Asus, Lenovo and Other Routers Riddled with Remotely Exploitable Bugs
New research by Independent Security Evaluators has uncovered a total of 125 security vulnerabilities in small office/home office (SOHO) routers and network-attached storage (NAS) devices. The researchers tested 13 devices in total, from vendors including Asus, Lenovo and Netgear. The report warns that all of the devices under scrutiny “had at least one web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi) that could be leveraged by an attacker to get remote access to the device’s shell or gain access to the device’s administrative panel.”
The researchers were able to obtain root (system-level) access on 12 of the 13 devices, 6 of which could be “remotely exploited without authentication: The Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.” After the researchers disclosed the flaws, most vendors took steps to mitigate the issues. However, three vendors have so far failed to address the vulnerabilities: Drobo, Buffalo Americas and Zioncom Holdings.