search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Various WiMAX routers contain a authentication bypass vulnerability in custom libmtk httpd plugin

Vulnerability Note VU#350135

Original Release Date: 2017-06-07 | Last Revised: 2017-07-24

Overview

WiMAX routers from several vendors making use of a custom httpd plugin for libmtk are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to change the administrator password on the device.

Description

CWE-306: Missing Authentication for Critical Function - CVE-2017-3216

Several WiMAX routers making use of a custom httpd plugin for libmtk (the MediaTek SDK library) are vulnerable to an authentication bypass that allows a remote, unauthenticated attacker to change the administrator password on the device.

By sending a crafted POST request to commit2.cgi, an unauthenticated, remote attacker may reset the administrator password by sending a new password in the POST ADMIN_PASSWD variable.

The reporter has identified the following model routers as being impacted; other models and firmware versions may also be impacted. The reporter notes that some devices have remote administration enabled by default, allowing an internet-based attacker to attempt this exploit.

GreenPacket OX350 (Version: ?)
GreenPacket OX-350 (Version: ?)
Huawei BM2022 (Version: v2.10.14)
Huawei HES-309M (Version: ?)
Huawei HES-319M (Version: ?)
Huawei HES-319M2W (Version: ?)
Huawei HES-339M (Version: ?)
MADA Soho Wireless Router (Version: v2.10.13)
ZTE OX-330P (Version: ?)
ZyXEL MAX218M (Version: 2.00(UXG.0)D0)
ZyXEL MAX218M1W (Version: 2.00(UXE.3)D0)
ZyXEL MAX218MW (Version: 2.00(UXD.2)D0)
ZyXEL MAX308M (Version: 2.00(UUA.3)D0)
ZyXEL MAX318M (Version: ?)
ZyXEL MAX338M (Version: ?)

The MediaTek SDK for device firmware may be customized by downstream vendors. According to MediaTek, the MediaTek SDK does not contain the vulnerable files and so the vulnerability was introduced downstream from the SDK. It is currently unclear at what point in the supply chain this vulnerability was introduced.

For more information, please see the researcher's blog post.

Impact

A remote, unauthenticated attacker may gain administrator access to the device after changing the administrator password on the device with a crafted POST request.

Solution

The CERT/CC is currently unaware of a practical solution to this problem. Consider the following workarounds instead.

Restrict network access

Restrict network access to the the router web interface to only trusted clients.

Disable WAN device management


Restrict network access to the router web interface from external connections.

Vendor Information

350135
Expand all

Huawei Technologies

Notified:  May 31, 2017 Updated:  June 08, 2017

Statement Date:   June 01, 2017

Status

  Affected

Vendor Statement

Based on the investigation, we confirmed that the products mentioned(Huawei
BM2022,Huawei HES-309M ,Huawei HES-319M ,Huawei HES-319M2W ,Huawei HES-339M)
in the report have reached End of Service (EOS) on June 30, 2015,.Huawei has
established a lifecycle management system and clarifies the product
lifecycle strategy and product termination strategy, implementing lifecycle
management in accordance with industry practices.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.huawei.com/en/psirt/security-notices/huawei-sn-20170608-01-wimax-en

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ZTE Corporation

Notified:  May 31, 2017 Updated:  July 24, 2017

Statement Date:   July 21, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The OX330P is end-of-service (EOS) and is not expected to receive updates. Affected customers should consider the security risks and take appropriate action.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ZyXEL

Notified:  April 24, 2017 Updated:  June 13, 2017

Statement Date:   June 09, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

ZyXEL has released a security advisory about this issue. Affected products are expected to have updates in the June or July 2017 timeframe.

Vendor References

http://www.zyxel.com/support/announcement_vulnerability_cve_2017_3216.shtml

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MediaTek

Notified:  April 19, 2017 Updated:  June 07, 2017

Statement Date:   May 15, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

MediaTek has responded that the vulnerable cgi script is not provided in SDK releases, but the source code for the httpd plugin is provided to customers for customization. MediaTek therefore believes the vulnerability was introduced by customer(s).

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Green Packet

Notified:  May 31, 2017 Updated:  May 31, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MitraStar

Notified:  April 24, 2017 Updated:  April 24, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 9.0 E:POC/RL:U/RC:C
Environmental 6.7 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Stefan Viehböck, SEC Consult Vulnerability Lab, for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2017-3216
Date Public: 2017-06-07
Date First Published: 2017-06-07
Date Last Updated: 2017-07-24 16:14 UTC
Document Revision: 55

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.