Major security issues in small office and home routers have again been highlighted after TippingPoint’s Zero Day Initiative (ZDI) publicly disclosed a new vulnerability which could allow attackers to remotely execute malicious code on devices.
The remote code execution bug, CVE-2014-8361, affects the RealTek SDK, which means routers from D-Link and Trendnet for sure, but probably many others too.
The ZDI advisory had the following:
“The specific flaw exists within the miniigd SOAP service. The issue lies in the handling of the NewInternalClient requests due to a failure to sanitize user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges.”
HP-owned TippingPoint – which was told of the bug by researcher Ricky ‘HeadlessZeke’ Lawshae – decided to go public with the flaw after months of inaction by RealTek, despite telling the vendor about the vulnerability way back in August last year.
ZDI said in its advisory that the only effective mitigation strategy would be to “restrict interaction with the service to trusted machines.”
“Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it,” it added. “This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”
The disclosure is the latest in a string of similar incidents involving SOHO routers.
Most recently, D-Link was forced to push out firmware updates to some of its models to address remote code injection, DNS hijacking and other flaws.
Rapid7 security engineering manager, Tod Beardlsey, argued that patch management of home routers is “usually non-existent” because vulnerabilities mainly cause no noticeable difference in performance, and no one company takes responsibility for patching as the ecosystem is fragmented.
“There are some open source projects, such as OpenWRT and AdvancedTomato which offer much more frequent updates to the firmware that drives several versions of common, off-the-shelf router/modem hardware, but the onus is on the user to ensure that these are up to date,” he added.
“So, there are alternatives to the stock firmware offered by D-Link, Linksys, Buffalo, and other vendors, but there is definitely a maintenance cost associated with them, not the least of which is warranty violation.”