Detection Guidance

This vulnerability can be detected by monitoring network traffic for unauthorized GET requests to the /goform/AdvSetDns endpoint that include crafted admin cookies. Such requests indicate attempts to modify DNS settings without proper authentication.

You can use network traffic analysis tools like tcpdump or Wireshark to capture and filter HTTP GET requests targeting the /goform/AdvSetDns path.

• Example tcpdump command to capture suspicious HTTP GET requests: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'GET /goform/AdvSetDns'
• Use web server logs or proxy logs to search for GET requests to /goform/AdvSetDns with unusual or unauthorized cookie values.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in the Tenda FH303/A300 firmware version V5.07.68_EN. It is a session weakness that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation.

Attackers can send specially crafted GET requests to the /goform/AdvSetDns endpoint using a forged admin cookie, which enables them to change the DNS servers configured on the device.

By doing so, attackers can redirect user traffic to malicious sites.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows attackers to redirect your internet traffic to malicious websites without your knowledge.

Such redirection can lead to phishing attacks, malware infections, data theft, or other malicious activities.

Since the attack requires no authentication and can be performed remotely, it poses a high risk to the security and privacy of users relying on the affected device.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the /goform/AdvSetDns endpoint to trusted users only and implementing proper cookie validation to prevent unauthorized modification of DNS settings.

If possible, update the firmware of the Tenda FH303/A300 device to a version that addresses this session weakness vulnerability.

As a temporary measure, monitor and block suspicious GET requests to the vulnerable endpoint at the network perimeter using firewall or intrusion detection/prevention systems.

Useful 0 Not Useful 0

Executive Summary

CVE-2018-25318 is a critical vulnerability in Tenda FH303/A300 routers running firmware version 5.07.68_EN. It involves a session weakness caused by insufficient cookie validation, which allows unauthenticated attackers to bypass authentication.

Attackers can send specially crafted GET requests to the /goform/AdvSetDns endpoint with a fake admin cookie to modify the router's DNS settings remotely.

This manipulation enables attackers to redirect user traffic to malicious DNS servers, potentially leading users to harmful websites.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthenticated attackers to modify DNS settings and redirect user traffic to malicious sites, potentially intercepting or altering network communications.

Such unauthorized redirection and interception of network traffic can lead to exposure or compromise of sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA.

Therefore, the vulnerability poses a risk to maintaining confidentiality and integrity of data, which are core compliance requirements in these regulations.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts on users of affected Tenda FH303/A300 routers.

• Attackers can redirect your internet traffic to malicious sites, exposing you to phishing, malware, or other cyber threats.
• It can replace legitimate advertisements with malicious ones.
• It can block access to software updates, preventing important security patches.
• The vulnerability can facilitate further malware infections by intercepting or altering network communications.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring network traffic for suspicious GET requests to the /goform/AdvSetDns endpoint on Tenda FH303/A300 routers running firmware version 5.07.68_EN.

Specifically, look for HTTP GET requests containing a crafted or fake admin cookie attempting to modify DNS settings.

Commands to detect such activity could include using network packet capture tools like tcpdump or Wireshark to filter HTTP requests to the router's IP address and the specific endpoint.

• tcpdump -i <interface> -A 'tcp port 80 and host <router_ip> and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/goform/AdvSetDns'
• Use Wireshark to filter HTTP GET requests to /goform/AdvSetDns and inspect cookies for suspicious or forged admin cookie values.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the router's web interface from untrusted networks to prevent remote exploitation.

Disable remote management if enabled, so that only local network users can access the router's administration panel.

Monitor and block suspicious HTTP requests attempting to access /goform/AdvSetDns with forged cookies.

If possible, update the router firmware to a version that addresses this vulnerability or contact the vendor for a patch.

Useful 0 Not Useful 0