Routers and NAS From Major Manufacturers Full of Flaws
Over a hundred vulnerabilities have been found in SOHO routers and network attached storage (NAS) devices from manufacturers including Asus, Zyxel, Lenovo, and Netgear, which open them up to remote attacks. Security experts tested 13 different models, which resulted in 125 different CVEs. The devices ranged from models aimed at general consumers to high-end devices.
All 13 of the devices evaluated had at least one web application vulnerability such as cross-site scripting, operating system command injection, or SQL injection that could be used by hackers to get remote access to the device’s shell or gain access to the device's administrative panel. Root shell access was gained on 12 of the devices, allowing complete control over the device. Six of those devices could be remotely exploited without authentication.
The Buffalo TeraStation TS5600D1206, an enterprise-grade NAS, has an issue in the way it handles cookies. An attacker could enable or disable services, or perform other actions available through the web application. The Netgear Nighthawk X10 R9000 was vulnerable to code injection, including through a SOAP-based mobile application interface that allows administrators to manipulate common network settings, view device logs, manage Quality of Service, and change various other settings.
The researchers took inventory of what basic security measures are built into these types of devices. They found that some of the routers and NAS did have enhanced features. Asus routers are designed with address-space layout randomization, a hardening feature that makes the exploitation of buffer-overflow vulnerabilities more difficult. Some manufacturers are using functionality that hinders reverse engineering. The Terramaster F2-420 encrypts the files used to serve its PHP web application using a PHP module called screw_aes, making it more difficult to access the source code of the administrative panel. The Seagate STCR3000101 has its own request integrity verification mechanism that prevents attackers from modifying HTTP requests.
Commonly found web application defenses like anti-CSRF tokens and browser security headers weren't used in many devices. These mechanisms can enhance the security of web applications and the underlying systems they interact with. Researchers disclosed the issues to the manufacturers; most were responsive and took mitigation steps. However, Drobo, Buffalo Americas, and Zioncom Holdings have yet to respond to the findings.
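As an added illustration (example code, not from the researchers or any vendor's firmware): the two controls this paragraph says were commonly absent, a synchronizer anti-CSRF token check and a baseline set of browser security headers, applied to a hypothetical admin-panel action that enables or disables a service. The header values, the endpoint and the service names are assumptions for the example.

```python
import hmac
import secrets

# Baseline browser security headers (assumed set for this example).
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

# Constructed allow-list of services the hypothetical panel can toggle.
ALLOWED_SERVICES = {"ftp", "smb", "ssh"}


def issue_csrf_token(session: dict) -> str:
    """Mint a random per-session token; the server keeps its own copy."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_request_ok(session: dict, form: dict) -> bool:
    """A state-changing request must echo the session's token exactly."""
    expected, supplied = session.get("csrf_token"), form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)  # constant-time compare


def missing_security_headers(response_headers: dict) -> list:
    """Audit helper: which baseline headers a response does not carry."""
    present = {k.lower() for k in response_headers}
    return sorted(h for h in SECURITY_HEADERS if h.lower() not in present)


def toggle_service(session: dict, form: dict, services: dict) -> tuple:
    """Handle a hypothetical POST /admin/service; returns (status, headers, body)."""
    headers = dict(SECURITY_HEADERS)
    if not csrf_request_ok(session, form):
        return 403, headers, "rejected: missing or invalid CSRF token"
    name, state = form.get("service"), form.get("state")
    if name not in ALLOWED_SERVICES or state not in ("on", "off"):
        return 400, headers, "rejected: unknown service or state"
    services[name] = state == "on"  # allow-listed name only; no shell involved
    return 200, headers, f"{name} {'enabled' if services[name] else 'disabled'}"
```

The audit helper can be run against captured responses from a device's admin panel to list which baseline headers it omits.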