Security Week 28: vulnerability in powerline extender

Don't you think there is less research into home router vulnerabilities? We don't think, but recently poorly protected devices that transmit data over electrical wires have been added to routers. Such adapters do not differ from ordinary routers in anything, except for the connection method, and also contain full-fledged control software, not without drawbacks. Three vulnerabilities were found in the Tenda PA6 device ( news , original publication ), two of which allow getting full control over this "Wi-Fi extender".



Two of the three vulnerabilities belong to the same class: the device's web interface does not validate user-entered data, which allows an attacker to run arbitrary code with the highest privileges. In one case, a function is used that allows you to rename one of the powerline devices on the network. Another is the function of adding a Wi-Fi device to the trusted list. There is only one problem on the path of a potential attacker - two methods of executing commands with root rights do not work without authorization. But, as usual, this was not a major obstacle due to the default password for accessing the web interface: admin.



The third vulnerability does not require authorization at all, but it also does not provide control over the device. To communicate with network adapters (of which, according to the logic of Homeplug connections, there should be two or more), port 48912 is used, when connected to which, you can change the name of the internal network for data exchange through electrical wires. After changing the network name, the key for data encryption is also changed - this was done, among other things, to avoid conflicts between two different Homeplug networks, and, apparently, this interface is used during the initial setup. Result: if desired, you can organize a cyclic reboot of the adapters and their complete inoperability.



As usual, when analyzing the firmware, the "tails" of the debug mode were found: a complete dump of the firmware can be obtained through the web interface, and the login and password for accessing the device via the "emergency" UART connection are embedded in the code. Even sadder, the manufacturer did not respond to requests from researchers from the IBM laboratory. The combination of the default password and two discovered vulnerabilities allows you to attack a device remotely, all you need to do is to lure its owner into a prepared web page.



What else happened



A 10-point vulnerability found and patched in F5 BIG-IP corporate networking solutions .



Kaspersky Lab experts analyze in detail the reincarnation of the Rovnix bootkit. The source code of this malware was leaked to the public back in 2013, and a fresh modification is being distributed under the guise of an "important message from WHO" about the coronavirus epidemic.



Cisco Closes Vulnerability in Small Business Network Switches. Using brute force, you can pick up the current session ID and take control of devices.





The publication ArsTechnica publishes the results of an interesting study: what words can be used to activate the voice assistant, in addition to the standard ones. For example, instead of "Hey Siri" you can say "a city". The reason for this behavior is the desire of the developer to increase the chances of the system triggering when it is accessed, while allowing false activation. The problem is that from such positives, private negotiations are written and decrypted on the vendor's server.



An extraordinary patch for Windows 10 closes a critical vulnerability in the built-in media codec library that could lead to arbitrary code execution.



At the end of June we wroteabout vulnerabilities in (at least) 79 Netgear routers. Six months after notifying the vendor, you can estimate the speed of patch release: only 28 devices received the update.



All Articles