DSL routers from a number of manufacturers contain hard-coded credentials that could allow a hacker to access the devices via telnet services and remotely control them.
An advisory published Tuesday by the DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University said the issues are still present in the routers and that organizations could write firewall rules that block telnet or SNMP on the device as a temporary mitigation. Telnet network services are used by some manufacturers for remote support.
The affected routers are manufactured by ASUS Tek (DSL-N12E), DIGICOM (DG-5524T), Observa Telecom (RTA01N), Philippine Long Distance Telephone (SpeedSurf 504AN) and ZTE (ZXV10 W300).
CERT had issued a similar advisory in February 2014 for the ZTE device, but yesterday expanded it to include the other vendors.
In May, a post to the Full Disclosure security mailing list from a group of security researchers from Universidad Europea de Madrid rattled off sundry vulnerabilities they found in 22 different small office and home office routers, including the hard-coded credentials in Observa Telecom routers.
“A remote attacker may utilize these credentials to gain administrator access to the device,” CERT said in its advisory.
The hard-coded credentials include a user name of “admin” or some variation in all the devices, as well as similar passwords that include part of the router’s MAC address, which is obtainable over SNMP with community string public, CERT said.
CERT said that Asus was notified in May and PLDT in June of the issues affecting their respective routers, while ZTE was notified in December 2013.
Observa Telecom, a common router used in Spain by its major ISP Telefonica, suffered from a number of serious vulnerabilities, including persistent and unauthenticated cross-site scripting and cross-site request forgery on a number of its devices beyond the RTA01N in question here.
Home and small office routers are notoriously insecure and difficult to patch since they require new firmware and often those updates must be manually installed because there is no automated mechanism.
One of the biggest router disclosures came last December when Check Point Software Technologies published details on a vulnerability it called Misfortune Cookie. The flaw affected more than 12 million devices running an embedded webserver called RomPager; the vulnerability could give an attacker in man-in-the-middle position access to traffic entering and leaving routers built by most manufacturers. An attacker need only send a single packet containing a malicious HTTP cookie to exploit the flaw. Such an exploit would corrupt memory on the device and allow an attacker to remotely gain administrative access to the device.