[lacnog] Over a Million Dasan Routers Vulnerable to Remote Hacking

Lucimara Desiderá lucimara en cert.br
Vie Mayo 4 13:56:38 BRT 2018


Over a Million Dasan Routers Vulnerable to Remote Hacking
By Eduard Kovacs on May 02, 2018

Researchers have disclosed the details of two unpatched vulnerabilities
that expose more than one million home routers made by South Korea-based
Dasan Networks to remote hacker attacks.

In a blog post published on Monday, vpnMentor revealed that many
Gigabit-capable Passive Optical Network (GPON) routers, which are used
to provide fiber-optic Internet, are affected by critical
vulnerabilities. The company told SecurityWeek that the impacted devices
are made by Dasan Networks.

One of the flaws, tracked as CVE-2018-10561, allows a remote attacker to
bypass a router’s authentication mechanism simply by appending the
string “?images/” to a URL in the device’s web interface.

The second vulnerability, identified as CVE-2018-10562, allows an
authenticated attacker to inject arbitrary commands.

By combining the two security holes, a remote and unauthenticated
attacker can take complete control of a vulnerable device and possibly
the entire network, vpnMentor said. The company has published a video
showing how the attack works:

A Shodan search shows that there are more than one million GPON home
routers exposed to the Internet, a majority located in Mexico (480,000),
Kazakhstan (390,000), and Vietnam (145,000).

“Depending on what the attacker wants to achieve, he can be spying on
the user and any connected device (TV, phones, PC and even speakers like
Amazon Echo). Also he can inject malware into the browser which means
even when you leave your home network your device would be hacked now,”
Ariel Hochstadt, co-founder of vpnMentor, told SecurityWeek. “If the
hacker is resourceful (government etc) he can enable advanced spear
phishing attacks, and even route criminal activities through exploited
routers (Imagine the FBI knocks on your door telling you they saw
someone in your house using your IP address and selling stolen credit
card numbers on the dark web).”

vpnMentor said it did try to report its findings to Dasan before making
any information public, but it did not receive a response. Dasan
representatives, specifically a PR agency, reached out to vpnMentor on
LinkedIn after its blog post was published.

While in some cases Dasan has shown interest in working with researchers
who discovered vulnerabilities in its products, there are some
advisories online describing potentially critical issues that the vendor
has apparently ignored.

Malicious actors have been known to target Dasan devices. Researchers
reported recently that the Satori botnet had ensnared thousands of Dasan
routers by exploiting a remote code execution vulnerability. The flaw in
question was disclosed in December 2017 by Beyond Security, which
claimed the vendor had ignored repeated attempts to report the issue.

This is not the first time vpnMentor reports finding vulnerabilities in
network devices. Last month, the company disclosed the details of an
unpatched command injection vulnerability that can be exploited to take
control of network-attached storage (NAS) devices from LG.

Más información sobre la lista de distribución LACNOG