There's a critical bug in this router: but the vendor doesn't want to know.
Plus ça change plus c'est la même chose?
When it comes software security bugs, a quick count by The Stack reveals that 19,249 vulnerabilities and exposures (CVEs) were allocated in 2020 – over 52 every single day.
Plenty of these were unlikely to be exploited in the wild, challenging to abuse, or generally irrelevant for other reasons. But many others were troubling, critical; even wormable.
July’s brace of CVSS 10 bugs – CVE-2020-5902 and CVE-2020-1350 – stands out. (Remember F5 Networks BIG-IP bug, or the RCE vulnerability on all Windows Servers using the DNS server role that got the NSA worried?)
That’s before the SolarWinds Orion incident put the cherry on 2020’s cake, with governments and blue chips hacked via a supply chain compromise in the most far-reaching (certainly the most public) cyber-espionage incident to date. (Two different sophisticated actors may have compromised SolarWinds security and the incident raises troubling questions about "shared liability", but that’s another story...)
$1b router firm's got a critical bug in its products
Are things likely to improve this year on the cybersecurity front? It seems implausible.
Less than a week in to 2021* a juior security researcher at a US cybersecurity company has identified a critical CVSS 9.6-rated bug (CVE-2020-35391) in a family of router products made by Chinese company Tenda – a switchgear, router and networking hardware company based in Shenzhen, with annual revenues of $1b+.
(Tenda claims to ship products to over 100 countries. It lists three UK resellers.)
Dear Tenda, answer your emails...
Michelle Bonilla, 27, is interning at Signal Hill Technologies: a Virginia-based security specialist that offers threat detection, incident response, architecture planning and project management services for a client base that includes federal intelligence and financial services clients.
The recent cybersecurity graduate was tasked with picking a product and testing its security by Signal Hill Tech's founder Steve Jones and Director of Innovation Thomas Moore.
After some hands-on work that started with a simple nmap scan she saw that it had two open TCP ports (80 and 1980) running on the GoAhead WebServer and Cisco Dp3828 respectively. A bit more probing and some custom Python code later and the intern identified a malformed HTTP request header processing vulnerability, that gave them full access to the router.
Michelle told The Stack: "This was a very different process to learning in the lab [as part of a cybersecurity degree], which is very step-by-step; very calculated. It was a great learning experience. We weren't sure what we'd find so it was exciting to get a full compromise."
Tenda did not respond to Signal Hill Tech's disclosure and has not responded to a request for comment from The Stack. The vulnerability is not limited to the N300 F3 model, she added.
As Michelle noted in a blog for Signal Hill Tech: "Security analyst Sanja Sarda at Independent Security Evaluators (ISE) [previously] tested the AC15 AC1900 Smart Dual-band Gigabit Wi-Fi Router and found a total of five vulnerabilities.
"These included insufficient request validation (CVE-2020–10986), insufficient data validation and sanitization (CVE-2020–10989), and a hardcoded telnet password (CVE-2020–10988). These vulnerabilities created a cross-site scripting (XSS) and cross-site request forgery risk, while two flaws (CVE-2020 10987 and (CVE-2020-TBA) opened the door to remote code execution and complete takeover”.
Michelle's detailed write-up is here.
The critical bug remains unpatched.
For what it is worth, The Stack believes the US should implement the recommendations of the Solarium Commission in its cross-party 2020 report to stop vendors (whether Chinese, American, or from elsewhere) shipping with such poor security out of the box.
This proposes a strategy of layered cyber-deterrence which includes 80 recommendations. Among them is that a "National Cybersecurity Certification and Labeling Authority should be established and empowered to publicly certify products that vendors have attested meet and comply with secure product development best practices and other cybersecurity standards identified by the authority.
The Commission adds: "Issued certifications should be publicly accessible and manufacturers should be encouraged to display certification marks on product packaging."
*We're tracking it as a 2021 bug as we use NIST's vulnerability database for our guide. The CVE sits in NIST's January 2021 CVE database. Signal Hill Tech initially disclosed the vuln to US-CERT on November 9, 2020, to Tenda on November 23 and published on December 31, 2020.