOHO and industrial routers and six common frameworks. Talos vulnerability research is always driven by the mandate to protect Cisco customers, but we also aim to improve the security of all devices we research. All research has been publicly disclosed, after disclosure to the vendor, according to Cisco’s vulnerability disclosure policy. These disclosures directly result in vulnerability remediations that improve the security posture of anyone using these devices.
Vulnerability List
This blog post included a summary of each router and a few select vulnerabilities. Below is a list of all the advisories Talos disclosed post-VPNFilter.
| Talos ID (Linked to Report) | CVE(s) | Product |
| --- | --- | --- |
| TALOS-2022-1511 | CVE-2022-26376 | Asuswrt and Asuswrt-Merlin New Gen |
| TALOS-2022-1592 | CVE-2022-38393 | Asus RT-AX82U |
| TALOS-2022-1590 | CVE-2022-38105 | Asus RT-AX82U |
| TALOS-2022-1586 | CVE-2022-35401 | Asus RT-AX82U |
| TALOS-2021-1361 | CVE-2021-21913 | D-Link DIR3040 |
| TALOS-2021-1285 | CVE-2021-21820 | D-Link DIR3040 |
| TALOS-2021-1284 | CVE-2021-21819 | D-Link DIR3040 |
| TALOS-2021-1283 | CVE-2021-21818 | D-Link DIR3040 |
| TALOS-2021-1282 | CVE-2021-21817 | D-Link DIR3040 |
| TALOS-2021-1281 | CVE-2021-21816 | D-Link DIR3040 |
| TALOS-2022-1510 | CVE-2022-27631 | DD-WRT |
| TALOS-2022-1642 | CVE-2022-38451 | FreshTomato |
| TALOS-2022-1641 | CVE-2022-42484 | FreshTomato |
| TALOS-2022-1509 | CVE-2022-28664 - CVE-2022-28665 | FreshTomato |
| TALOS-2022-1523 | CVE-2022-25932 | InHand Networks InRouter302 |
| TALOS-2022-1522 | CVE-2022-29888 | InHand Networks InRouter302 |
| TALOS-2022-1521 | CVE-2022-28689 | InHand Networks InRouter302 |
| TALOS-2022-1520 | CVE-2022-26023 | InHand Networks InRouter302 |
| TALOS-2022-1519 | CVE-2022-30543 | InHand Networks InRouter302 |
| TALOS-2022-1518 | CVE-2022-29481 | InHand Networks InRouter302 |
| TALOS-2022-1501 | CVE-2022-26518 | InHand Networks InRouter302 |
| TALOS-2022-1500 | CVE-2022-26075 | InHand Networks InRouter302 |
| TALOS-2022-1499 | CVE-2022-26420 | InHand Networks InRouter302 |
| TALOS-2022-1496 | CVE-2022-27172 | InHand Networks InRouter302 |
| TALOS-2022-1495 | CVE-2022-26510 | InHand Networks InRouter302 |
| TALOS-2022-1481 | CVE-2022-26780 - CVE-2022-26782 | InHand Networks InRouter302 |
| TALOS-2022-1478 | CVE-2022-26042 | InHand Networks InRouter302 |
| TALOS-2022-1477 | CVE-2022-25995 | InHand Networks InRouter302 |
| TALOS-2022-1476 | CVE-2022-26002 | InHand Networks InRouter302 |
| TALOS-2022-1475 | CVE-2022-26007 | InHand Networks InRouter302 |
| TALOS-2022-1474 | CVE-2022-26020 | InHand Networks InRouter302 |
| TALOS-2022-1473 | CVE-2022-26085 | InHand Networks InRouter302 |
| TALOS-2022-1472 | CVE-2022-21182 | InHand Networks InRouter302 |
| TALOS-2022-1471 | CVE-2022-24910 | InHand Networks InRouter302 |
| TALOS-2022-1470 | CVE-2022-25172 | InHand Networks InRouter302 |
| TALOS-2022-1469 | CVE-2022-21238 | InHand Networks InRouter302 |
| TALOS-2022-1468 | CVE-2022-21809 | InHand Networks InRouter302 |
| TALOS-2019-0776 | CVE-2019-5017 | KCodes NetUSB.ko |
| TALOS-2019-0775 | CVE-2019-5016 | KCodes NetUSB.ko |
| TALOS-2018-0625 | CVE-2018-3953 - CVE-2018-3955 | Linksys E Series |
| TALOS-2023-1723 | CVE-2023-25582 - CVE-2023-25583 | Milesight UR32L |
| TALOS-2023-1718 | CVE-2023-24019 | Milesight UR32L |
| TALOS-2023-1716 | CVE-2023-25081 - CVE-2023-25124 | Milesight UR32L |
| TALOS-2023-1715 | CVE-2023-24018 | Milesight UR32L |
| TALOS-2023-1714 | CVE-2023-22653 | Milesight UR32L |
| TALOS-2023-1713 | CVE-2023-24595 | Milesight UR32L |
| TALOS-2023-1712 | CVE-2023-22299 | Milesight UR32L |
| TALOS-2023-1711 | CVE-2023-22365 | Milesight UR32L |
| TALOS-2023-1710 | CVE-2023-24582 - CVE-2023-24583 | Milesight UR32L |
| TALOS-2023-1706 | CVE-2023-24519 - CVE-2023-24520 | Milesight UR32L |
| TALOS-2023-1705 | CVE-2023-23546 | Milesight UR32L |
| TALOS-2023-1699 | CVE-2023-22659 | Milesight UR32L |
| TALOS-2023-1698 | CVE-2023-22306 | Milesight UR32L |
| TALOS-2023-1697 | CVE-2023-23902 | Milesight UR32L |
| TALOS-2023-1696 | CVE-2023-23571 | Milesight UR32L |
| TALOS-2023-1695 | CVE-2023-23547 | Milesight UR32L |
| TALOS-2023-1694 | CVE-2023-23550 | Milesight UR32L |
| TALOS-2023-1704 | CVE-2023-24496 - CVE-2023-24497 | MilesightVPN |
| TALOS-2023-1703 | CVE-2023-22371 | MilesightVPN |
| TALOS-2023-1702 | CVE-2023-23907 | MilesightVPN |
| TALOS-2023-1701 | CVE-2023-22319 | MilesightVPN |
| TALOS-2023-1700 | CVE-2023-22844 | MilesightVPN |
| TALOS-2022-1598 | CVE-2022-38458 | Netgear Orbi Router RBR750 |
| TALOS-2022-1597 | CVE-2022-36429 | Netgear Orbi Satellite RBS750 |
| TALOS-2022-1596 | CVE-2022-37337 | Netgear Orbi Router RBR750 |
| TALOS-2022-1595 | CVE-2022-38452 | Netgear Orbi Router RBR750 |
| TALOS-2019-0893 | CVE-2019-5101 - CVE-2019-5102 | OpenWrt |
| TALOS-2022-1580 | CVE-2022-34845 | Robustel R1510 |
| TALOS-2022-1579 | CVE-2022-33897 | Robustel R1510 |
| TALOS-2022-1578 | CVE-2022-34850 | Robustel R1510 |
| TALOS-2022-1577 | CVE-2022-33150 | Robustel R1510 |
| TALOS-2022-1576 | CVE-2022-32765 | Robustel R1510 |
| TALOS-2022-1575 | CVE-2022-35261 - CVE-2022-35271 | Robustel R1510 |
| TALOS-2022-1573 | CVE-2022-33325 - CVE-2022-33329 | Robustel R1510 |
| TALOS-2022-1572 | CVE-2022-33312 - CVE-2022-33314 | Robustel R1510 |
| TALOS-2022-1571 | CVE-2022-28127 | Robustel R1510 |
| TALOS-2022-1570 | CVE-2022-32585 | Robustel R1510 |
| TALOS-2018-0756 | CVE-2018-4072 - CVE-2018-4073 | Sierra Wireless Airlink |
| TALOS-2018-0755 | CVE-2018-4070 - CVE-2018-4071 | Sierra Wireless Airlink |
| TALOS-2018-0754 | CVE-2018-4069 | Sierra Wireless Airlink |
| TALOS-2018-0753 | CVE-2018-4068 | Sierra Wireless Airlink |
| TALOS-2018-0752 | CVE-2018-4067 | Sierra Wireless Airlink |
| TALOS-2018-0751 | CVE-2018-4066 | Sierra Wireless Airlink |
| TALOS-2018-0750 | CVE-2018-4065 | Sierra Wireless Airlink |
| TALOS-2018-0749 | CVE-2018-4064 | Sierra Wireless Airlink |
| TALOS-2018-0748 | CVE-2018-4063 | Sierra Wireless Airlink |
| TALOS-2018-0747 | CVE-2018-4062 | Sierra Wireless Airlink |
| TALOS-2018-0746 | CVE-2018-4061 | Sierra Wireless Airlink |
| TALOS-2022-1640 | CVE-2022-42490 - CVE-2022-42493 | Siretta QUARTZ-GOLD |
| TALOS-2022-1639 | CVE-2022-41991 | Siretta QUARTZ-GOLD |
| TALOS-2022-1638 | CVE-2022-40222 | Siretta QUARTZ-GOLD |
| TALOS-2022-1637 | CVE-2022-41154 | Siretta QUARTZ-GOLD |
| TALOS-2022-1615 | CVE-2022-38066 | Siretta QUARTZ-GOLD |
| TALOS-2022-1613 | CVE-2022-40985 - CVE-2022-41030 | Siretta QUARTZ-GOLD |
| TALOS-2022-1612 | CVE-2022-40220 | Siretta QUARTZ-GOLD |
| TALOS-2022-1611 | CVE-2022-39045 | Siretta QUARTZ-GOLD |
| TALOS-2022-1610 | CVE-2022-38715 | Siretta QUARTZ-GOLD |
| TALOS-2022-1609 | CVE-2022-38088 | Siretta QUARTZ-GOLD |
| TALOS-2022-1608 | CVE-2022-38459 | Siretta QUARTZ-GOLD |
| TALOS-2022-1607 | CVE-2022-40969 | Siretta QUARTZ-GOLD |
| TALOS-2022-1606 | CVE-2022-40701 | Siretta QUARTZ-GOLD |
| TALOS-2022-1605 | CVE-2022-36279 | Siretta QUARTZ-GOLD |
| TALOS-2020-1064 | None (Cloud) | Synology QuickConnect |
| TALOS-2020-1060 | None (Cloud) | Synology QuickConnect |
| TALOS-2020-1087 | CVE-2020-27659 - CVE-2020-27660 | Synology SRM |
| TALOS-2020-1086 | CVE-2020-27658 | Synology SRM |
| TALOS-2020-1071 | CVE-2020-27656 - CVE-2020-27657 | Synology SRM |
| TALOS-2020-1066 | CVE-2020-27655 | Synology SRM |
| TALOS-2020-1065 | CVE-2020-27654, CVE-2020-11117 | Synology SRM |
| TALOS-2020-1061 | CVE-2020-27652 - CVE-2020-27653 | Synology SRM |
| TALOS-2020-1059 | CVE-2020-27650 - CVE-2020-27651 | Synology SRM |
| TALOS-2020-1058 | CVE-2020-27648 - CVE-2020-27649 | Synology SRM |
| TALOS-2020-1051 | CVE-2019-11823 | Synology SRM |
| TALOS-2022-1507 | CVE-2022-26346 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1506 | CVE-2022-27178 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1505 | CVE-2022-27185 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1504 | CVE-2022-27630 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1503 | CVE-2022-27633 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1502 | CVE-2022-27660 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1484 | CVE-2022-26342 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1483 | CVE-2022-26009 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1482 | CVE-2022-25996 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1463 | CVE-2022-24005 - CVE-2022-24029 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1462 | CVE-2022-23103 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1459 | CVE-2022-22144 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1458 | CVE-2022-22140 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1457 | CVE-2022-21178 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1456 | CVE-2022-21201 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1455 | CVE-2022-23918 - CVE-2022-23919 | TCL LinkHub Mesh Wifi |
| TALOS-2022-1454 | CVE-2022-23399 | TCL LinkHub Mesh Wifi |
| TALOS-2018-0620 | CVE-2018-3951 | TP-Link TL-R600VPN |
| TALOS-2018-0619 | CVE-2018-3950 | TP-Link TL-R600VPN |
| TALOS-2018-0618 | CVE-2018-3949 | TP-Link TL-R600VPN |
| TALOS-2018-0617 | CVE-2018-3948 | TP-Link TL-R600VPN |
| TALOS-2021-1321 | CVE-2021-21749 | ZTE MF971R |
| TALOS-2021-1320 | CVE-2021-21748 | ZTE MF971R |
| TALOS-2021-1319 | CVE-2021-21747 | ZTE MF971R |
| TALOS-2021-1318 | CVE-2021-21746 | ZTE MF971R |
| TALOS-2021-1317 | CVE-2021-21745 | ZTE MF971R |
| TALOS-2021-1316 | CVE-2021-21744 | ZTE MF971R |
| TALOS-2021-1313 | CVE-2021-21743 | ZTE MF971R |
Related news
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
Cross-site scripting (xss) vulnerabilities exist in the requestHandlers.js detail_device functionality of Milesight VPN v2.0.2. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger these vulnerabilities.This XSS is exploited through the remote_subnet field of the database
A directory traversal vulnerability exists in the server.js start functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to arbitrary file read. An attacker can send a network request to trigger this vulnerability.
A SQL injection vulnerability exists in the requestHandlers.js LoginAuth functionality of Milesight VPN v2.0.2. A specially crafted network request can lead to authentication bypass. An attacker can send a malicious packet to trigger this vulnerability.
An authentication bypass vulnerability exists in the requestHandlers.js verifyToken functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to authentication bypass. An attacker can send a network request to trigger this vulnerability.
An OS command injection vulnerability exists in the ys_thirdparty user_delete functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.
A stack-based buffer overflow vulnerability exists in the urvpn_client http_connection_readcb functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.
An OS command injection vulnerability exists in the ys_thirdparty check_system_user functionality of Milesight UR32L v32.3.0.5. A specially crafted set of network packets can lead to command execution. An attacker can send a network request to trigger this vulnerability.
A directory traversal vulnerability exists in the luci2-io file-export mib functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to arbitrary file read. An attacker can send a network request to trigger this vulnerability.
An access violation vulnerability exists in the eventcore functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to denial of service. An attacker can send a network request to trigger this vulnerability.
An OS command injection vulnerability exists in the vtysh_ubus _get_fw_logs functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability.
Two OS command injection vulnerabilities exist in the zebra vlan_name functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger these vulnerabilities. This command injection is in the code branch that manages a new VLAN configuration.
An OS command injection vulnerability exists in the ys_thirdparty system_user_script functionality of Milesight UR32L v32.3.0.5. A specially crafted series of network requests can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.
An OS command injection vulnerability exists in the libzebra.so bridge_group functionality of Milesight UR32L v32.3.0.5. A specially crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.
An OS command injection vulnerability exists in the libzebra.so change_hostname functionality of Milesight UR32L v32.3.0.5. Specially crafted network packets can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.
Multiple buffer overflow vulnerabilities exist in the vtysh_ubus binary of Milesight UR32L v32.3.0.5 due to the use of an unsafe sprintf pattern. A specially crafted HTTP request can lead to a buffer overflow. An attacker can send HTTP requests to trigger these vulnerabilities. This buffer overflow occurs in the set_openvpn_client function with the remote_subnet and the remote_mask variables.
A misconfiguration vulnerability exists in the urvpn_client functionality of Milesight UR32L v32.3.0.5. A specially-crafted man-in-the-middle attack can lead to increased privileges. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.
A stack-based buffer overflow vulnerability exists in the libzebra.so.0.0.0 security_decrypt_password functionality of Milesight UR32L v32.3.0.5. A specially crafted HTTP request can lead to a buffer overflow. An authenticated attacker can send an HTTP request to trigger this vulnerability.
An OS command injection vulnerability exists in the vtysh_ubus tcpdump_start_cb functionality of Milesight UR32L v32.3.0.5. A specially crafted HTTP request can lead to command execution. An attacker can send an HTTP request to trigger this vulnerability.
Two OS command injection vulnerabilities exist in the urvpn_client cmd_name_action functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities. This OS command injection is triggered through a UDP packet.
An OS command injection vulnerability exists in the liburvpn.so create_private_key functionality of Milesight VPN v2.0.2. A specially crafted network request can lead to command execution. An attacker can send a malicious packet to trigger this vulnerability.
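The vtysh_ubus entry above attributes the overflow to an "unsafe sprintf pattern" in set_openvpn_client, fed by the remote_subnet and remote_mask variables. The C below is an added illustration of that bug class and its fix; it is not Milesight's or Talos's code, and the function names, the 64-byte buffer size and the "route" config line are assumptions. The unsafe variant writes two request parameters into a fixed stack buffer with no bound; the hardened variant first requires both values to be dotted-quad IPv4 literals (which also excludes shell metacharacters, the other recurring problem in these advisories) and then formats with snprintf, treating truncation as a failure rather than emitting a partial line.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define OPENVPN_LINE_MAX 64   /* assumed fixed buffer size, for illustration */

/* Unsafe shape of the pattern named in the advisory (illustrative, not the
 * vendor's code): two request parameters are formatted into a fixed stack
 * buffer with sprintf(), which never checks the destination size. A
 * remote_subnet longer than the buffer overwrites the stack. */
void build_route_line_unsafe(char *out, const char *remote_subnet,
                             const char *remote_mask)
{
    char line[OPENVPN_LINE_MAX];
    sprintf(line, "route %s %s", remote_subnet, remote_mask); /* no bound */
    strcpy(out, line);
}

/* Returns 1 if s is a dotted-quad IPv4 literal, 0 otherwise. inet_pton()
 * rejects anything else: shell metacharacters, hostnames, overlong strings. */
int is_ipv4_literal(const char *s)
{
    struct in_addr a;
    return s != NULL && inet_pton(AF_INET, s, &a) == 1;
}

/* Hardened: validate both values as addresses first, then format with
 * snprintf() and treat truncation as an error instead of emitting a partial
 * config line. Returns 0 on success, -1 on rejected input or no space. */
int build_route_line_safe(char *out, size_t out_len, const char *remote_subnet,
                          const char *remote_mask)
{
    if (!is_ipv4_literal(remote_subnet) || !is_ipv4_literal(remote_mask))
        return -1;
    int n = snprintf(out, out_len, "route %s %s", remote_subnet, remote_mask);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return 0;
}

int main(void)
{
    char line[OPENVPN_LINE_MAX];
    /* constructed sample inputs: one valid pair, one injection attempt,
     * one overlong value that would overflow the unsafe variant */
    const char *inputs[][2] = {
        { "10.8.0.0", "255.255.255.0" },
        { "10.8.0.0; reboot", "255.255.255.0" },
        { "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
          "255.255.255.0" },
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = build_route_line_safe(line, sizeof line, inputs[i][0], inputs[i][1]);
        printf("%-40.40s -> %s\n", inputs[i][0], rc == 0 ? line : "rejected");
    }
    return 0;
}
```

Validating the value before formatting is what matters here: a bounded snprintf alone would stop the overflow but still pass "10.8.0.0; reboot" into whatever later consumes the config line.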
A slew of critical advisories this week showcase an exploding edge device attack surface for SMBs, which have limited cybersecurity protection, visibility, and maintenance available.
Taiwanese company ASUS on Monday released firmware updates to address, among other issues, nine security bugs impacting a wide range of router models. Of the nine security flaws, two are rated Critical and six are rated High in severity. One vulnerability is currently awaiting analysis. The list of impacted products is GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000,
ASUS has released firmware updates for several router models fixing two critical and several other security issues. (Malwarebytes Labs, "Update now! ASUS fixes nine security flaws"; tagged ASUS, router, CVE-2022-26376, CVE-2018-1160, Netatalk, disable WAN.)
ASUS Router RT-AX3000 firmware versions prior to 3.0.0.4.388.23403 set sensitive cookies without the 'Secure' attribute. When an attacker is in a position to mount a man-in-the-middle attack and a user is tricked into logging into the affected device over an unencrypted ('http') connection, the user's session may be hijacked.
A command execution vulnerability exists in the access control functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.
A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.
A cleartext transmission vulnerability exists in the Remote Management functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted man-in-the-middle attack can lead to a disclosure of sensitive information.
Cisco Talos recently discovered four vulnerabilities in the Netgear Orbi mesh wireless system, including the main hub router and satellite routers that extend the network’s range.
An OS command injection vulnerability exists in the httpd logs/view.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
A directory traversal vulnerability exists in the httpd update.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.
Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities. This command injection is reachable through the m2m's DOWNLOAD_INFO command.
A stack-based buffer overflow vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.
A directory traversal vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.
A heap-based buffer overflow vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.
An OS command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
An OS command injection vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.
A stack-based buffer overflow vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.
A directory traversal vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.
A directory traversal vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary file deletion. An attacker can send a network request to trigger this vulnerability.
A leftover debug code vulnerability exists in the httpd shell.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.
An OS command injection vulnerability exists in the httpd SNMP functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP response can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.
A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.
Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. This buffer overflow is in the function that manages the 'no wlan filter mac address WORD descript WORD' command template.
An OS command injection vulnerability exists in the httpd txt/restore.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially crafted network request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
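The Siretta delfile.cgi entries above report a directory traversal (arbitrary file deletion) and an OS command injection in the same CGI handler, and the same pairing recurs across this list (Milesight's file-export, FreshTomato's update.cgi, the Siretta m2m DELETE_FILE command). Both bugs come from one habit: building a shell command string out of a request parameter. The C below is an added example, not Siretta's, FreshTomato's or Talos's code; the handler names, the upload directory and the 64-character name limit are assumptions. The hardened version never spawns a shell at all: it accepts only a bare file name, opens the upload directory once, and deletes with unlinkat() relative to that directory, so a name cannot name a path outside it and there is no command for metacharacters to break out of.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable shape (illustrative, not the vendor's code): the file name from
 * the HTTP request is pasted into a shell command. "../../etc/passwd" escapes
 * the upload directory and "x; reboot" runs a second command. Never call this
 * with untrusted input; it is here only for comparison. */
void delete_upload_unsafe(const char *upload_dir, const char *name)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "rm -f %s/%s", upload_dir, name);
    system(cmd);   /* traversal and command injection in one line */
}

/* Accept only a bare file name: a short run of [A-Za-z0-9._-] that does not
 * start with '.' (rejects ".", ".." and dotfiles) or '-' (in case the name
 * is ever handed to a command-line tool as an argument). No '/' is allowed,
 * so the name cannot contain path components at all. */
int is_safe_upload_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '-' || name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Hardened: no shell and no string path building. The directory is opened
 * with O_DIRECTORY and unlinkat() resolves the name relative to that fd.
 * Returns 0 on success, -1 on rejected input, -2 on an OS error (errno set). */
int delete_upload_safe(const char *upload_dir, const char *name)
{
    if (!is_safe_upload_name(name))
        return -1;
    int dfd = open(upload_dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0)
        return -2;
    int rc = unlinkat(dfd, name, 0);
    int saved = errno;
    close(dfd);
    errno = saved;
    return rc == 0 ? 0 : -2;
}

int main(void)
{
    /* constructed inputs a CGI handler might receive in a "name" parameter */
    const char *names[] = { "report.txt", "../../etc/passwd", "report.txt; reboot", ".." };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-22s -> %s\n", names[i],
               is_safe_upload_name(names[i]) ? "accepted" : "rejected");
    return 0;
}
```

The allowlist is deliberately narrower than "anything except '/' and '..'": denylists of traversal sequences are what the advisories above show being bypassed, and a CGI that only ever manages uploads has no legitimate need for anything outside that character set.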
Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router. The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and
An information disclosure vulnerability exists in the cm_processREQ_NC opcode of the Asus RT-AX82U 3.0.0.4.386_49674-ge182230 router's configuration service. Specially crafted network packets can lead to a disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability.
A denial of service vulnerability exists in the cfg_server cm_processConnDiagPktList opcode of Asus RT-AX82U 3.0.0.4.386_49674-ge182230 router's configuration service. A specially-crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.
An authentication bypass vulnerability exists in the get_IFTTTTtoken.cgi functionality of Asus RT-AX82U 3.0.0.4.386_49674-ge182230. A specially-crafted HTTP request can lead to full administrative access to the device. An attacker would need to send a series of HTTP requests to exploit this vulnerability.
Lilith >_> of Cisco Talos discovered these vulnerabilities. Cisco Talos recently discovered three vulnerabilities in Asus router software. The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers. Like other routers, it is configurable via
The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474. The fixes are incomplete: an attacker can still exploit, respectively, the privilege escalation and the information disclosure vulnerability.
A leftover debug code vulnerability exists in the httpd port 4444 upload.cgi functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.
A leftover debug code vulnerability exists in the console verify functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted series of network requests can lead to disabling security features. An attacker can send a sequence of requests to trigger this vulnerability.
A leftover debug code vulnerability exists in the console support functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.
A leftover debug code vulnerability exists in the console infct functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted series of network requests can lead to execution of privileged operations. An attacker can send a sequence of requests to trigger this vulnerability.
This is just the latest set of vulnerabilities Talos has discovered in the InRouter302.
A firmware update vulnerability exists in the sysupgrade functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network packet can lead to arbitrary firmware update. An attacker can send a sequence of requests to trigger this vulnerability.
An OS command injection vulnerability exists in the web_server /action/import_authorized_keys/ functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.
A denial of service vulnerability exists in the web_server hashFirst functionality of Robustel R1510 3.1.16 and 3.3.0. A specially crafted network request can lead to denial of service. An attacker can send a sequence of requests to trigger this vulnerability. The `/action/import_file/` API is affected by a command injection vulnerability.
A directory traversal vulnerability exists in the web_server /ajax/remove/ functionality of Robustel R1510 3.1.16. A specially-crafted network request can lead to arbitrary file deletion. An attacker can send a sequence of requests to trigger this vulnerability.
Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely.
Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely. The Robustel R1510 router is a dual-Ethernet-port wireless router that shares 3G and 4G wireless signals for use in industrial and internet-of-things environments. The router includes OpenVPN tunneling, a cloud management platform to manage other devices and routers, and different safeguards to manage data caps. Talos discovered five operating system command injection vulnerabilities in the router that an adversary could trigger by sending the targeted device a specially crafted network request. All of these vulnerabilities have a CVSS severity score of 9.1 out of 10: TALOS-2022-1578 (CVE-2022-34850) TALOS-2022-1577 (CVE-2022-33150) TALOS-2022-1576 (CVE-2022-32765) TALOS-2022-1573 (CVE-2022-33325 ...
Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely. The Robustel R1510 router is a dual-ethernet port wireless router that shares 3G and 4G wireless signals for use in industrial and internet-of-things environments. The router includes the use of open VPN tunneling, a cloud management platform to manage other devices and routers and different safeguards to manage data caps. Talos discovered five operating system command injection vulnerabilities in the router that an adversary could trigger by sending the targeted device a specially crafted network request. All these vulnerabilities have a CVSS severity score of 9.1 out of 10: TALOS-2022-1578 (CVE-2022-34850) TALOS-2022-1577 (CVE-2022-33150) TALOS-2022-1576 (CVE-2022-32765) TALOS-2022-1573 (CVE-2022-33325 ...
An information disclosure vulnerability exists in the confctl_get_master_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to information disclosure. An attacker can send packets to trigger this vulnerability.
A denial of service vulnerability exists in the confctl_set_guest_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability.
A denial of service vulnerability exists in the confctl_set_master_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability.
A denial of service vulnerability exists in the confctl_set_wan_cfg functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability.
A buffer overflow vulnerability exists in the confsrv ucloud_set_node_location functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.
A denial of service vulnerability exists in the ucloud_del_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability.
A memory corruption vulnerability exists in the httpd unescape functionality of Asuswrt prior to 3.0.0.4.386_48706 and Asuswrt-Merlin New Gen prior to 386.7. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
An information disclosure vulnerability exists in the confctl_get_guest_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to information disclosure. An attacker can send packets to trigger this vulnerability.
A stack-based buffer overflow vulnerability exists in the confsrv ucloud_set_node_location functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to stack-based buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.
A stack-based buffer overflow vulnerability exists in the confsrv addTimeGroup functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.
A buffer overflow vulnerability exists in the GetValue functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted configuration value can lead to a buffer overflow. An attacker can modify a configuration value to trigger this vulnerability. This vulnerability represents all occurrences of the buffer overflow within the ap_steer binary.
A memory corruption vulnerability exists in the httpd unescape functionality of DD-WRT Revision 32270 - Revision 48599. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability.
A stack-based buffer overflow vulnerability exists in the confsrv confctl_set_app_language functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to stack-based buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.
A hard-coded password vulnerability exists in the libcommonprod.so prod_change_root_passwd functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. During system startup this functionality is always called, leading to a known root password. An attacker does not have to do anything to trigger this vulnerability.
An os command injection vulnerability exists in the confsrv ucloud_add_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a malicious packet to trigger this vulnerability.
An OS command injection vulnerability exists in the confsrv ucloud_add_new_node functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a malicious packet to trigger this vulnerability.
A stack-based buffer overflow vulnerability exists in the confsrv ucloud_add_node_new functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to stack-based buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.
A memory corruption vulnerability exists in the httpd unescape functionality of FreshTomato 2022.1. A specially-crafted HTTP request can lead to memory corruption. An attacker can send a network request to trigger this vulnerability. The `freshtomato-arm` code base has a vulnerable URL-decoding function that can lead to memory corruption.
A stack-based buffer overflow vulnerability exists in the confsrv set_mf_rule functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to stack-based buffer overflow. An attacker can send a malicious packet to trigger this vulnerability. This vulnerability leverages the name field within the protobuf message to cause a buffer overflow.
A stack-based buffer overflow vulnerability exists in the confsrv set_port_fwd_rule functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to stack-based buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.
By Francesco Benvenuto. Recently, I was performing some research on a wireless router and noticed the following piece of code: This unescape function will revert the URL-encoded bytes to their original form. But something specifically caught my attention: there was no size check for the performed operations, and the function assumes that after a '%' there are always two bytes. So, what would happen if after '%' only one character existed? The answer is that the s+3 in the strcpy will access past the end of the string. So, it could lead to memory corruption. Then, I tried to exploit this bug on the router in question. But based on how the URL string was managed in that device, it was not possible. But it had the potential to crash other web servers that used this piece of code. That function belonged to the freshtomato library. So, I searched for the source code and noticed that at the beginning of the file containing that function, there was the following comment: It was code fr...
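The snippet the post refers to is not reproduced on this page, so the C program below is an added illustration, not the FreshTomato function itself: `unescape_unchecked` is modeled on the pattern the post describes (every '%' is assumed to be followed by two bytes, and the tail of the string is moved from s+3), and `unescape_checked` is a bounds-checked rewrite. The function names and the sample inputs are my own; the original used strcpy(), and memmove() is used here only because the source and destination overlap, which does not change the over-read.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Modeled on the pattern the post describes (hypothetical code, not the
 * FreshTomato function). After '%' two bytes are assumed to follow, so the
 * tail is moved from s+3. For a string ending in "%4", s+3 already points one
 * past the terminator: strlen() reads beyond the buffer and the move writes
 * whatever it finds there back into the string. */
void unescape_unchecked(char *s)
{
    unsigned int c = 0;
    while ((s = strpbrk(s, "%+")) != NULL) {
        if (*s == '%') {
            sscanf(s + 1, "%02x", &c);                 /* no check that two hex digits exist */
            *s = (char)c;
            memmove(s + 1, s + 3, strlen(s + 3) + 1);  /* out of bounds if fewer than 2 bytes follow */
            s++;
        } else {
            *s++ = ' ';                                /* '+' is a space in form encoding */
        }
    }
}

static int hexval(int ch)
{
    if (ch >= '0' && ch <= '9') return ch - '0';
    if (ch >= 'a' && ch <= 'f') return ch - 'a' + 10;
    if (ch >= 'A' && ch <= 'F') return ch - 'A' + 10;
    return -1;                                         /* includes '\0', so a short escape fails here */
}

/* Bounds-checked in-place decoder. Each byte after '%' is validated before
 * the next one is looked at, so the terminator is never stepped over, and the
 * write cursor never passes the read cursor, so the buffer cannot grow.
 * Returns false on a malformed escape; the caller must then discard the
 * buffer rather than use its partial contents. */
bool unescape_checked(char *s)
{
    char *r = s, *w = s;
    while (*r != '\0') {
        if (*r == '%') {
            int hi = hexval((unsigned char)r[1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)r[2]);
            if (hi < 0 || lo < 0) return false;        /* "%", "%4", "%zz": reject instead of over-reading */
            *w++ = (char)(hi * 16 + lo);
            r += 3;
        } else if (*r == '+') {
            *w++ = ' ';
            r++;
        } else {
            *w++ = *r++;
        }
    }
    *w = '\0';
    return true;
}

int main(void)
{
    char ok[] = "name=%41%42+%63";   /* constructed, well-formed input */
    char bad[] = "path=%4";          /* constructed: '%' followed by one byte, then the terminator */

    unescape_unchecked(ok);
    printf("unchecked decoder: %s\n", ok);
    bool accepted = unescape_checked(bad);
    printf("checked decoder accepts \"path=%%4\": %s\n", accepted ? "yes" : "no");
    /* unescape_unchecked(bad) is deliberately not called: that is the out-of-bounds access. */
    return 0;
}
```

Whether the over-read becomes an exploitable corruption depends on what sits after the request buffer, which is exactly why the post reports the same function as exploitable on some firmware and not on others; the fix is the same everywhere, because a decoder that never looks past the terminator has nothing to corrupt.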
A command execution vulnerability exists in the clish art2 functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.
Multiple command injection vulnerabilities exist in the web_server ajax endpoint functionalities of Robustel R1510 3.3.0. Specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. The `/ajax/clear_tools_log/` API is affected by a command injection vulnerability.
Multiple command injection vulnerabilities exist in the web_server action endpoint functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. The `/action/import_cert_file/` API is affected by a command injection vulnerability.
A data removal vulnerability exists in the web_server /action/remove/ API functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary file deletion. An attacker can send a sequence of requests to trigger this vulnerability.
Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered four vulnerabilities in the Robustel R1510 industrial cellular router. The R1510 is a portable router that shares 2G, 3G and 4G wireless internet access. It comes with...
A firmware update vulnerability exists in the iburn firmware checks functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted HTTP request can lead to a firmware update. An attacker can send a sequence of requests to trigger this vulnerability.
An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie.
An information disclosure vulnerability exists in the router configuration export functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.
A file write vulnerability exists in the httpd upload.cgi functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can upload a malicious file to trigger this vulnerability.
A privilege escalation vulnerability exists in the router configuration import functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to increased privileges. An attacker can send an HTTP request to trigger this vulnerability.
A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability.
An OS command injection vulnerability exists in the console infactory_net functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.
Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Francesco Benvenuto and Jon Munshaw. Cisco Talos recently discovered several vulnerabilities in InHand Networks' InRouter302 that could allow an attacker to escalate their privileges on the targeted device from a...
An information disclosure vulnerability exists in the WiFi Smart Mesh functionality of D-LINK DIR-3040 1.13B03. A specially-crafted network request can lead to command execution. An attacker can connect to the MQTT service to trigger this vulnerability.
A hard-coded password vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to a denial of service. An attacker can send a sequence of requests to trigger this vulnerability.
A code execution vulnerability exists in the Libcli Test Environment functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.
An information disclosure vulnerability exists in the Syslog functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability.
A hard-coded password vulnerability exists in the Libcli Test Environment functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to code execution. An attacker can send a sequence of requests to trigger this vulnerability.
An information disclosure vulnerability exists in the Zebra IP Routing Manager functionality of D-LINK DIR-3040 1.13B03. A specially crafted network request can lead to the disclosure of sensitive information. An attacker can send a sequence of requests to trigger this vulnerability.
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
CRLF injection vulnerability in Network Center in Synology Router Manager (SRM) before 1.2.3-8017-2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic.
An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1. When connecting to a remote server, the server's SSL certificate is checked but no action is taken when the certificate is invalid. An attacker could exploit this behavior by performing a man-in-the-middle attack, providing any certificate, leading to the theft of all the data sent by the client during the first request. After an SSL connection is initialized via _ustream_ssl_init, and after any data (e.g. the client's HTTP request) is written to the stream using ustream_printf, the code eventually enters the function __ustream_ssl_poll, which is used to dispatch the read/write events
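As an added illustration of the ustream-ssl behaviour described above (a constructed model, not the library's own code; every name here is hypothetical), the vulnerable poll flushes the queued first request even though the certificate check failed, while the hardened poll tears the stream down before any byte is transmitted:

```c
#include <stdbool.h>
#include <string.h>

/* Illustrative model only, not ustream-ssl's code: a client stream that queues
 * application data before the TLS poll loop runs. All names are hypothetical. */
typedef struct {
    bool   cert_valid;    /* outcome of the server certificate check */
    bool   connected;     /* cleared when the stream is torn down */
    char   pending[256];  /* data queued by the application (e.g. an HTTP request) */
    size_t pending_len;
    size_t bytes_sent;    /* bytes actually handed to the peer */
} model_stream;

/* Queue data the way an application would via a printf-style writer. */
void model_write(model_stream *s, const char *data) {
    size_t n = strlen(data);
    size_t room = sizeof s->pending - s->pending_len;
    if (n > room) n = room;               /* never overrun the queue */
    memcpy(s->pending + s->pending_len, data, n);
    s->pending_len += n;
}

/* Vulnerable pattern from the advisory: the verification result is available but
 * nothing acts on it, so the queued request goes to whoever presented the cert. */
size_t poll_ignores_verify(model_stream *s) {
    (void)s->cert_valid;                  /* checked, but no action taken */
    s->bytes_sent += s->pending_len;
    s->pending_len = 0;
    return s->bytes_sent;
}

/* Hardened pattern: an invalid certificate tears the stream down and discards the queue. */
size_t poll_enforces_verify(model_stream *s) {
    if (!s->cert_valid) {
        s->connected = false;
        s->pending_len = 0;               /* drop the request, never transmit it */
        return s->bytes_sent;             /* still zero for a fresh stream */
    }
    s->bytes_sent += s->pending_len;
    s->pending_len = 0;
    return s->bytes_sent;
}

/* Init, write one constructed request, then poll; returns bytes sent to the peer. */
size_t simulate_first_request(bool cert_valid, bool enforce) {
    model_stream s = { .cert_valid = cert_valid, .connected = true };
    model_write(&s, "GET /admin HTTP/1.1\r\nAuthorization: Bearer CONSTRUCTED-TOKEN\r\n\r\n");
    return enforce ? poll_enforces_verify(&s) : poll_ignores_verify(&s);
}
```

The point to check in any TLS client wrapper is the same: a verification failure must close the connection before the first buffered write is flushed, not merely be logged.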
An exploitable remote code execution vulnerability exists in the HTTP header-parsing function of the TP-Link TL-R600VPN HTTP Server. A specially crafted HTTP request can cause a buffer overflow, resulting in remote code execution on the device. An attacker can send an authenticated HTTP request to trigger this vulnerability.
An exploitable remote code execution vulnerability exists in the ping and tracert functionality of the TP-Link TL-R600VPN HWv3 FRNv1.3.0 and HWv2 FRNv1.2.3 HTTP server. A specially crafted IP address can cause a stack overflow, resulting in remote code execution. An attacker can send a single authenticated HTTP request to trigger this vulnerability.
An exploitable information disclosure vulnerability exists in the HTTP server functionality of the TP-Link TL-R600VPN. A specially crafted URL can cause a directory traversal, resulting in the disclosure of sensitive system files. An attacker can send either an unauthenticated or an authenticated web request to trigger this vulnerability.
An exploitable denial-of-service vulnerability exists in the URI-parsing functionality of the TP-Link TL-R600VPN HTTP server. A specially crafted URL can cause the server to stop responding to requests, resulting in downtime for the management portal. An attacker can send either an unauthenticated or authenticated web request to trigger this vulnerability.