Vulns out of the box: 12 in 13 small biz network devices terribly insecure by default – research

You want root shell access? No problem


A new report has suggested that 12 out of 13 network devices, such as routers and network-attached storage appliances, are vulnerable to hacks that enable "root-privileged access without any authentication".

Security consultants ISE took a look at devices from well-known vendors including Buffalo, Synology, Zyxel, Drobo, Asus, Seagate, Lenovo, QNAP and Netgear. They were evaluated out of the box, including running setup wizards and enabling recommended security features, in order to mimic a "typical use configuration".

The news is not good. "We obtained root shells on 12 of the devices, allowing complete control over the device including 6 which can be remotely exploited without authentication," said the report.

The vulnerabilities discovered are familiar, including buffer overflow (Asus), cross-site scripting (most of them), command injection (most of them), authentication and authorization bypass (Buffalo, Netgear, TerraMaster, Drobo and Totolink), Cross-site request forgery (TerraMaster, Zyxel, Totolink, QNAP, Lenovo) and file upload path traversal (Buffalo, TerraMaster, Asus, Seagate, QNAP, Lenovo).

Compromising a network device could have consequences including theft of data, installation of malicious applications, and increased risk of further network access.

Does the attacker need to be on the local area network (LAN) in order to execute these attacks? It depends. "Although all of the examples shown above assume that an attacker is on the LAN network, they may be performed remotely via DNS rebinding," said the report. "Such an attack functions similarly to Cross-Site Request Forgery, involving a victim on the router's LAN visiting an attacker-controlled page which instructs the victim’s browser to issue malicious requests to the router."

The researchers said they practiced responsible disclosure, but in some cases this itself was challenging. While most manufacturers were responsive, three (Drobo, Buffalo and Zioncom, which makes the Totolink product) "did not respond to our inquiries despite numerous attempts".

Synology's device turned out to be hardest to compromise, though not flawless, and the team were unable to get root access in this case.

The new report follows a similar one published in 2013. Has device security improved in that time? The researchers concluded that despite increased attention to security, "common devices that are deployed in small office and home office environments are likely vulnerable to exploits".

The advice to users is to harden devices by disabling unused features, enabling security controls, and patching firmware regularly. It is a safe bet that many users will not do so, particularly in the home and small business world where appliances tend to be left alone. Device manufacturers could help by disabling most features by default, so users would enable only what they require. That may be set against the desire to make devices easy to use and avoid users contacting support to complain that some advertised feature is not working.

The researchers also singled out remote-access features as the most risky and said they "should be avoided when possible as they expose the device to adversaries on the Internet, rather than limiting threats to those on an internal network". ®

Similar topics


Other stories you might like

  • This startup says it can glue all your networks together in the cloud
    Or some approximation of that

    Multi-cloud networking startup Alkira has decided it wants to be a network-as-a-service (NaaS) provider with the launch of its cloud area networking platform this week.

    The upstart, founded in 2018, claims this platform lets customers automatically stitch together multiple on-prem datacenters, branches, and cloud workloads at the press of a button.

    The subscription is the latest evolution of Alkira’s multi-cloud platform introduced back in 2020. The service integrates with all major public cloud providers – Amazon Web Services, Google Cloud, Microsoft Azure, and Oracle Cloud – and automates the provisioning and management of their network services.

    Continue reading
  • Cisco execs pledge simpler, more integrated networks
    Is this the end of Switchzilla's dashboard creep?

    Cisco Live In his first in-person Cisco Live keynote in two years, CEO Chuck Robbins didn't make any lofty claims about how AI is taking over the network or how the company's latest products would turn networking on its head. Instead, the presentation was all about working with customers to make their lives easier.

    "We need to simplify the things that we do with you. If I think back to eight or ten years ago, I think we've made progress, but we still have more to do," he said, promising to address customers' biggest complaints with the networking giant's various platforms.

    "Everything we find that is inhibiting your experience from being the best that it can be, we're going to tackle," he declared, appealing to customers to share their pain points at the show.

    Continue reading
  • Alcatel-Lucent Enterprise adds Wi-Fi 6E to 'premium' access points
    Company claims standard will improve performance in dense environments

    Alcatel-Lucent Enterprise is the latest networking outfit to add Wi-Fi 6E capability to its hardware, opening up access to the less congested 6GHz spectrum for business users.

    The France-based company just revealed the OmniAccess Stellar 14xx series of wireless access points, which are set for availability from this September. Alcatel-Lucent Enterprise said its first Wi-Fi 6E device will be a high-end "premium" Access Point and will be followed by a mid-range product by the end of the year.

    Wi-Fi 6E is compatible with the Wi-Fi 6 standard, but adds the ability to use channels in the 6GHz portion of the spectrum, a feature that will be built into the upcoming Wi-Fi 7 standard from the start. This enables users to reduce network contention, or so the argument goes, as the 6GHz portion of the spectrum is less congested with other traffic than the existing 2.4GHz and 5GHz frequencies used for Wi-Fi access.

    Continue reading

Biting the hand that feeds IT © 1998–2022