Vulnerability Note VU#350135

Various WiMAX routers contain an authentication bypass vulnerability in custom libmtk httpd plugin

Original Release date: 07 Jun 2017 | Last revised: 24 Jul 2017

Overview

WiMAX routers from several vendors making use of a custom httpd plugin for libmtk are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to change the administrator password on the device.

Description

CWE-306: Missing Authentication for Critical Function - CVE-2017-3216

Several WiMAX routers making use of a custom httpd plugin for libmtk (the MediaTek SDK library) are vulnerable to an authentication bypass that allows a remote, unauthenticated attacker to change the administrator password on the device.

An unauthenticated, remote attacker may reset the administrator password by sending a crafted POST request to commit2.cgi that carries the new password in the ADMIN_PASSWD variable; no prior login is required.
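The following detector is an added example written for this note; it is not code from CERT/CC, the reporter or any affected vendor. It assumes that HTTP requests to the router have been captured as raw HTTP/1.x text together with the client address (for instance exported from a packet capture taken in front of the device). The trusted management network and the two sample requests are constructed; the note names commit2.cgi and ADMIN_PASSWD but not the directory the CGI lives in, so the match is on the file name only.

```python
"""Flag the request pattern described in VU#350135 in captured HTTP traffic.

Added example, not code from CERT/CC or any vendor. Assumes requests are
available as (client address, raw HTTP/1.x request) pairs; the trusted
network and the sample requests below are constructed values.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Hypothetical management network from which the web UI may legitimately be reached.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed captures. The first mirrors the pattern in the note (POST to
# commit2.cgi carrying ADMIN_PASSWD, no session credential, Internet source);
# the second is benign LAN traffic.
SAMPLE_REQUESTS = [
    ("203.0.113.7",
     "POST /commit2.cgi HTTP/1.1\r\nHost: router\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 24\r\n\r\n"
     "ADMIN_PASSWD=placeholder"),
    ("192.168.1.20",
     "GET /status.cgi HTTP/1.1\r\nHost: router\r\nCookie: session=placeholder\r\n\r\n"),
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, urlsplit(target).path, headers, body


def classify(client_ip, raw):
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    method, path, headers, body = parse_request(raw)
    findings = []
    # The note names commit2.cgi but not its directory, so match on the file name.
    is_commit = path.endswith("/commit2.cgi")
    trusted = any(ipaddress.ip_address(client_ip) in net for net in TRUSTED_NETS)
    if is_commit and not trusted:
        findings.append("commit2.cgi reached from outside the trusted management network")
    if is_commit and method == "POST" and "ADMIN_PASSWD" in parse_qs(body):
        has_credential = "cookie" in headers or "authorization" in headers
        findings.append("admin password change via ADMIN_PASSWD "
                        + ("with" if has_credential else "without") + " a session credential")
    return findings


def scan(records):
    """Run classify over (client_ip, raw) pairs and keep only the requests with findings."""
    hits = []
    for ip, raw in records:
        findings = classify(ip, raw)
        if findings:
            hits.append((ip, findings))
    return hits


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_REQUESTS):
        print(ip, findings)
```

Because the vulnerable endpoint accepts the password change without a session, the second check deliberately fires whether or not a cookie is present; the session flag is only recorded so an analyst can tell an unauthenticated attempt from a change made through the normal UI.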

The reporter has identified the following router models as being impacted; other models and firmware versions may also be impacted. The reporter notes that some devices have remote administration enabled by default, allowing an internet-based attacker to attempt this exploit.

GreenPacket OX350 (Version: ?)
GreenPacket OX-350 (Version: ?)
Huawei BM2022 (Version: v2.10.14)
Huawei HES-309M (Version: ?)
Huawei HES-319M (Version: ?)
Huawei HES-319M2W (Version: ?)
Huawei HES-339M (Version: ?)
MADA Soho Wireless Router (Version: v2.10.13)
ZTE OX-330P (Version: ?)
ZyXEL MAX218M (Version: 2.00(UXG.0)D0)
ZyXEL MAX218M1W (Version: 2.00(UXE.3)D0)
ZyXEL MAX218MW (Version: 2.00(UXD.2)D0)
ZyXEL MAX308M (Version: 2.00(UUA.3)D0)
ZyXEL MAX318M (Version: ?)
ZyXEL MAX338M (Version: ?)

The MediaTek SDK for device firmware may be customized by downstream vendors. According to MediaTek, the MediaTek SDK does not contain the vulnerable files and so the vulnerability was introduced downstream from the SDK. It is currently unclear at what point in the supply chain this vulnerability was introduced.

For more information, please see the researcher's blog post.

Impact

A remote, unauthenticated attacker may gain administrator access to the device after changing the administrator password on the device with a crafted POST request.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Consider the following workarounds instead.

Restrict network access

Restrict network access to the router web interface to only trusted clients.

Disable WAN device management

Restrict network access to the router web interface from external connections.

Vendor Information

Vendor                 Status         Date Notified   Date Updated
Huawei Technologies    Affected       31 May 2017     08 Jun 2017
ZTE Corporation        Affected       31 May 2017     24 Jul 2017
ZyXEL                  Affected       24 Apr 2017     13 Jun 2017
MediaTek               Not Affected   19 Apr 2017     07 Jun 2017
Green Packet           Unknown        31 May 2017     31 May 2017
MitraStar              Unknown        24 Apr 2017     24 Apr 2017

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group           Score   Vector
Base            10.0    AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal         9.0    E:POC/RL:U/RC:C
Environmental    6.7    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND
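The calculation below is an added example, not CERT/CC's own scoring tool; it works the three CVSS v2 vectors printed above through the v2 formulas to show where 10.0, 9.0 and 6.7 come from. The metric weights are the published CVSS v2 values; the only assumption is the rounding convention, which is stated in the docstring.

```python
"""CVSS v2 scoring worked through for the vector set published in this note.

Added example (not CERT/CC's own calculator). Weights are the CVSS v2
metric values; the vector strings are the ones in the CVSS Metrics table.
"""

# Base metric weights.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}        # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}         # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}        # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}       # Confidentiality / Integrity / Availability impact
# Temporal metric weights.
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}      # Exploitability
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}    # Remediation Level
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}               # Report Confidence
# Environmental metric weights.
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # Collateral Damage Potential
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}            # Target Distribution
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}                      # CR / IR / AR

BASE_VECTOR = "AV:N/AC:L/Au:N/C:C/I:C/A:C"
TEMPORAL_VECTOR = "E:POC/RL:U/RC:C"
ENV_VECTOR = "CDP:ND/TD:M/CR:ND/IR:ND/AR:ND"


def parse_vector(vector):
    """'AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(part.split(":", 1) for part in vector.split("/"))


def impact(m, cr=1.0, ir=1.0, ar=1.0, capped=False):
    """Impact sub-score; the environmental 'AdjustedImpact' variant is capped at 10."""
    raw = 10.41 * (1 - (1 - CIA[m["C"]] * cr) * (1 - CIA[m["I"]] * ir) * (1 - CIA[m["A"]] * ar))
    return min(10.0, raw) if capped else raw


def exploitability(m):
    """Exploitability sub-score = 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]


def base_score(m, imp):
    """BaseScore = ((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact)."""
    f_impact = 0.0 if imp == 0 else 1.176
    return (0.6 * imp + 0.4 * exploitability(m) - 1.5) * f_impact


def cvss2_scores(base_vec=BASE_VECTOR, temporal_vec=TEMPORAL_VECTOR, env_vec=ENV_VECTOR):
    """Return base, temporal and environmental scores rounded to one decimal.

    Intermediate values are carried unrounded and only the three reported
    scores are rounded; this reproduces the 10.0 / 9.0 / 6.7 in the table.
    Rounding the base score to 10.0 before feeding it forward gives an
    environmental score of 6.8 instead.
    """
    b, t, e = parse_vector(base_vec), parse_vector(temporal_vec), parse_vector(env_vec)
    temporal_factor = E[t["E"]] * RL[t["RL"]] * RC[t["RC"]]

    base = base_score(b, impact(b))
    temporal = base * temporal_factor

    adjusted_base = base_score(b, impact(b, REQ[e["CR"]], REQ[e["IR"]], REQ[e["AR"]], capped=True))
    adjusted_temporal = adjusted_base * temporal_factor
    environmental = (adjusted_temporal + (10 - adjusted_temporal) * CDP[e["CDP"]]) * TD[e["TD"]]

    return {"base": round(base, 1),
            "temporal": round(temporal, 1),
            "environmental": round(environmental, 1)}


if __name__ == "__main__":
    print(cvss2_scores())
```

Reading the result against the note: the base score is maximal because the attack is network-reachable, low complexity and needs no credentials, and a successful password reset gives complete control of the device; the temporal score drops only because a proof of concept rather than a weaponised exploit was reported, and the environmental score is then scaled by a medium target distribution with no collateral damage assessed.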

References

Credit

Thanks to Stefan Viehböck, SEC Consult Vulnerability Lab, for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2017-3216
  • Date Public: 07 Jun 2017
  • Date First Published: 07 Jun 2017
  • Date Last Updated: 24 Jul 2017
  • Document Revision: 55

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.