CERT Warns of Slew of Bugs in Belkin N600 Routers


The CERT/CC is warning users that some Belkin home routers contain a number of vulnerabilities that could allow an attacker to spoof DNS responses, intercept credentials sent in cleartext, access the web management interface, and take other actions on vulnerable routers.

The vulnerabilities affect the Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17, and potentially earlier versions of the firmware as well. The vulnerabilities have not been patched by Belkin, and the advisory from the CERT/CC says there aren’t any practical workarounds for them.


Among the bugs in the router is a problem caused by the use of insufficiently random values to calculate transaction IDs. The issue could allow an attacker to guess the next TXID and spoof a response from a DNS server.

“DNS queries originating from the Belkin N600, such as those to resolve the names of firmware update and NTP servers, use predictable TXIDs that start at 0x0002 and increase incrementally. An attacker with the ability to spoof DNS responses can cause the router to contact incorrect or malicious hosts under the attacker’s control,” the CERT/CC advisory says.
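Incrementing TXIDs of this kind are visible in any packet capture of the router's outbound DNS traffic. The following Python sketch is an added example, not code from the advisory or from Belkin: it parses the DNS header of each captured query and flags sources whose TXIDs step by one. The IP addresses, hostnames, thresholds and sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

def build_query(txid, name):
    """Build a minimal DNS A query (used only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_query_txid(payload):
    """Return the TXID of a DNS query, or None for responses and short data."""
    if len(payload) < 12:          # DNS header is 12 bytes
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    if flags & 0x8000:             # QR bit set means this is a response
        return None
    return txid

def sequential_ratio(txids):
    """Fraction of consecutive queries whose TXID is previous + 1 (mod 2^16)."""
    if len(txids) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(txids, txids[1:]) if (b - a) & 0xFFFF == 1)
    return hits / (len(txids) - 1)

def flag_predictable_sources(packets, min_queries=5, threshold=0.8):
    """packets: iterable of (src_ip, udp_payload) in capture order.
    Returns {src_ip: ratio} for sources whose TXIDs mostly increment by one."""
    by_src = defaultdict(list)
    for src, payload in packets:
        txid = parse_query_txid(payload)
        if txid is not None:
            by_src[src].append(txid)
    flagged = {}
    for src, txids in by_src.items():
        ratio = sequential_ratio(txids)
        if len(txids) >= min_queries and ratio >= threshold:
            flagged[src] = ratio
    return flagged

# Constructed capture: 192.0.2.1 behaves as the advisory describes (TXIDs
# counting up from 0x0002); 192.0.2.50 uses scattered TXIDs.
ROUTER = [("192.0.2.1", build_query(0x0002 + i, "ntp.example")) for i in range(6)]
OTHER = [("192.0.2.50", build_query(t, "www.example"))
         for t in (0x9A31, 0x1F07, 0xC4E2, 0x0B5D, 0x77A0, 0xE219)]
RESPONSE = [("192.0.2.1", struct.pack("!HHHHHH", 0x5555, 0x8180, 1, 0, 0, 0))]
SAMPLE = ROUTER + OTHER + RESPONSE

if __name__ == "__main__":
    print(flag_predictable_sources(SAMPLE))
```

A resolver that randomizes TXIDs will occasionally produce a +1 step by chance, which is why the check requires a minimum number of queries and a high ratio before flagging a source.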

Belkin also uses plaintext HTTP to send firmware update information to the N600 routers, a weakness that could enable an attacker in a man-in-the-middle position to block firmware updates or send arbitrary files to the routers. The routers also don’t have a password set for the web management interface by default, so an attacker on the network could get privileged access to the router’s interface.

There is also a global cross-site request forgery bug in the N600.

“Belkin N600 routers contain a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. Note that in default configurations lacking password protection, an attacker can establish an active session as part of an attack and does not require a victim to be logged in,” the advisory says.

Source: https://threatpost.com
