Analecta Cyber Company Blog: Major flaws identified in Belkin N600 routers

2015-09-04

Major flaws identified in Belkin N600 routers



Password-protected WiFi may not be enough security. Researchers at the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University, who study Internet security vulnerabilities, have issued a warning to users of certain Belkin routers. The researchers noted that a number of Belkin router models (specifically the Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17, plus possibly earlier versions) are among those affected by the security vulnerabilities.


Vulnerabilities

CERT/CC listed multiple security issues for the Belkin routers. They are:
CWE-330: Use of Insufficiently Random Values - CVE-2015-5987
CWE-319: Cleartext Transmission of Sensitive Information
CWE-255: Credentials Management - CVE-2015-5988
CWE-603: Use of Client-Side Authentication - CVE-2015-5989
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2015-5990

What could an attacker do?

Because of these vulnerabilities, the routers could allow an attacker to carry out Domain Name System (DNS) spoofing, also called DNS cache poisoning. This is an attack in which forged data is introduced into a DNS resolver's cache, causing the name server to return an incorrect IP address and diverting traffic to another computer or to the attacker's computer.

To perform this type of cache poisoning attack, the attacker takes advantage of flaws in the DNS software. The server could end up caching the incorrect entries locally and relaying them to any client making the same request. This spoofing also allows the attacker to direct users away from a website to another site the attacker selects. A user whose computer has referenced the poisoned DNS server is thus tricked into accepting content coming from a bogus server, potentially downloading malicious content such as worms or computer viruses.
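The following is an added example, not code from CERT/CC, Belkin or the original post: a defensive audit that checks whether a device's outgoing DNS queries use guessable transaction IDs, since a forged response is only accepted if it matches the ID of a pending query. The page does not say which values are insufficiently random; the example assumes they are the 16-bit DNS transaction IDs, and all packets, hostnames and function names are constructed for illustration.

```python
import struct

def build_query(txid, name):
    """Build a minimal DNS A query (constructed sample data, not a capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def query_txid(packet):
    """Return the 16-bit transaction ID of a DNS query, or None otherwise."""
    if len(packet) < 12:          # shorter than a DNS header
        return None
    txid, flags = struct.unpack("!HH", packet[:4])
    if flags & 0x8000:            # QR bit set: a response, not a query
        return None
    return txid

def audit_txids(packets, min_samples=8, threshold=0.8):
    """Flag a resolver whose successive query IDs differ by a constant step.

    Returns (verdict, step). "no-pattern-found" only means this one test
    did not fire; it is not proof that the IDs are random.
    """
    ids = [t for t in map(query_txid, packets) if t is not None]
    if len(ids) < min_samples:
        return ("insufficient-data", None)
    # Differences modulo 2**16 so that a counter wrapping past 0xFFFF still matches.
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    step = max(set(deltas), key=deltas.count)
    if deltas.count(step) / len(deltas) >= threshold:
        return ("predictable", step)
    return ("no-pattern-found", None)

# Constructed samples: queries as they would appear on the router's WAN side.
COUNTER = [build_query(i, "update.example") for i in range(2, 14)]
WRAPPING = [build_query((65530 + i) % 65536, "ntp.example") for i in range(12)]
SCATTERED = [build_query(i, "update.example") for i in
             (40001, 5111, 58032, 23049, 2003, 51438, 15122, 62560, 24869, 43418)]

if __name__ == "__main__":
    for label, sample in (("counter", COUNTER), ("wrapping", WRAPPING),
                          ("scattered", SCATTERED)):
        print(label, audit_txids(sample))
```

In practice the packet list would come from a capture of the device's own upstream DNS queries, taken on a network you administer.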

Through these vulnerabilities, an attacker can also intercept credentials sent as cleartext. Because the company uses plaintext HTTP to send information to the N600 routers, an attacker in a man-in-the-middle position could block firmware updates or send arbitrary files to the routers.

Other issues

Moreover, Belkin N600 routers by default don't have a password set for the web management interface. A local area network (LAN) attacker could therefore get privileged access to the router's interface and use the weakness to carry out cross-site request forgery (CSRF). Belkin routers contain a global cross-site request forgery bug. With the default configuration of no password protection, an attacker can perform actions as part of an attack that does not require the victim to have an active session.

Common sense practices

Currently, CERT/CC is unaware of a practical solution to this problem or a patch developed by Belkin. So until these vulnerabilities are addressed, users are advised to do the following:
Only allow trusted hosts to connect to the LAN
Implement strong passwords for WiFi and the web management interface
LAN hosts should not browse the Internet while there is an active session on the web management interface in a browser tab


