Vulns out of the box: 12 in 13 small biz network devices terribly insecure by default – research
You want root shell access? No problem
A new report has suggested that 12 out of 13 network devices, such as routers and network-attached storage appliances, are vulnerable to hacks that enable "root-privileged access without any authentication".
Security consultants ISE took a look at devices from well-known vendors including Buffalo, Synology, Zyxel, Drobo, Asus, Seagate, Lenovo, QNAP and Netgear. They were evaluated out of the box, including running setup wizards and enabling recommended security features, in order to mimic a "typical use configuration".
The news is not good. "We obtained root shells on 12 of the devices, allowing complete control over the device including 6 which can be remotely exploited without authentication," said the report.
The vulnerabilities discovered are familiar, including buffer overflow (Asus), cross-site scripting (most of them), command injection (most of them), authentication and authorization bypass (Buffalo, Netgear, TerraMaster, Drobo and Totolink), cross-site request forgery (TerraMaster, Zyxel, Totolink, QNAP, Lenovo) and file-upload path traversal (Buffalo, TerraMaster, Asus, Seagate, QNAP, Lenovo).
Compromising a network device could have consequences including theft of data, installation of malicious applications, and increased risk of further network access.
Does the attacker need to be on the local area network (LAN) in order to execute these attacks? It depends. "Although all of the examples shown above assume that an attacker is on the LAN network, they may be performed remotely via DNS rebinding," said the report. "Such an attack functions similarly to Cross-Site Request Forgery, involving a victim on the router's LAN visiting an attacker-controlled page which instructs the victim’s browser to issue malicious requests to the router."
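The rebinding sequence the report describes, as an added example that is not code from ISE's report or from any of the vendors: the attacker's DNS server, the victim browser's two requests and the device's web handler are simulated in plain Python so the exchange runs offline, and the same handler is shown with the Host-header check that defeats it. The names and addresses (attacker.example, 203.0.113.5, 192.168.1.1, router.local) are constructed for the example.

```python
# Added example, not code from ISE's report or any vendor: a small model of the
# DNS-rebinding path described above (the victim's browser becomes a proxy to
# the router's LAN interface) and the Host-header check that blocks it.
# attacker.example, 203.0.113.5, 192.168.1.1 and router.local are constructed.

ROUTER_LAN_IP = "192.168.1.1"
# Names under which the device legitimately answers (assumed for the example);
# a request carrying any other Host value is refused.
ALLOWED_HOSTS = {ROUTER_LAN_IP, "router.local"}


class RebindingResolver:
    """Attacker-controlled authoritative DNS for attacker.example.

    The first answer is the attacker's public server, so the page loads; once
    the very short TTL expires the same name resolves to the victim's router.
    """

    def __init__(self, public_ip, target_ip):
        self.answers = [public_ip, target_ip]
        self.lookups = 0

    def resolve(self, name):
        ip = self.answers[min(self.lookups, len(self.answers) - 1)]
        self.lookups += 1
        return ip


def browser_request(resolver, hostname, path):
    """What the victim's browser does: resolve the page's hostname again (TTL
    expired) and send the request with Host: <hostname>. Same-origin policy is
    satisfied because the *name* never changed; only the address did."""
    return {"dst_ip": resolver.resolve(hostname),
            "headers": {"Host": hostname},
            "path": path}


def router_vulnerable(req):
    """Device web server that never looks at Host: anything that reaches the
    LAN address is served, including the rebound request."""
    return 200 if req["dst_ip"] == ROUTER_LAN_IP else 404


def router_hardened(req):
    """Same server with the standard mitigation: the Host header must name the
    device itself. The rebound request still says Host: attacker.example.
    (IPv4 addresses and hostnames only; the :port suffix is stripped.)"""
    host = req["headers"].get("Host", "").rsplit(":", 1)[0].lower()
    if host not in ALLOWED_HOSTS:
        return 421  # Misdirected Request
    return 200 if req["dst_ip"] == ROUTER_LAN_IP else 404


def run_attack(handler):
    """Victim on the LAN visits http://attacker.example/; a script on that page
    then fetches /cgi-bin/admin from the same origin. Returns (where the page
    was loaded from, status the router returned for the rebound request)."""
    dns = RebindingResolver(public_ip="203.0.113.5", target_ip=ROUTER_LAN_IP)
    page = browser_request(dns, "attacker.example", "/")
    admin = browser_request(dns, "attacker.example", "/cgi-bin/admin")
    return page["dst_ip"], handler(admin)


if __name__ == "__main__":
    print("unpatched router:", run_attack(router_vulnerable))   # ('203.0.113.5', 200)
    print("Host-checked router:", run_attack(router_hardened))  # ('203.0.113.5', 421)
```

The Host check is the fix that sits with the vendor, which is why it matters for devices shipped "out of the box"; on the victim's side a LAN resolver that refuses upstream answers pointing into private address space (dnsmasq's `--stop-dns-rebind`, for instance) cuts off the second resolution, but that protects only networks whose operator thought to turn it on.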
The researchers said they practiced responsible disclosure, but in some cases this itself was challenging. While most manufacturers were responsive, three (Drobo, Buffalo and Zioncom, which makes the Totolink product) "did not respond to our inquiries despite numerous attempts".
Synology's device turned out to be hardest to compromise, though not flawless, and the team were unable to get root access in this case.
The new report follows a similar one published in 2013. Has device security improved in that time? The researchers concluded that despite increased attention to security, "common devices that are deployed in small office and home office environments are likely vulnerable to exploits".
The advice to users is to harden devices by disabling unused features, enabling security controls, and patching firmware regularly. It is a safe bet that many users will not do so, particularly in the home and small business world where appliances tend to be left alone. Device manufacturers could help by disabling most features by default, so users would enable only what they require. That may be set against the desire to make devices easy to use and avoid users contacting support to complain that some advertised feature is not working.
The researchers also singled out remote-access features as the most risky and said they "should be avoided when possible as they expose the device to adversaries on the Internet, rather than limiting threats to those on an internal network". ®