External risk intelligence

Tenda routers can be hijacked to send users to fake websites

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2018-25318

An external attacker can exploit a flaw in Tenda FH303/A300 routers to manipulate internet traffic routing without needing a password. This allows them to redirect users to malicious websites, creating a significant risk of credential theft and the compromise of sensitive data.

3Halo Surface Signal

Tenda Fh303 Firmware

5.07.68_en

External exposure likelihood

Halo Surface Signal score for CVE-2018-25318

The vulnerability affects the web management interface of a consumer router. While these devices sit at the network edge, the management interface is typically intended for local administrative access. Exposure to the public internet generally results from misconfiguration or specific remote management settings rather than being a public-facing service by design.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A session weakness in Tenda router firmware allows unauthenticated attackers to change DNS settings. This can redirect user traffic to malicious websites, impacting the integrity of the network.

  • Unauthenticated attackers can exploit this.
  • Traffic can be rerouted to malicious sites.
  • Affects consumer router firmware.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this flaw by sending a crafted GET request to the device's web interface to change DNS settings. This allows them to redirect users to malicious websites without any authentication.

  • No authentication required.
  • Targets router DNS settings.
  • Redirects user traffic.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to alter DNS settings on Tenda routers, potentially redirecting user traffic. While it has been publicly known for some time, there is no strong indication of widespread active exploitation currently.

  • Public exploit available.
  • No recent exploitation signals.
  • Affects consumer devices.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate containment and monitoring for Tenda FH303/A300 routers running firmware v5.07.68_EN due to a critical vulnerability allowing unauthenticated DNS hijacking. Since a specific patch is not readily available, focus on preventing unauthorized access and detecting malicious network activity.

  • Block known malicious IPs/domains.
  • Monitor DNS traffic for anomalies.
  • Restrict web interface access.

Frequently asked questions

What is Tenda FH303/A300 firmware and what function does it serve?

Tenda FH303/A300 firmware is the operating software for Tenda FH303 and A300 routers, commonly used in homes and small offices to provide internet access and manage local networks. This specific firmware version, V5.07.68_EN, contains a critical security flaw.

What type of vulnerability is CVE-2018-25318 and how does it affect Tenda routers?

CVE-2018-25318 is a session weakness vulnerability (CWE-290). It allows unauthenticated attackers to modify the router's DNS settings by exploiting insufficient cookie validation, potentially leading to traffic redirection to malicious sites.

How can an attacker exploit the CVE-2018-25318 vulnerability on Tenda routers?

An attacker can trigger this vulnerability by sending a specially crafted GET request to the router's web interface, specifically targeting the /goform/AdvSetDns endpoint. By manipulating the admin cookie, they can change the DNS servers without needing any prior authentication.

What is the relevance of CVE-2018-25318 given its exposure and current threat landscape?

The vulnerability is classified as external due to its network attack vector. While publicly known with exploit details available, current indicators do not suggest widespread active exploitation, though the potential for misuse remains.

What steps should be taken to respond to the Tenda router vulnerability?

Given the lack of a specific patch for firmware v5.07.68_EN, focus on containment and monitoring. Restrict access to the router's web interface, monitor DNS traffic for anomalies, and block any identified malicious IP addresses or domains to prevent unauthorized traffic redirection.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified