Automated analysis discovers vulnerabilities in router firmware
Researchers from Carnegie Mellon University and Boston University have discovered vulnerabilities in routers from Netgear and D-Link using an automated analysis system called Firmadyne. The researchers examined nearly 9,500 firmware images.
In total, the researchers collected about 23,000 firmware images from 42 different manufacturers of devices with embedded firmware. Of the 9,486 images Firmadyne could analyse, it determined that 887 were vulnerable to at least one of 74 known exploits. In addition, the researchers found 14 previously unknown exploits in 69 firmware images used across 12 products.
The framework automatically runs Linux-based firmware designed for embedded devices in an emulated environment. Firmadyne then performs a number of security tests, including tests for known exploits.
Some of the vulnerabilities were found in Netgear and D-Link devices. The model numbers of these devices have been disclosed separately by the authors of the paper on Seclist.org. The researchers notified both Netgear and D-Link, but have so far received a response only from Netgear. Netgear will release a firmware update for the WN604 wireless access point at the end of February; the other devices will not receive an update before mid-March.
Some of Netgear’s devices are vulnerable to an SQL injection flaw, CVE-2016-1555. The vulnerabilities mainly affect devices that are configured so that they can be managed over the internet. The affected Netgear devices bear the model numbers WN604, WN802Tv2, WNAP210, WNAP320, WNDAP350, and WNDAP360. With the exception of the WN802Tv2, these devices and the WNDAP930 also serve web pages that can be accessed without authentication, which exposes the WPS PIN.
The vulnerable D-Link devices are the DAP-2310, DAP-2330, DAP-2360, DAP-2553, DAP-2660, DAP-2690, and DAP-2695. These devices suffer from a buffer overflow vulnerability when the dlink_uid cookie is processed. Three other D-Link devices and three from Netgear expose wireless passwords over SNMP. These are the DAP-1353, DAP-2553, DAP-3520, WNAP320, WNDAP350, and WNDAP360.
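One check a defender can run while waiting for patched firmware is to scan web access logs for dlink_uid cookie values that are far longer than a legitimate session token, or that fall outside the expected token alphabet. The script below is an added example, not code from the paper or from D-Link; the simplified log format, the sample request lines and the 64-character threshold are all constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample request lines in a simplified "client method path cookie-header"
# log format (not from the paper or any real device); the last line carries an
# oversized cookie value of the kind an overflow of a dlink_uid handler would need.
SAMPLE_REQUESTS = [
    '192.0.2.10 GET /index.php "Cookie: dlink_uid=ab12cd34ef56"',
    '192.0.2.11 GET /status.php "Cookie: lang=en; dlink_uid=0f1e2d3c4b5a"',
    '192.0.2.12 GET /index.php "Cookie: lang=en"',
    '203.0.113.7 GET /index.php "Cookie: dlink_uid=' + "A" * 600 + '"',
]

# Assumed defender-chosen threshold: the access points hand out short session
# tokens, so anything far longer is not a legitimate value. Not from the advisory.
MAX_UID_LEN = 64

COOKIE_RE = re.compile(r'"Cookie: ([^"]*)"')


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie header value into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def flag_oversized_uid(lines: List[str], max_len: int = MAX_UID_LEN) -> List[Dict]:
    """Return one finding per request whose dlink_uid cookie is longer than
    max_len or contains characters outside the expected alphanumeric token set."""
    findings = []
    for line in lines:
        m = COOKIE_RE.search(line)
        if not m:
            continue  # request carried no Cookie header
        uid = parse_cookies(m.group(1)).get("dlink_uid")
        if uid is None:
            continue  # cookie present but no dlink_uid value to check
        too_long = len(uid) > max_len
        bad_chars = re.fullmatch(r"[A-Za-z0-9]*", uid) is None
        if too_long or bad_chars:
            findings.append({"client": line.split()[0], "length": len(uid),
                             "reason": "length" if too_long else "charset"})
    return findings


if __name__ == "__main__":
    for finding in flag_oversized_uid(SAMPLE_REQUESTS):
        print(finding)
```

Only the request from 203.0.113.7 is reported; the two normal-length tokens and the request without a dlink_uid cookie pass.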
Firmadyne has been released as an open-source project on GitHub, alongside a research paper titled “Towards Automated Dynamic Analysis for Linux-based Embedded Firmware”. Of the 887 vulnerable firmware images, most came from Netgear and D-Link. Other brands with images in which Firmadyne found exploitable vulnerabilities include Belkin, Huawei, Linksys, On Networks, Tomato by Shibby, TP-Link, TRENDnet, and ZyXEL. For the full list, see page 16 of the paper.