Authentication Bypass, Potential Backdoors Plague Old WiMAX Routers

WiMAX routers manufactured by several companies, including Huawei and ZyXEL, are vulnerable to an authentication bypass and potential backdoors.

WiMAX routers manufactured by several companies, including Huawei and ZyXEL, are vulnerable to an authentication bypass that could let an attacker change the password of the admin user, gain access to the device, or the network behind it.

Stefan Viehböck, a researcher with SEC Consult Vulnerability Lab, a software-testing firm based in Vienna, Austria, discovered the issue last September. It wasn’t until Wednesday that Viehböck, along with the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University, were able to disclose the vulnerability.

The issue, which garnered a critical base CVSS rating of 10.0, exists in routers distributed to subscribers by WiMAX ISPs.

Usage of WiMAX – a family of wireless communication standards – has declined over the years, especially with operators switching to LTE, but the technology is still used in hundreds of networks worldwide.

According to Viehböck an attacker can set arbitrary configuration values by sending a crafted POST request to the routers’ commit2.cgi uniform resource identifier (URI) without authentication. In a proof of concept also published Wednesday the researcher explains how he could use a HTTP request to set the admin username and password to “admin,” and therefore, log into the device with admin permissions.

Viehböck warns the following router models are likely affected and should be decommissioned-:

  • GreenPacket OX350 (Version: ?)
  • GreenPacket OX-350 (Version: ?)
  • Huawei BM2022 (Version: v2.10.14)
  • Huawei HES-309M (Version: ?)
  • Huawei HES-319M (Version: ?)
  • Huawei HES-319M2W (Version: ?)
  • Huawei HES-339M (Version: ?)
  • MADA Soho Wireless Router (Version: v2.10.13)
  • ZTE OX-330P (Version: ?)
  • ZyXEL MAX218M (Version: 2.00(UXG.0)D0)
  • ZyXEL MAX218M1W (Version: 2.00(UXE.3)D0)
  • ZyXEL MAX218MW (Version: 2.00(UXD.2)D0)
  • ZyXEL MAX308M (Version: 2.00(UUA.3)D0)
  • ZyXEL MAX318M (Version: ?)
  • ZyXEL MAX338M (Version: ?)

Many of the devices are old; Huawei told Viehböck back in September when he first brought the issue to the company’s attention that its routers would not receive an update for the issue. Huawei told the researcher it marked them EOS, or end of service, back in 2014.

Viehböck and SEC Consult say it’s unlikely any of the devices will receive updates so they’re encouraging owners to replace them.

In addition to Huawei, Viehböck was able to determine routers from GreenPacket, MADA, and ZTE were also vulnerable by using a tool to scan a data set containing other products that use WiMAX’s firmware for the commit2.cgi vulnerability.

While scanning, the tool picked up a handful of of hardcoded Unix-style password hashes, something Viehböck believes to be associated with backdoor accounts, potentially introduced by the devices’ original equipment manufacturer.

Viehböck called the hashes “OEM Backdoors in practice” on Wednesday and said at one point he hypothesized that MediaTek, a Taiwanese company that makes the hardware that contains the library (libmtk_httpd_plugin.so) that contains commit2.cgi, was behind them.

“This makes sense because the affected devices are all based on MediaTek hardware. These SDKs often come with everything that is required to use the hardware and even contain with a working web interface,” Viehböck wrote Wednesday, “Vendors can choose to use the whole SDK to build their product or just use some drivers/middleware and build the rest themselves.”

According to Viehböck, when CERT/CC got in touch with MediaTek however it said it wasn’t responsible for the SDK code, instead suggesting that ZyXEL, the Taiwanese router manufacturer, added the vulnerable code.

It’s a complicated timeline that Viehböck explains as follows:

MediaTek manufactures a SoC for WiMAX products, provides SDK with sample web interface code to vendors.

ZyXEL and their sister company MitraStar develops firmware based on the MediaTek SDK, introduces the “commit2.cgi vulnerability” and the “OEM backdoors”.

ZyXEL sells the products to ISPs.

MitraStar works as an OEM for GreenPacket, Huawei, ZTE… who also sell the products to ISPs.

ISPs sell/lease the devices to their subscribers as customer premises equipment (CPE).

ZyXEL did not reply to inquiries made by CERT/CC, nor did it immediately return Threatpost’s request for comment on Wednesday.

ZyXEL told Threatpost on Friday* that it was working on a solution for router models susceptible to CVE-2017-3216.

In the meantime the company is encouraging users of devices to disable WAN device management:

  1. Log in the web-based management interface of the device
  2. Click “Maintenance” and “Remote MGMT”
  3. Disable (unclick) “HTTP and HTTPs – allow connection from WAN”
  4. Save the setting

It’s not the first time that researchers, or attackers for that matter, have managed to undermine the security of equipment made by the telecom.

Attackers exploited flawed implementation in some of the company’s routers to carry out Mirai-like attacks against Deutsche Telekom customers in Germany in November.

At Kaspersky Lab’s Security Analyst Summit in April, Peter Kruse, a researcher with Denmark’s CSIS Security Group, said a number of home routers made by ZyXEL were shipped with a default username and password, a loophole he saw Romanian cybercriminals leveraging as part of a phishing scheme.

The company told Threatpost in January that vulnerabilities in a number of routers made by the company and distributed by a Thai ISP would not be fixed, as they were no longer supported. The router models, ZyXEL P660HN-T v1, ZyXEL P660HN-T v2, are different models than those named by SEC Consult on Wednesday however.

*This article was updated on June 10 to include a statement from ZyXEL.

Suggested articles