
I was visiting the CERT site main page today for another reason when I glanced at the list of recent vulnerability bulletins and came across some news I had somehow missed before today: a notice that five rather serious vulnerabilities had been found in Belkin's N600 Wireless Dual Band N+ routers. Among them is this doozy:

CWE-603: Use of Client-Side Authentication - CVE-2015-5989

When a password is implemented in the Belkin N600 web management interface, authorization is enforced client-side by the browser. By intercepting packets from the embedded server containing the strings "LockStatus": "1" and "Login_Success": "0" and modifying the values to "2" and "1" respectively, an attacker can bypass authentication and gain full, privileged access to restricted pages of the web management interface.

I think that literally dropped my jaw a little bit. Just...how the **** does this kind of stuff still come out of giant tech hardware companies in 2015?? And of course there's no updated firmware out yet (CERT released this on Aug 31). Well....alright. Moving along.

At least one other vulnerability is also involved with my question(s):

CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-5990

Belkin N600 routers contain a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. Note that in default configurations lacking password protection, an attacker can establish an active session as part of an attack and does not require a victim to be logged in.

One more bit of info: The "impact" section of the bulletin says: "A LAN-based attacker can bypass authentication to take complete control of vulnerable devices."

So I suppose I have two questions to ask that I'm rather unsure about:

  1. Can the authentication bypass method above be combined with a CSRF attack using the CSRF weakness above to allow a remote attacker to compromise a router (assume that a strong password has been set, and all normal remote administration capabilities are disabled)?

  2. Something I probably should know the answer to myself, but don't because my knowledge of the router firmware scene could use improvement: How likely is it that other router models in Belkin's dual-band consumer router series might have similar or even the same vulnerabilities?

Oh, and bonus question for the ambitious: If the answer to Q1 is "yes", is there any hardening at all a user can do, either on the router or even on user PCs that an attacker would need to use to "bounce" the CSRF attack to the router, that might be fruitful here? (CERT didn't have any really useful guidance on workarounds.)

mostlyinformed
  • FYI, other posts regarding CSRF as an attack vector on routers here: http://security.stackexchange.com/a/100727/86410. And here: http://security.stackexchange.com/a/95167/86410. – mostlyinformed Sep 22 '15 at 23:47
  • Most large companies have all of these issues, nothing is a surprise to me any more. In order to avoid being attacked by a CSRF vulnerability, use a separate browser to only perform administrative tasks in the administrative interface, meaning no other tabs should be opened. In addition, when done (although this seems like stating the obvious), click the logout button rather than closing the tab when done. – Jeroen Sep 23 '15 at 05:01
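The two CWEs quoted in the question share one root cause: the firmware lets the browser decide what the user is allowed to see and do. The following is an added example, not code from the CERT bulletin, from Belkin's firmware, or from anyone in this thread. It models a router-style admin backend in Python with a deliberately simplified `Request`/`Response` model (all names, paths, and the password are constructed for illustration). `client_side_gate` shows the CWE-603 shape the bulletin describes, where the server only reports `LockStatus`/`Login_Success` flags and serves restricted pages to anyone; `AdminServer` shows the vendor-side fix that closes both CWE-603 and CWE-352 at once: the login decision and a per-session CSRF token live only on the server, the session cookie is `HttpOnly` and `SameSite=Strict`, and logout invalidates the session server-side, which is the mechanism behind the "log out rather than close the tab" advice in the comment above.

```python
# Added example (not from the CERT bulletin or Belkin's firmware): a minimal model of a
# router web-admin backend that enforces login state and CSRF protection on the server.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Request:
    """A simplified HTTP request carrying only the fields the checks below need."""
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[Dict[str, str]] = None
    csrf_token: Optional[str] = None  # a real admin page would embed this in its forms


RESTRICTED = {"/admin/wifi", "/admin/firmware"}  # constructed paths


def _same(a: str, b: str) -> bool:
    """Constant-time string comparison (encoded so non-ASCII input cannot raise)."""
    return hmac.compare_digest(a.encode(), b.encode())


def client_side_gate(req: Request, password: str) -> Response:
    """The CWE-603 pattern the bulletin describes: the server reports login flags and
    leaves it to browser JavaScript to decide what to display. Restricted pages are
    handed out to any request, so the flags protect nothing."""
    if req.path == "/login":
        ok = _same(req.form.get("password", ""), password)
        flags = {"LockStatus": "2" if ok else "1", "Login_Success": "1" if ok else "0"}
        return Response(200, str(flags))
    return Response(200, f"contents of {req.path}")  # no server-side check at all


class AdminServer:
    """Hardened form: session state and CSRF tokens are kept only on the server."""

    def __init__(self, password: str) -> None:
        self._password = password
        self._sessions: Dict[str, str] = {}  # session id -> per-session CSRF token

    def handle(self, req: Request) -> Response:
        if req.path == "/login" and req.method == "POST":
            if not _same(req.form.get("password", ""), self._password):
                return Response(401, "bad credentials")
            sid, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
            self._sessions[sid] = token
            # HttpOnly keeps page scripts away from the cookie; SameSite=Strict stops the
            # browser attaching it to requests that another site caused it to send.
            return Response(200, "logged in",
                            set_cookie={"sid": sid, "HttpOnly": "true", "SameSite": "Strict"})

        # Every other request is decided here, never by the client's view of a flag.
        sid = req.cookies.get("sid", "")
        token = self._sessions.get(sid)
        if token is None:
            return Response(401, "login required")

        if req.method == "POST":
            # State-changing requests must carry the token that only a genuine admin
            # page (served to this session) could have embedded in its form.
            if not _same(req.form.get("csrf_token", ""), token):
                return Response(403, "missing or invalid CSRF token")

        if req.path == "/logout":
            del self._sessions[sid]  # invalidated server-side, not just in the browser
            return Response(200, "logged out")
        if req.path in RESTRICTED:
            return Response(200, f"contents of {req.path}", csrf_token=token)
        return Response(404, "not found")
```

On the question's bonus point: the checks in `AdminServer` are firmware-side, so a user cannot add them; what a user controls is whether the browser holding the session cookie ever loads untrusted content and whether the session is explicitly ended, which is exactly the separate-browser and logout hygiene suggested in the comment.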
