Various WiMAX routers contain an authentication bypass vulnerability in a custom libmtk httpd plugin
Vulnerability Note VU#350135
Original Release Date: 2017-06-07 | Last Revised: 2017-07-24
WiMAX routers from several vendors making use of a custom httpd plugin for libmtk are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to change the administrator password on the device.
CWE-306: Missing Authentication for Critical Function - CVE-2017-3216
Several WiMAX routers making use of a custom httpd plugin for libmtk (the MediaTek SDK library) are vulnerable to an authentication bypass that allows a remote, unauthenticated attacker to change the administrator password on the device.
An unauthenticated, remote attacker may reset the administrator password by sending a crafted POST request to commit2.cgi that carries the new password in the ADMIN_PASSWD POST variable.
The reporter has identified the following router models as being impacted; other models and firmware versions may also be impacted. The reporter notes that some devices have remote administration enabled by default, allowing an internet-based attacker to attempt this exploit.
The MediaTek SDK for device firmware may be customized by downstream vendors. According to MediaTek, the MediaTek SDK does not contain the vulnerable files and so the vulnerability was introduced downstream from the SDK. It is currently unclear at what point in the supply chain this vulnerability was introduced.
For more information, please see the researcher's blog post.
A remote, unauthenticated attacker may gain administrator access to the device after changing the administrator password on the device with a crafted POST request.
The CERT/CC is currently unaware of a practical solution to this problem. Consider the following workarounds instead.
Restrict network access
Restrict network access to the router web interface to only trusted clients.
Disable WAN device management
Restrict network access to the router web interface from external connections.
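The following is an added example, not part of the vulnerability note and not code from any of the vendors named here. It applies the two facts the note gives, the exposed commit2.cgi endpoint and the advice to allow management only from trusted clients, to web-server access logs: every POST to commit2.cgi is reported, and those from outside a trusted range are rated high. The Common Log Format, the trusted network 192.168.1.0/24 and the sample log lines are assumptions constructed for the example; the same check can be run on the log of a firewall or reverse proxy placed in front of the device if the device itself keeps no usable log.

```python
"""Flag POST requests to commit2.cgi in web-server access logs (added example)."""
import ipaddress
import re

# Constructed sample lines in Common Log Format; they are not real device logs.
SAMPLE_LOG = """\
192.168.1.20 - - [07/Jun/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.45 - - [07/Jun/2017:10:00:05 +0000] "POST /cgi-bin/commit2.cgi HTTP/1.1" 200 312
192.168.1.20 - - [07/Jun/2017:10:01:15 +0000] "POST /cgi-bin/commit2.cgi HTTP/1.1" 200 312
198.51.100.7 - - [07/Jun/2017:10:02:00 +0000] "GET /commit2.cgi?x=1 HTTP/1.1" 404 210
not a log line
"""

# Assumption: device management is only expected from this LAN range.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Endpoint named in the vulnerability note.
TARGET_SCRIPT = "commit2.cgi"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip_text, trusted_nets=TRUSTED_NETS):
    """True if the client address lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def script_name(path):
    """Last path segment with any query string removed: '/a/commit2.cgi?x=1' -> 'commit2.cgi'."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1]


def find_commit2_posts(log_text, trusted_nets=TRUSTED_NETS):
    """Return every POST to commit2.cgi, rated 'high' from untrusted sources and 'info' from trusted ones.

    An access log records method, path and source address but not the POST body,
    so the ADMIN_PASSWD parameter itself is not visible here; endpoint plus method
    plus source is the signal available at this layer.
    """
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or script_name(rec["path"]) != TARGET_SCRIPT:
            continue
        rec["severity"] = "info" if is_trusted(rec["ip"], trusted_nets) else "high"
        events.append(rec)
    return events


if __name__ == "__main__":
    for ev in find_commit2_posts(SAMPLE_LOG):
        print(f'{ev["severity"]:4} {ev["ts"]} {ev["ip"]} {ev["method"]} {ev["path"]} {ev["status"]}')
```

Run against the constructed sample, the script reports two events: the POST from 203.0.113.45 as high and the one from the LAN host 192.168.1.20 as info. A POST from a trusted address is still worth review, since the note describes password changes that require no authentication at all, but it is the untrusted-source case that the second workaround (disabling WAN management) is meant to close.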
Based on the investigation, we confirmed that the products mentioned in the report (Huawei BM2022, Huawei HES-309M, Huawei HES-319M, Huawei HES-319M2W, Huawei HES-339M) have reached End of Service (EOS) on June 30, 2015. Huawei has established a lifecycle management system and clarifies the product lifecycle strategy and product termination strategy, implementing lifecycle management in accordance with industry practices.
We are not aware of further vendor information regarding this vulnerability.
No statement is currently available from the vendor regarding this vulnerability.
MediaTek has responded that the vulnerable CGI script is not provided in SDK releases, but that the source code for the httpd plugin is provided to customers for customization. MediaTek therefore believes the vulnerability was introduced by customer(s).