External risk intelligence

Tenda routers let attackers redirect users to malicious sites

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2018-25316

Tenda routers have a critical flaw allowing attackers to hijack your internet traffic by changing DNS settings without needing a password. This could send you to fake websites.

4Halo Surface Signal

Tenda W308r Firmware

5.07.48

External exposure likelihood

Halo Surface Signal score for CVE-2018-25316

The vulnerability affects the management interface of a network router, which operates as an internet-facing gateway. These devices are frequently deployed with remote management features enabled or misconfigured, making the specific administration endpoint accessible from the public internet, which aligns with common exposure patterns for such home networking equipment.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A weakness in Tenda W308R routers allows unauthenticated attackers to change DNS settings. This could redirect users to malicious websites, compromising their internet traffic.

  • Attackers can modify DNS settings.
  • Redirects users to malicious sites.
  • Requires no authentication to exploit.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can gain control of a Tenda W308R v2 router by exploiting a session validation flaw in its cookie handling. By sending a crafted GET request with a manipulated admin language cookie to the specific endpoint, an attacker can alter the router's DNS settings. This allows them to redirect all network traffic through malicious DNS servers, facilitating man-in-the-middle attacks.

  • Attackers exploit router's admin interface.
  • Requires sending crafted HTTP requests.
  • Targets insufficient session validation.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a clear path for attackers to hijack user traffic by manipulating DNS settings. The ease of exploitation, with unauthenticated access via crafted requests, makes it a potentially attractive target for widespread disruption or credential harvesting. The core issue is insufficient session validation on a critical administrative function.

  • Publicly available exploit code exists.
  • The vulnerability affects a router's management interface.
  • Exploitation allows for DNS hijacking.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Tenda W308R v2 firmware version 5.07.48 to address the cookie session weakness that allows unauthenticated DNS hijacking. If immediate patching is not feasible, isolate affected devices from the network to prevent traffic redirection and monitor for any unauthorized DNS requests.

  • Apply firmware update 5.07.48 or later.
  • Block access to the `goform/AdvSetDns` endpoint.
  • Monitor network traffic for suspicious DNS queries.

Frequently asked questions

What is the Tenda W308R router and its primary function in a home or small office network environment?

The Tenda W308R is a wireless router designed to provide internet access and facilitate network connectivity for homes and small offices. Its main purpose is to enable multiple devices to connect to the internet wirelessly and share a single internet connection among them.

What is CVE-2018-25316 and what specific weakness class does it represent in Tenda W308R v2 firmware version 5.07.48?

CVE-2018-25316 describes a cookie session weakness affecting Tenda W308R v2 firmware version 5.07.48. This type of vulnerability (CWE-290) allows unauthenticated attackers to bypass security controls by manipulating session tokens or cookies.

How can an attacker exploit the cookie session weakness in the Tenda W308R router to modify DNS settings?

An attacker can exploit this vulnerability by sending specially crafted GET requests to the `goform/AdvSetDns` endpoint. By including a manipulated 'admin language' cookie in these requests, the attacker can bypass session validation and alter the router's DNS settings without needing any prior authentication.

What is the potential impact of CVE-2018-25316 on users connected to an affected Tenda W308R router, and how is it relevant?

If exploited, this vulnerability allows attackers to redirect all user traffic to malicious DNS servers. This redirection can lead to man-in-the-middle attacks, credential harvesting, or the distribution of malware, severely compromising user privacy and security. The Halo Surface Signal score of 4 ('Likely') indicates a significant risk due to the nature of the affected device and its management interface.

What practical steps can be taken to address the Tenda W308R vulnerability and protect against DNS hijacking?

To mitigate this risk, it is crucial to update the Tenda W308R v2 firmware to version 5.07.48 or a later release. If immediate patching isn't possible, consider blocking access to the `goform/AdvSetDns` endpoint and actively monitor network traffic for any unusual or suspicious DNS requests.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified