SOHOpeless: Belkin router redirection zero-day
DNS response fondling confounds security
Security bod Joel Land has reported zero-day holes in a popular model of Belkin router allowing attackers to yank cleartext credentials, spoof DNS responses, and pop admin interfaces.
The Belkin N600 DB Wireless Dual Band N+ box released in 2012 and selling for around AUD$150 contains five vulnerabilities from slack randomness (CVE-2015-5987) to cleartext violations and cross-site request forgery (CVE-2015-5990).
Land of the US CERT/CC says remote attackers could redirect Belkin owners to malicious sites where all manner of hacking can occur.
"A remote, unauthenticated attacker may be able to spoof DNS responses to cause vulnerable devices to contact attacker-controlled hosts or induce an authenticated user into making an unintentional request to the web server that will be treated as an authentic request," Land says in an advisory.
"DNS queries originating from the Belkin N600, such as those to resolve the names of firmware update and NTP servers, use predictable TXIDs that start at 0x0002 and increase incrementally. An attacker with the ability to spoof DNS responses can cause the router to contact incorrect or malicious hosts under the attacker's control.
"A LAN-based attacker can bypass authentication to take complete control of vulnerable devices."
Belkin was notified of the vulnerabilities in its latest firmware and likely those earlier but has not released a fix. There is also no mitigations nor practical fixes "as general users are unlikely to be able to monitor traffic entering the router's WAN port".
The cross-site request forgery attack can be used to exploit the absence of a password for the web management portal accessible over the LAN.
Cleartext firmware updating means jerk friends attackers residing on the network or otherwise in a man-in-the-middle position can inject net nasties into the traffic stream.
LAN hosts should not surf the web while the web management portal is open and strong passwords should be used where possible to reduce the chance of cross-site forgery attacks, Land says. ®