Asus, Lenovo and Other Routers Riddled with Remotely Exploitable Bugs

lenovo asus router bugs

Independent researchers found 125 different CVEs across 13 different router and NAS models.

More than a hundred vulnerabilities have been found in small office/home office (SOHO) routers and network-attached storage devices (NAS) from vendors that include Asus, Zyxel, Lenovo, Netgear and other top names, which open them up to remote attackers.

That’s according to Independent Security Evaluators, which pen-tested 13 different models, resulting in 125 different CVEs. The targets ranged from devices designed for general consumers to high-end devices designed for enterprise use; and across the board, the results were not pretty.

“All 13 of the devices we evaluated had at least one web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi) that could be leveraged by an attacker to get remote access to the device’s shell or gain access to the device’s administrative panel,” the researchers said in a paper released on Monday. “We obtained root shells on 12 of the devices, allowing complete control over the device, including six which can be remotely exploited without authentication: The Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.”

As far as individual bugs, the team highlighted several in the paper. For instance, the Buffalo TeraStation TS5600D1206, an enterprise-grade NAS that features a web application where users manage the services running on their device, has an issue in the way it handles cookies. An exploit could be used to enable or disable services, or perform other actions available through the web application.

“The TeraStation’s web application uses browser cookies as part of their authentication workflow and a JSON-RPC API available at the /nasapi endpoint to interact with the device,” explained the researchers. “Whenever the user issues a request to an API endpoint, the backend verifies that the request contains a cookie that has been associated with a valid user and then verifies the user’s authorization. We discovered that changing the HTTP Host request header to or localhost (the IP address and name for the loopback interface) bypasses authentication and authorization checks. As a result, any user with network level access to this device can issue requests without authentication.”

In another instance, the Netgear Nighthawk X10 R9000 (a high-end flagship router) was found to be vulnerable to code-injection, including via a SOAP-based mobile application that allows administrators to manipulate common network settings, view device logs, manage Quality of Service as well as various other settings.Click to enlarge.

“Initial testing of the administrative mobile application revealed that the ‘X-Forwarded-For’ HTTP header is interpreted by the application,” said the researchers. “This header is commonly used by load balancers to convey a client’s IP address to downstream services, but it can lead to unexpected issues if used improperly. This device appears to interpret the header’s contents as the client’s real IP address, overriding any previous values. This device also appears to whitelist requests from its own IP address, allowing internal use of the API without managing authentication. When combined, these two functionalities give an attacker the ability to bypass all authentication checks on the SOAP API. This is due to the fact that the X-Forwarded-For HTTP header is client-controlled, and the device is not protected by any sort of load balancer or reverse proxy. Furthermore, the X-Forwarded-For header is not a forbidden header. As such, it may be sent via XHR requests in JavaScript.”

The analysis also took stock of what basic security measures are typically built into these types of devices in general; it found that some of the examined routers and NAS did have enhanced features.

“For example…Asus routers [are designed] with address-space layout randomization (ASLR), a hardening feature that makes the exploitation of buffer-overflow attacks more difficult,” according to the report. “We also found that some manufacturers have implemented functionality that hinders reverse engineering. The Terramaster F2-420 encrypts files used to serve their PHP web application using a PHP module called ‘screw_aes,’ complicating the process of accessing the source code of the administrative panel. The Seagate STCR3000101 has its own request integrity verification mechanism that prevents attackers from modifying requests HTTP requests.”

Nonetheless, commonly found web application features like anti-CSRF tokens and browser security headers were few and far between in the sample set.

“These defense-in-depth mechanisms can greatly enhance the security posture of web applications and the underlying systems they interact with,” said the researchers. “In many cases, our remote exploits wouldn’t have worked if customary web application security practices had been implemented.”

ISE responsibly disclosed the issues to the manufacturers, most of which were responsive and took mitigation steps, researchers said; however, they weren’t able to get anywhere with Drobo, Buffalo Americas, or Zioncom Holdings.

“We have yet to receive any new communication from Buffalo Americas Inc., and Zioncom Holdings Ltd. as of the date we published this paper,” they wrote. “We were able to get in contact Drobo Inc.; however, we did not receive any other communications after we re-sent them our findings.”

None of the three immediately responded to a request for comment from Threatpost.

Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don’t miss our free Threatpost webinar, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. Click here to register.

Suggested articles