Can you explain this vulnerability to me?

This vulnerability exists in Tenda W3002R/A302/W309R wireless routers version V5.07.64_en. It is a cookie session weakness that allows unauthenticated attackers to modify DNS settings. The issue arises from insufficient session validation, enabling attackers to send specially crafted GET requests to the /goform/AdvSetDns endpoint with a manipulated admin language cookie. This lets them change the primary and secondary DNS servers configured on the router.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

The vulnerability can have a severe impact as attackers can redirect your internet traffic by changing the DNS servers to malicious ones. This can lead to interception of sensitive data, phishing attacks, and exposure to malicious websites without your knowledge. Since the attack requires no authentication, it can be exploited remotely and easily, potentially compromising the confidentiality, integrity, and availability of your network communications.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring network traffic for unauthorized GET requests to the /goform/AdvSetDns endpoint on Tenda W3002R/A302/W309R wireless routers running version V5.07.64_en.

Specifically, look for GET requests containing a crafted admin language cookie attempting to modify DNS settings.

Commands to detect such activity might include using network packet capture tools like tcpdump or Wireshark to filter HTTP GET requests to the vulnerable endpoint.

• tcpdump -i <interface> 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
• Use Wireshark to filter HTTP requests with the filter: http.request.method == "GET" and http.request.uri contains "/goform/AdvSetDns"

Useful 0 Not Useful 0

Can you explain this vulnerability to me?

The vulnerability affects Tenda W3002R, A302, and W309R wireless routers running firmware version V5.07.64_en. It is a cookie session weakness that allows unauthenticated attackers to bypass authentication by exploiting insufficient session validation.

Attackers can send specially crafted GET requests to the /goform/AdvSetDns endpoint with a manipulated admin language cookie. This enables them to change the router's primary and secondary DNS server settings.

By changing DNS settings, attackers can redirect user traffic to malicious DNS servers, potentially intercepting and manipulating network traffic without any authentication.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can have severe impacts as it allows attackers to redirect all DNS queries from the affected routers to malicious DNS servers.

• Users' internet traffic can be intercepted and manipulated.
• Attackers can perform phishing attacks by redirecting users to fake websites.
• There is a risk of ad replacement and exposure to malware infections.
• Since no authentication is required, the attack can be executed remotely and easily.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the router's DNS settings have been altered without authorization or by monitoring for suspicious GET requests to the /goform/AdvSetDns endpoint containing manipulated admin language cookies.

A practical approach is to capture and analyze HTTP traffic to the router's web interface for unusual requests targeting /goform/AdvSetDns.

For example, using curl or similar tools, you can attempt to replicate the exploit request to see if the router accepts DNS changes without authentication.

• curl -v --cookie "admin_lang=manipulated_value" "http://<router_ip>/goform/AdvSetDns?primaryDns=8.8.8.8&secondaryDns=8.8.4.4"
• Monitor network traffic with tools like Wireshark or tcpdump to detect GET requests to /goform/AdvSetDns with suspicious cookies.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the router's web interface to trusted networks only and monitoring for unauthorized DNS changes.

If possible, update the router firmware to a version that patches this vulnerability.

As a temporary measure, reset the router to factory settings and change default credentials to prevent unauthorized access.

Additionally, consider blocking or filtering HTTP requests to the /goform/AdvSetDns endpoint at the network perimeter to prevent exploitation.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows unauthenticated attackers to modify DNS settings on affected Tenda routers, redirecting user traffic to malicious DNS servers. Such unauthorized redirection can lead to interception and manipulation of sensitive data transmitted over the network.

Because attackers can intercept and manipulate network traffic without authentication, this poses a significant risk to the confidentiality and integrity of user data. This risk can impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and tampering.

Specifically, the vulnerability could lead to data breaches or exposure of personal health information or other regulated data, thereby violating the security requirements mandated by these standards.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the router's administrative interface to trusted networks only.

Additionally, monitor and block unauthorized GET requests to the /goform/AdvSetDns endpoint.

If possible, update the router firmware to a version that addresses this cookie session weakness vulnerability.

As a temporary measure, consider resetting DNS settings to known safe values and changing any default credentials.

Useful 0 Not Useful 0