External risk intelligence

Tenda routers can be hijacked to redirect traffic by attackers.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2018-25317

Tenda routers have a flaw allowing anyone to change your internet's destination, sending you to fake sites instead of where you want to go. This affects devices often left exposed online.

4Halo Surface Signal

Tenda W3002r Firmware

5.07.64_en

External exposure likelihood

Halo Surface Signal score for CVE-2018-25317

The vulnerability resides in the web management interface of SOHO routers, which act as network gateways. These devices are positioned at the internet edge, and their management interfaces are frequently exposed to the public internet through default configurations or remote administration settings, making this attack surface commonly reachable from the public internet.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Tenda wireless routers allows attackers to change the device's DNS settings without needing to log in. This could redirect users to malicious websites, potentially compromising their online activities.

  • Attackers can control where users go online.
  • Network gateways are vulnerable.
  • The issue is easily exploitable.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending a crafted GET request to the router's web interface. This request targets the DNS settings endpoint, leveraging an insufficient session validation flaw in the cookie handling. By manipulating the cookie, an attacker can redirect all network traffic through their chosen DNS servers.

  • Attacker sends malicious request.
  • Targets router DNS settings.
  • Unauthenticated access required.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Tenda routers allows unauthenticated attackers to redirect user traffic by modifying DNS settings via crafted cookie requests. Attackers are likely to target this vulnerability because it affects devices at the network edge, often with exposed management interfaces, enabling widespread redirection and potentially facilitating further attacks.

  • Publicly available exploit code exists.
  • The vulnerability impacts devices with commonly exposed interfaces.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate investigation of Tenda W3002R, A302, and W309R routers, specifically firmware version V5.07.64_en, for unauthorized DNS modification. Given the critical severity and public exploit availability, isolate or take affected devices offline if they are internet-facing and cannot be immediately patched or secured.

  • Block access to `/goform/AdvSetDns` endpoint.
  • Monitor network traffic for DNS changes.
  • Update router firmware to a secure version.

Frequently asked questions

What are Tenda W3002R/A302/W309R routers and their firmware version V5.07.64_en used for?

Tenda W3002R, A302, and W309R routers are wireless networking devices designed for home and small office use. They provide internet connectivity and manage local network traffic. Firmware version V5.07.64_en is specifically mentioned in relation to a security vulnerability found in these models.

What is the weakness described by CVE-2018-25317 in Tenda routers?

CVE-2018-25317 describes a cookie session weakness. This means the router does not properly validate user sessions when handling cookies, allowing unauthenticated attackers to modify DNS settings.

How can an attacker exploit the Tenda router vulnerability to modify DNS settings?

An attacker can exploit this by sending a crafted GET request to the `/goform/AdvSetDns` endpoint. By manipulating the `admin language` cookie, they can bypass session validation and change the primary and secondary DNS servers.

What is the relevance of CVE-2018-25317 for network security?

This vulnerability is relevant because it affects network gateways often exposed to the internet. Attackers can hijack these routers to redirect user traffic to malicious DNS servers, potentially compromising online activities. Halo Surface Signal assesses the likelihood of exploitation as 'Likely'.

What practical steps should be taken to address the Tenda router vulnerability?

Organizations should investigate Tenda W3002R, A302, and W309R routers with firmware V5.07.64_en for unauthorized DNS modification. If devices are internet-facing and cannot be immediately secured, consider isolating them. Blocking access to the `/goform/AdvSetDns` endpoint and monitoring for DNS changes are recommended. Updating firmware to a secure version is the ultimate fix.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified