In January 2024, while conducting routine security assessments, our team stumbled upon a critical vulnerability in the Tenda N300 F3 Router. Recognizing the potential impact on user security, we promptly reached out to Tenda to report our findings and provide detailed documentation of the issue.
The report outlined how the vulnerability allowed for unauthorized access due to a password policy bypass flaw. With each passing day, our concern grew as we awaited a response from Tenda, eager to see action taken to address the issue and protect users from potential exploitation.
Timeline:
- Initial Contact: 22/01/2024 – Report submitted to Tenda, outlining the vulnerability.
- Vendor Revert: 23/01/2024 – Acknowledgment received from Tenda.
- Follow-up Contact 2: 31/01/2024 – First follow-up communication with Tenda.
- Follow-up Contact 3: 12/02/2024 – Second follow-up communication with Tenda.
- Follow-up Contact 4: 19/02/2024 – Third follow-up communication with Tenda.
- Follow-up Contact 5: 28/02/2024 – Continued follow-up communication with Tenda.
- Follow-up Contact 6: 01/04/2024 – Persistent efforts to engage with Tenda.
- Follow-up Contact 7: 22/04/2024 – Final attempts to contact Tenda before considering public disclosure.
Vulnerability Overview
The Tenda N300 F3 router is facing a critical vulnerability related to a password policy bypass. This flaw enables users to set weak passwords that do not meet the necessary security standards, potentially compromising the integrity of the network. Similar to leaving a door ajar, this vulnerability opens the possibility of unauthorized access to the router and its connected devices. Urgent action is needed to address this issue and reinforce network security measures.
Impact
The vulnerability in the Tenda N300 F3 router due to insecure passwords poses a serious risk, allowing unauthorized access and potential network manipulation. This flaw opens avenues for malicious actors to breach networks, potentially leading to data exposure and manipulation. Immediate action is imperative to mitigate this risk, including implementing strong, unique passwords and promptly applying firmware updates to address underlying security flaws.
Proactive monitoring and security measures are essential to detect and respond to unauthorized access attempts, safeguarding against potential threats and mitigating the impact of this vulnerability on network security.
Vulnerability Description
The vulnerability in the Tenda N300 F3 router allows users to bypass its password policy enforcement mechanism and create passwords that don’t meet security standards. The length restriction is reported by the Administration page, but a password-change request whose “newPwd” value has been altered in transit is still accepted by the router. This flaw weakens router security, enabling unauthorized access to its administrative interface or network. Attackers could exploit this to intercept data, manipulate configurations, or launch further attacks. To mitigate risks, immediate action is needed to enforce strong password policies, apply firmware updates, and enhance network monitoring.
Proof-of-Concept
Steps to Recreate
1. Begin by powering on the router and connecting it to a computer with an Ethernet cable. Once the connection is established, access the router’s admin console by entering the IP address 192.168.0.1 into a web browser, then navigate to the Administration panel.
2. In the Administration panel, attempting to set a single-digit password produces an error message stating that passwords must be between 5 and 32 characters in length.
3. Conversely, when attempting to update the password to “Password1”, no error message appears.
4. Now, in Burp Suite, set intercept to on.
5. Press the “OK” button located on the Administration page to proceed with the request.
6. In the request, it’s evident that the “newPwd” field contains the new password, encoded in base64. You can decode it using the decoder in Burp Suite.
7. Encode the value “1” using base64 encoding.
8. Substitute the current value in the “newPwd” field with this newly encoded value, then proceed by clicking “Forward.”
9. Upon attempting to log in to the admin console at 192.168.0.1, successful access is achieved. This indicates that the password policy, which restricts the setting of passwords to a minimum of 5 characters, has been bypassed by setting a password with only 1 character.
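The steps above show the 5 to 32 character rule being reported by the Administration page while the altered request is still accepted, so the same rule has to be applied to the decoded “newPwd” value on the device. The following C sketch is an added example, not Tenda firmware code: `validate_new_pwd`, `b64_decode` and `b64_val` are hypothetical names, and the printable-ASCII restriction is an assumption beyond what the page states.

```c
#include <stdio.h>
#include <string.h>
#define PWD_MIN 5   /* limits quoted in the router's own error message */
#define PWD_MAX 32
/* Map one base64 character to its 6-bit value, or -1 if it is not in the alphabet. */
static int b64_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Strictly decode padded base64; returns the decoded length, or -1 on any error. */
static int b64_decode(const char *in, unsigned char *out, size_t cap) {
    size_t len = strlen(in), n = 0;
    if (len == 0 || len % 4 != 0) return -1;
    for (size_t i = 0; i < len; i += 4) {
        int v[4], pad = 0;
        for (int j = 0; j < 4; j++) {
            char c = in[i + j];
            if (c == '=') {            /* padding: last group, positions 2-3 only */
                if (i + 4 != len || j < 2) return -1;
                v[j] = 0; pad++;
            } else if (pad || (v[j] = b64_val(c)) < 0) return -1;
        }
        unsigned long w = ((unsigned long)v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3];
        size_t bytes = 3 - (size_t)pad;
        if (n + bytes > cap) return -1;
        for (size_t k = 0; k < bytes; k++)
            out[n++] = (unsigned char)(w >> (16 - 8 * k));
    }
    return (int)n;
}

/* Hypothetical handler-side check: 0 if the submitted newPwd is acceptable, else -1. */
int validate_new_pwd(const char *new_pwd_b64) {
    unsigned char pwd[PWD_MAX + 3];    /* room to detect over-long input */
    int n = new_pwd_b64 ? b64_decode(new_pwd_b64, pwd, sizeof pwd) : -1;
    if (n < PWD_MIN || n > PWD_MAX) return -1;
    for (int i = 0; i < n; i++)        /* printable ASCII only (assumed policy) */
        if (pwd[i] < 0x20 || pwd[i] > 0x7e) return -1;
    return 0;
}

int main(void) {                       /* constructed sample values */
    printf("MQ== -> %d\n", validate_new_pwd("MQ=="));
    printf("UGFzc3dvcmQx -> %d\n", validate_new_pwd("UGFzc3dvcmQx"));
    return 0;
}
```

A password-change handler would call this check before storing anything and reject the request on a non-zero result, regardless of what the browser-side form already validated.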
TL;DR
In conclusion, the discovery of the Tenda N300 F3 Router Password Policy Bypass Vulnerability underscores the critical importance of robust security measures in network devices. This vulnerability exposes users to potential unauthorized access, putting their sensitive information at risk. Tenda must take urgent action to address this flaw promptly through firmware updates or other mitigation strategies. Additionally, users should remain vigilant by regularly updating their router’s firmware and implementing strong, unique passwords to enhance their network security posture.
Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. If you are looking to improve your organization’s security posture, contact us today to discuss your security testing needs. Our team of security professionals can help you identify vulnerabilities and weaknesses in your systems and provide recommendations to remediate them.