Showing posts with label Router vulnerability.

D-Link Urges Replacement of End-of-Life VPN Routers Amid Critical Security Vulnerability

D-Link has issued a strong warning to its customers, advising them to replace certain end-of-life (EoL) VPN router models immediately. This follows the discovery of a critical unauthenticated remote code execution (RCE) vulnerability that will not be addressed with security patches for the affected devices. The vulnerability was reported to D-Link by security researcher “delsploit,” although technical details have been withheld to prevent widespread exploitation. The flaw impacts all hardware and firmware versions of the DSR-150, DSR-150N, DSR-250, and DSR-250N models, particularly firmware versions 3.13 to 3.17B901C. 

These routers, which have been popular among home offices and small businesses worldwide, officially reached their end-of-service (EoS) status on May 1, 2024. D-Link’s advisory makes it clear that no further security updates will be issued for these devices. Customers are strongly encouraged to replace the affected models to avoid potential risks. For users who continue using these devices despite the warnings, D-Link suggests downloading the latest available firmware from their legacy website. 

However, it is important to note that even the most up-to-date firmware will not protect the routers from the RCE vulnerability. The company also cautions against using third-party open-firmware solutions, as these are unsupported and will void any product warranties. D-Link’s policy not to provide security fixes for EoL devices reflects a broader strategy within the networking hardware industry. The company cites factors such as evolving technologies, market demands, and product lifecycle maturity as reasons for discontinuing support for older models. The issue with D-Link routers is not an isolated case. 

Earlier this month, researcher “Netsecfish” revealed CVE-2024-10914, a command injection flaw affecting thousands of EoL D-Link NAS devices. Similarly, three critical vulnerabilities were recently disclosed in the D-Link DSL6740C modem. In both instances, the company chose not to release updates despite evidence of active exploitation attempts. The growing trend of security risks in EoL networking hardware highlights the importance of timely device replacement. 

As D-Link warns, continued use of unsupported routers not only puts connected devices at risk but may also leave sensitive data vulnerable to exploitation. By replacing outdated equipment with modern, supported alternatives, users can ensure stronger protection against emerging cybersecurity threats.

DrayTek Patches 14 Vulnerabilities, Including Critical Buffer Overflow Flaws

DrayTek recently patched 14 vulnerabilities in 24 router models, including a critical buffer overflow flaw that could allow remote code execution (RCE) or denial of service (DoS). The vulnerabilities, identified by Forescout Research’s Vedere Labs and described in their “DRAY:BREAK” report, include two critical flaws, nine high-severity flaws, and three medium-severity issues. 

The most severe flaw, CVE-2024-41492, involves the “GetCGI()” function in the web user interface, allowing attackers to exploit query string parameters and execute RCE or DoS attacks. Another critical flaw, CVE-2024-41585, involves OS command injection via the “recvCmd” binary, which could lead to a virtual machine escape. Forescout’s analysis of exposed DrayTek devices revealed more than 700,000 connected devices vulnerable to similar flaws. Of these, nearly 38% remain susceptible to exploitation due to outdated firmware or years-old vulnerabilities. 

Notably, fewer than 3% of exposed devices have installed the latest firmware, and many still run version 3.8.9.2, which is over six years old. A significant portion of these devices, often used in business sectors such as healthcare and manufacturing, remain vulnerable because they have not been updated to the latest firmware despite vendor recommendations. To mitigate the risk, organizations using DrayTek routers should immediately patch their devices with the latest firmware updates. Disabling remote access, enabling two-factor authentication, and implementing Access Control Lists (ACLs) are also vital measures to secure the devices. 

Continuous monitoring of syslog output for unusual activity can also help detect and mitigate potential threats. Forescout’s report emphasizes that outdated routers pose a serious threat, with about 63% of the exposed devices being end-of-sale or end-of-life (EoL) models. Such outdated devices are a prime target for attackers, as demonstrated by the addition of older DrayTek vulnerabilities to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog. 

Although no evidence currently exists of exploitation of these newly discovered vulnerabilities, the risk remains high, especially given the long-standing pattern of recurring flaws in DrayTek devices. The security of DrayTek routers hinges on timely updates and robust security measures. The newly patched vulnerabilities, while not yet exploited, demonstrate the importance of ongoing vigilance and proactive cybersecurity measures, especially in industries reliant on these devices for network access.
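The syslog monitoring the report recommends is easy to automate. The following is an added example, not code from Forescout's report or from DrayTek firmware: it parses a few constructed login lines and raises two kinds of alert, a burst of failed web-UI logins from one source, and a successful administrative login from outside an allow-list of trusted networks. The "webui: login ..." message wording, the trusted networks, the threshold and the window are all assumptions made for the example, not DrayTek's actual log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines. The "webui: login ..." wording is an
# assumed generic format for this example, not DrayTek's real log format.
SAMPLE_SYSLOG = """\
Oct 03 10:00:01 router1 webui: login failed user=admin src=203.0.113.45
Oct 03 10:00:03 router1 webui: login failed user=admin src=203.0.113.45
Oct 03 10:00:04 router1 webui: login failed user=root src=203.0.113.45
Oct 03 10:00:06 router1 webui: login failed user=admin src=203.0.113.45
Oct 03 10:00:07 router1 webui: login failed user=admin src=203.0.113.45
Oct 03 10:15:00 router1 webui: login ok user=admin src=192.168.1.10
Oct 03 11:30:12 router1 webui: login ok user=admin src=198.51.100.7
"""

# Assumed: administrators only ever log in from these networks.
TRUSTED_ADMIN_NETS = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/8")]
FAIL_THRESHOLD = 5                    # failures from one source ...
FAIL_WINDOW = timedelta(minutes=1)    # ... inside this sliding window

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) webui: "
    r"login (?P<result>ok|failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line, year=2024):
    """Return a dict for a recognised login line, else None (syslog carries no year)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": ip_address(m["src"])}


def analyze(text):
    """Return alerts as (kind, source, detail) tuples, in log order."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside the window
    for event in filter(None, (parse_line(line) for line in text.splitlines())):
        src = str(event["src"])
        if event["result"] == "failed":
            window = recent_failures[src]
            window.append(event["ts"])
            while window and event["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) == FAIL_THRESHOLD:        # fire once per burst
                alerts.append(("brute-force", src,
                               f"{FAIL_THRESHOLD} failures in {FAIL_WINDOW}"))
        elif not any(event["src"] in net for net in TRUSTED_ADMIN_NETS):
            alerts.append(("untrusted-admin-login", src, event["user"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_SYSLOG):
        print(*alert)
```

The second alert type is the one that matters most when remote administration cannot be switched off: a successful login from an unexpected source is a far stronger signal than any number of failures, and it is only visible if the router actually ships its logs to a collector the attacker cannot silence.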

New Cuttlefish Malware Hijacks Router Connections, Cloud Data Stolen

In the ever-evolving landscape of cybersecurity threats, a new menace has emerged: Cuttlefish. This sophisticated malware targets enterprise-grade and small office/home office (SOHO) routers, posing a significant risk to businesses and individual users alike. 

Discovered by Lumen Technologies' Black Lotus Labs, Cuttlefish operates by infecting routers and creating a proxy or VPN tunnel to stealthily exfiltrate data. By doing so, it bypasses security measures designed to detect unusual sign-ins, making it particularly insidious. One of the most concerning aspects of Cuttlefish is its ability to perform DNS and HTTP hijacking within private IP spaces. 

This interference with internal communications can disrupt organizational workflows and potentially introduce additional payloads, compounding the damage caused by the initial infection. While Cuttlefish shares some code similarities with HiatusRat, a malware previously associated with Chinese state interests, there is no definitive link between the two. Attribution remains challenging, further complicating efforts to combat this threat effectively. 

According to Black Lotus Labs, Cuttlefish has been active since at least July 2023, primarily targeting users in Turkey. However, infections have been reported elsewhere, impacting services such as satellite phones and data centres. The exact method of initial infection remains unclear, but it likely involves exploiting known vulnerabilities or brute-forcing credentials. Once inside a router, Cuttlefish deploys a bash script to collect host-based data and download its primary payload. 

What sets Cuttlefish apart is its adaptability to various router architectures, making it a versatile threat capable of targeting a wide range of devices. Once executed, the malware monitors all connections passing through the router, searching for specific data such as usernames, passwords, and tokens associated with cloud services like AWS and Digital Ocean. Once this data is captured, Cuttlefish exfiltrates it to the attacker's command and control (C2) server using a peer-to-peer VPN or proxy tunnel.

Additionally, the malware can redirect DNS and HTTP requests to actor-controlled infrastructure, enabling further data interception and manipulation. Cuttlefish severely threatens organizations worldwide, allowing attackers to bypass traditional security measures and dwell undetected within cloud environments. Network administrators should take proactive steps to strengthen their defences to mitigate the risk posed by Cuttlefish and similar threats. 

This includes eliminating weak credentials, monitoring for unusual logins, securing traffic with TLS/SSL encryption, and inspecting devices for signs of compromise. Additionally, regular router reboots, firmware updates, and password changes are recommended for SOHO router users to prevent exploitation.  

Cuttlefish represents a significant escalation in cyber threats, underscoring the importance of robust cybersecurity practices and constant vigilance in today's digital landscape. Organizations can better protect themselves against emerging threats like Cuttlefish by staying informed and implementing proactive security measures.
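One of the inspections recommended above, checking whether the router's DNS answers have been tampered with, can be scripted from a client behind the router. The following is an added example, not code from Black Lotus Labs' report: it compares the answers the router-supplied resolver gave for a few public hostnames against answers obtained from a reference resolver over a trusted path, and flags two conditions, a public name resolving to a non-global (private, loopback, link-local) address, which is the shape of an in-LAN hijack, and an answer that disagrees entirely with the reference. The hostnames are real, but every address below is constructed for the example.

```python
import socket
from ipaddress import ip_address

# Constructed sample answers (all addresses made up): what the router-supplied
# resolver returned, and what a reference resolver queried over a trusted path
# (for example DNS over TLS to a known provider) returned for the same names.
ROUTER_ANSWERS = {
    "sts.amazonaws.com":    ["192.168.88.2"],    # public name answered with a LAN address
    "api.digitalocean.com": ["52.0.0.10"],       # differs from the reference answer
    "www.example.com":      ["104.16.0.20"],     # agrees with the reference
}
REFERENCE_ANSWERS = {
    "sts.amazonaws.com":    ["151.101.0.30"],
    "api.digitalocean.com": ["104.16.0.21"],
    "www.example.com":      ["104.16.0.20"],
}


def resolve_via_system(name):
    """Ask the host's configured resolver, which on a SOHO network is usually the router."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


def check_dns(router, reference):
    """Return (name, finding, addresses) for every answer that looks hijacked."""
    findings = []
    for name, answers in router.items():
        # A public hostname must never resolve to a private, loopback or otherwise
        # non-global address; that is what a redirect to actor-controlled LAN
        # infrastructure looks like from the client's side.
        non_global = [a for a in answers if not ip_address(a).is_global]
        if non_global:
            findings.append((name, "non-global-answer", non_global))
            continue
        ref = set(reference.get(name, []))
        if ref and not ref.intersection(answers):
            findings.append((name, "mismatch-with-reference", list(answers)))
    return findings


if __name__ == "__main__":
    for finding in check_dns(ROUTER_ANSWERS, REFERENCE_ANSWERS):
        print(*finding)
```

A mismatch is a prompt to investigate rather than proof of compromise, since CDN-backed names legitimately return different addresses to different resolvers; a non-global answer for a public name has no such benign explanation. To run it live, replace ROUTER_ANSWERS with the output of resolve_via_system for the names you care about and populate the reference side from a resolver the router cannot intercept.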

Data on Resold Corporate Routers can be Used by Hackers to Access Networks

Enterprise-level network equipment available on the black market conceals important information that hackers could use to infiltrate company networks or steal consumer data. 

Researchers examined a number of used corporate-grade routers and discovered that the majority of them had been incorrectly decommissioned and then sold online. 

Selling core routers 

Eighteen secondhand core routers were purchased by researchers at cybersecurity company ESET, who discovered that on more than half of those that operated as intended, it was still possible to obtain the full configuration data. 

Core routers form the backbone of a large network: all other network devices are connected through them. They are built to forward IP packets at the highest rates and to handle a variety of data transmission interfaces. 

When the ESET research team initially purchased a few secondhand routers to create a test environment, they discovered that they had not been completely wiped and still included network configuration data as well as information that might be used to identify the former owners.

Four Cisco (ASA 5500) devices, three Fortinet (Fortigate series) devices, and eleven Juniper Networks (SRX Series Services Gateway) devices were among the hardware items purchased. 

Cameron Camp and Tony Anscombe state in a report from earlier this week that two devices were mirror images of one another and were treated as one in the evaluation results, while one device was dead on arrival and excluded from the tests. 

Only two of the 16 remaining devices had been hardened, making some of the data more difficult to access, and only five of them had been properly wiped. 

The majority of them, however, allowed access to the whole configuration data, which contains a wealth of information about the owner, how they configured the network, and the relationships between various systems. 

To safely wipe the settings and reset a corporate network device, the administrator must issue a few commands. If this is not done, the router can be started in recovery mode, which makes it possible to read and verify the stored configuration. 

Network loopholes 

The researchers claim that a few of the routers stored user data, information allowing other parties to connect to the network, and even "credentials for connecting to other networks as a trusted party." 

Additionally, the router-to-router authentication keys and hashes were present on eight out of the nine routers that provided the whole configuration data. Complete maps of private applications stored locally or online were included in the list of business secrets. Examples include SQL, Spiceworks, Salesforce, SharePoint, VMware Horizon, and Microsoft Exchange. 

“With this level of detail, impersonating network or internal hosts would be far simpler for an attacker, especially since the devices often contain VPN credentials or other easily cracked authentication tokens” - ESET researchers explained. 

According to the study, such in-depth insider knowledge is normally only available to "highly credentialed personnel" like network administrators and their managers. With this kind of knowledge at hand, an attacker might simply create an undetectable attack vector that would take them far inside the network. 

According to information found in the routers, many of them had been in the environments of managed IT providers, which run the networks of large businesses. 

One device even belonged to a managed security services provider (MSSP) that managed networks for hundreds of clients across a variety of industries (such as manufacturing, banking, healthcare, and education). 

The researchers then discuss the significance of thoroughly cleaning network devices before getting rid of them in light of their findings. Companies should have policies in place for the secure disposal of their digital equipment. 

The researchers also caution against assuming that a third-party disposal service will do this correctly: after informing the owner of one router of their findings, they learned that the business had used such a service. 

The advice is to wipe the device free of any potentially sensitive data and reset it to factory default settings in accordance with the manufacturer's instructions.
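Before a device leaves the organisation, the exported configuration itself is the most direct thing to check. The following is an added example, not ESET's tooling or any vendor's command: it scans a constructed Cisco IOS-style configuration for the categories of material the researchers found on resold units (local credentials, SNMP communities, IPsec pre-shared keys, routing-protocol authentication keys, AAA server keys) and reports line numbers and categories without ever copying the secret values into the report. The sample configuration and every value in it are made up; the pattern list covers Cisco IOS syntax only and is an assumption for the example.

```python
import re

# Constructed Cisco IOS-style configuration excerpt. All values are made up;
# nothing here comes from the ESET report or from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
enable secret 5 $1$abcd$EXAMPLEHASHxxxxxxxxxxxxxx
username netops privilege 15 secret 5 $1$efgh$EXAMPLEHASHyyyyyyyyyyyyyy
!
snmp-server community OpsRO RO
snmp-server community OpsRW RW
!
crypto isakmp key S3cretPSK address 198.51.100.10
!
router bgp 65001
 neighbor 198.51.100.10 remote-as 65002
 neighbor 198.51.100.10 password BgpMd5Key
!
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip ospf message-digest-key 1 md5 OspfKey1
!
tacacs-server host 10.10.20.5 key TacacsSharedKey
"""

# Each pattern names a class of material that must not leave with the hardware.
# The syntax is Cisco IOS; other vendors need their own list (assumed for the example).
SECRET_PATTERNS = [
    ("enable-secret",          re.compile(r"^enable (secret|password)\b")),
    ("local-user-credential",  re.compile(r"^username \S+ .*\b(secret|password)\b")),
    ("snmp-community",         re.compile(r"^snmp-server community \S+")),
    ("ipsec-preshared-key",    re.compile(r"^crypto isakmp key \S+")),
    ("bgp-neighbor-password",  re.compile(r"^neighbor \S+ password\b")),
    ("ospf-md5-key",           re.compile(r"^ip ospf message-digest-key \d+ md5\b")),
    ("aaa-server-key",         re.compile(r"^(tacacs-server|radius-server) host .*\bkey\b")),
]


def scan_config(text):
    """Return (line_no, category, redacted_line) for every line that carries a secret."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()              # IOS indents sub-mode commands
        for category, pattern in SECRET_PATTERNS:
            if pattern.match(line):
                # keep only the command keywords; the secret itself never enters the report
                redacted = " ".join(line.split()[:2]) + " ..."
                findings.append((line_no, category, redacted))
                break
    return findings


def ready_for_disposal(text):
    """True only when the configuration carries none of the material above."""
    return not scan_config(text)


if __name__ == "__main__":
    for line_no, category, redacted in scan_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {category}: {redacted}")
```

The useful workflow is to run the scan on the running and startup configuration before decommissioning, perform the vendor's documented factory reset (for example `write erase` followed by `reload` on Cisco IOS, or `request system zeroize` on Junos), and then boot the device and export its configuration again: a clean second scan, rather than a ticket closed by a disposal contractor, is the evidence that the wipe happened.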

Cisco devices have critical vulnerabilities

Security researchers have found many serious vulnerabilities inside dozens of Cisco devices.

The cybersecurity company Red Balloon claims that the Cisco 1001-X has two major flaws. One is a software flaw in the router’s operating system that would give hackers root access. The second flaw is far more dangerous, as it allows malicious actors to bypass the router’s security feature, Trust Anchor. 

The second flaw “means we can make arbitrary changes to a Cisco router, and the Trust Anchor will still report that the device is trustworthy. Which is scary and bad, because this is in every important Cisco product. Everything,” Ang Cui, the founder and CEO of Red Balloon, explained.

In the meantime, Cisco has released a fix for the first flaw but is still working on the second one. “The Trust Anchor module is not directly involved in the work demonstrated by Red Balloon,” a spokesperson told Wired.

It is believed that the vulnerability could become serious if not handled carefully and on time. 

Vulnerability in Realtek SDK leaves D-Link and TRENDnet routers vulnerable to Hackers

D-Link and TRENDnet routers are vulnerable to remote code execution attacks because of a flaw in a component of the Realtek Software Development Kit (SDK).

A content developer at HP Enterprise Security discovered the flaw.

Ricky Lawshae first reported the flaw to HP’s Zero-Day Initiative (ZDI) in August 2014 and sent them his final findings in October.

However, Realtek did not come up with a plan to fix the problem, and as a result the router flaw has now been publicly disclosed.

The vulnerability (CVE-2014-8361) allows a remote, unauthenticated attacker to execute arbitrary code on affected systems with root privileges. ZDI has assigned the vulnerability a CVSS score of 10.

The security hole affects the Realtek SDK used for RTL81xx chipsets.

Although the flaw has been confirmed on D-Link and TRENDnet routers, it is not clear how many small office and home (SOHO) routers are affected.

The researcher said, however, that devices using the minigd binary from the Realtek SDK are likely to be vulnerable.

“Given the stated purpose of Realtek SDK, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines,” ZDI officials wrote in an advisory published on Friday.

“Only the clients and servers that have a legitimate procedural relationship with products using Realtek SDK service should be permitted to communicate with it.”
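The mitigation ZDI describes, and the ACLs recommended in the DrayTek post above, come down to a first-match access list with an explicit deny for the service placed before any broad permit. The following is an added example, not code from ZDI, Realtek or any router firmware: it models that evaluation logic in Python and runs constructed connection attempts through it, including a deliberately mis-ordered copy of the policy to show why rule order decides whether the restriction holds. The service port, the trusted hosts and the LAN range are placeholders assumed for the example; the advisory names none of them, and real enforcement belongs in the router or upstream firewall, not in a script.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Placeholder port for the Realtek SDK service; the advisory does not give one.
SERVICE_PORT = 50000


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: IPv4Network            # source network the rule matches
    dst_port: Optional[int]     # None matches any destination port


# Assumed policy: only two management hosts may reach the service. The explicit
# deny for the service port sits before the broad LAN permit on purpose.
POLICY = [
    Rule("permit", ip_network("192.168.1.10/32"), SERVICE_PORT),
    Rule("permit", ip_network("192.168.1.11/32"), SERVICE_PORT),
    Rule("deny",   ip_network("0.0.0.0/0"),       SERVICE_PORT),
    Rule("permit", ip_network("192.168.1.0/24"),  None),
]

# Same rules with the broad LAN permit moved to the top: every LAN host now
# reaches the service, because the first matching rule wins.
MISORDERED = [POLICY[3], *POLICY[:3]]


def evaluate(policy, src, dst_port):
    """First matching rule decides; no match at all means deny (implicit deny)."""
    addr = ip_address(src)
    for rule in policy:
        if addr in rule.src and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"


def audit(policy, attempts):
    """Decide a batch of (src, dst_port) attempts; returns (src, port, decision) tuples."""
    return [(src, port, evaluate(policy, src, port)) for src, port in attempts]


# Constructed connection attempts: a trusted host, a LAN guest and a WAN host.
SAMPLE_ATTEMPTS = [
    ("192.168.1.10", SERVICE_PORT),
    ("192.168.1.50", SERVICE_PORT),
    ("203.0.113.9",  SERVICE_PORT),
    ("192.168.1.50", 80),
    ("203.0.113.9",  80),
]

if __name__ == "__main__":
    for src, port, decision in audit(POLICY, SAMPLE_ATTEMPTS):
        print(f"{src}:{port} -> {decision}")
```

The same structure applies whether the rules are written for a router ACL, nftables, or a cloud security group: enumerate the trusted peers, deny everyone else to the vulnerable service, and only then allow general traffic. Re-running the audit after every policy change is a cheap way to catch the ordering mistake MISORDERED illustrates.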

Realtek still has not commented on the findings.

D-Link has released firmware updates that address the vulnerability in affected D-Link devices.

The flaw found on these wireless routers is said to be neither unique nor rare.

Earlier, researchers reported several vulnerabilities related to the ncc/ncc2 service used by devices from both vendors, and both D-Link and TRENDnet released firmware updates to address them.

Last month, a researcher complained that D-Link had failed to properly patch those vulnerabilities related to the Home Network Administration Protocol (HNAP).

Cisco Small Business Routers can be remotely hacked

A security flaw in Cisco wireless VPN routers and Cisco wireless VPN firewalls allows an attacker to gain remote access to the admin panel of the affected device's web management interface.

According to the security advisory, the vulnerability is due to improper handling of authentication requests by the web framework.

"An attacker could exploit this vulnerability by intercepting, modifying and resubmitting an authentication request," the security advisory reads.

The Common Vulnerability Scoring System (CVSS) rates this vulnerability as highly critical, with a base score of 10.

Cisco has issued a software update for all of the affected devices to address this vulnerability. There are currently no known workarounds that mitigate it.

Cisco says the vulnerability is not being publicly exploited by any attackers. It was reported by security researcher Gustavo Javier Speranza.
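The advisory's wording, "intercepting, modifying and resubmitting an authentication request", describes the two properties a login handler must enforce on the server side: a captured request must not be accepted a second time, and nothing the client adds to a modified request may influence what privilege the session gets. The following is an added example written for this post, not Cisco's web framework and not a model of the specific flaw in the advisory: a small login handler that consumes a single-use server-issued nonce, verifies the password with a constant-time comparison, and assigns privilege only from its own user record. The user name, password and privilege level are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


class AuthServer:
    """Illustrative login handler (assumed design, not any vendor's code)."""

    NONCE_TTL_SECONDS = 60

    def __init__(self):
        self._users = {}       # name -> (salt, pbkdf2 hash, privilege level)
        self._nonces = {}      # nonce -> expiry (monotonic seconds)
        self._sessions = {}    # random token -> (name, privilege level)

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name, password, privilege):
        salt = secrets.token_bytes(16)
        self._users[name] = (salt, self._kdf(password, salt), privilege)

    def issue_nonce(self):
        """Served with the login form; each value is accepted exactly once."""
        nonce = secrets.token_urlsafe(16)
        self._nonces[nonce] = time.monotonic() + self.NONCE_TTL_SECONDS
        return nonce

    def login(self, request):
        """request is the parsed form body. Returns (session_token, status)."""
        # 1. Replay protection: the nonce is consumed on first use, so resubmitting
        #    an intercepted request fails even when everything else in it is valid.
        expiry = self._nonces.pop(request.get("nonce"), None)
        if expiry is None or expiry < time.monotonic():
            return None, "stale-or-replayed-nonce"
        # 2. Privilege comes from the server-side user record; a "privilege" or
        #    "role" field added to a modified request is never consulted.
        record = self._users.get(request.get("user", ""))
        if record is None:
            self._kdf(request.get("password", ""), b"\x00" * 16)  # equalise timing
            return None, "bad-credentials"
        salt, stored, privilege = record
        if not hmac.compare_digest(stored, self._kdf(request.get("password", ""), salt)):
            return None, "bad-credentials"
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (request["user"], privilege)
        return token, "ok"

    def privilege_for(self, token):
        """Authorization checks look only at the server-side session store."""
        return self._sessions.get(token, (None, None))[1]


def demo():
    """Walk through a valid login, a replay of it, and a modified copy of it."""
    server = AuthServer()
    server.add_user("admin", "example-password", privilege=15)   # constructed account
    request = {"user": "admin", "password": "example-password",
               "nonce": server.issue_nonce()}
    token, first = server.login(request)
    _, replayed = server.login(request)                   # identical request again
    tampered = dict(request, password="guess", privilege=15,  # modified copy, fresh nonce
                    nonce=server.issue_nonce())
    _, modified = server.login(tampered)
    return first, server.privilege_for(token), replayed, modified


if __name__ == "__main__":
    print(demo())
```

Both checks are cheap and independent of the credential itself, which is why a framework that lacks them can fail even when passwords are strong: the attacker never needs to know the password if the server will honour a request it has already seen, or believe a privilege level it did not assign.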