BreachExchange mailing list archives

TRENDnet Devices Bundle Infamous scfgmgr Service


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 11 Jan 2016 17:42:21 -0700

https://www.linkedin.com/pulse/trendnet-devices-bundle-infamous-scfgmgr-service-jake-kouns?trk=hp-feed-article-title-publish

Earlier this month, our research team at Risk Based Security encountered an
older TRENDnet N300 Wireless Hot Spot Access Point (TEW-636APB) and decided
to extract the firmware to take a closer look at it. For those who do not
recall, TRENDnet is the vendor that was slapped by the FTC in 2014.

Under the terms of the settlement with the Commission, TRENDnet was:

- prohibited from misrepresenting the security of its cameras
- required to establish a comprehensive information security program
designed to address security risks that could result in unauthorized access
- required to obtain third-party assessments of its security programs every
two years for the next 20 years.
- required to notify customers of security issues and updates available to
correct any flaw

This settlement was an attempt to ensure that TRENDnet improved the
security of their products. It should be noted, however, that their devices
were not really in any worse shape than what we regularly see from many
device vendors.

When looking at the firmware, we immediately spotted that the device on
boot launches the infamous scfgmgr service, which basically acts as a
backdoor into the device. The service has previously been reported in
various devices from primarily NETGEAR, Cisco, and Linksys. It was,
therefore, interesting to also find it in a product from TRENDnet and
raised the question "How many TRENDnet models are affected?", especially
when considering the FTC case.

To answer the question, we wrote a tool to download all available firmware
images from TRENDnet (a total of 924), unpack and extract them using
Binwalk, and then search for the presence of the scfgmgr service.
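The last step of that pipeline, checking an unpacked image for the service, is the part a defender can reproduce against a single device's firmware. The script below is an added example and not Risk Based Security's tool: it takes a directory such as the one `binwalk -e firmware.bin` produces, reports any file named `scfgmgr`, and also looks for boot-time scripts under `etc/` that start it, since the article's finding is that the device launches the service on boot. The sample tree it builds for the demonstration (paths, the fake ELF header, the `rcS` contents) is constructed for illustration and does not come from any real TRENDnet image.

```python
"""Audit an extracted firmware tree for the scfgmgr service.

Added example, not the RBS firmware-scanning tool. Given a directory
produced by e.g. `binwalk -e firmware.bin`, it reports
  1. any file whose basename is `scfgmgr`, and
  2. any non-comment line in a script under etc/ that references it,
     i.e. evidence the service is launched at boot.
The sample layout built by build_sample_tree() is constructed.
"""
import os
import re
import tempfile

SERVICE_NAME = "scfgmgr"
# Assumption: boot scripts live somewhere under etc/ (init.d, rc.d, rcS, ...).
# Real layouts differ per vendor, so the whole etc/ subtree is walked.
BOOT_SCRIPT_DIR = "etc"
_REF_RE = re.compile(r"\b" + re.escape(SERVICE_NAME) + r"\b")


def find_binaries(root):
    """Relative paths of every file literally named scfgmgr under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == SERVICE_NAME:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def find_boot_references(root):
    """(relative path, line number, line) for script lines that mention the service.

    Comment lines are skipped so a commented-out launcher is not counted as a hit.
    Files are read as text with replacement of undecodable bytes, so binaries
    under etc/ do not abort the scan.
    """
    refs = []
    base = os.path.join(root, BOOT_SCRIPT_DIR)
    if not os.path.isdir(base):
        return refs
    for dirpath, _dirs, files in os.walk(base):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if line.lstrip().startswith("#"):
                            continue
                        if _REF_RE.search(line):
                            refs.append((os.path.relpath(path, root), lineno, line.strip()))
            except OSError:
                continue
    return refs


def audit(root):
    """Summarise the two checks; 'affected' is true if either check fires."""
    binaries = find_binaries(root)
    refs = find_boot_references(root)
    return {"binaries": binaries, "boot_references": refs,
            "affected": bool(binaries or refs)}


def build_sample_tree(with_service=True):
    """Constructed sample: a minimal extracted-firmware layout, with or without
    the service bundled and started from etc/init.d/rcS."""
    root = tempfile.mkdtemp(prefix="fw_")
    os.makedirs(os.path.join(root, "usr", "sbin"))
    os.makedirs(os.path.join(root, "etc", "init.d"))
    rcs_lines = ["#!/bin/sh", "# constructed init script", "httpd &"]
    if with_service:
        with open(os.path.join(root, "usr", "sbin", SERVICE_NAME), "wb") as fh:
            fh.write(b"\x7fELF placeholder")  # constructed, not a real binary
        rcs_lines.insert(2, "/usr/sbin/scfgmgr &")
    with open(os.path.join(root, "etc", "init.d", "rcS"), "w") as fh:
        fh.write("\n".join(rcs_lines) + "\n")
    return root


if __name__ == "__main__":
    import sys
    # Usage: python audit_scfgmgr.py /path/to/_firmware.bin.extracted
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    print(audit(target))
```

Pointing the script at each of the directories binwalk leaves behind is enough to reproduce the article's survey for any set of images you hold; a hit in `boot_references` without a matching entry in `binaries` is worth a second look, since the launcher may be referring to a binary under another name or on a separately packed partition.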

The results were positive, as we only found the service in the latest
firmware images for a few other TRENDnet device models, which all seem to
have been discontinued prior to the FTC case.

Hopefully, use of affected device models in home and enterprise networks is
very limited. Anyone still using one of these should consider replacing
them with a still supported device immediately, or if not able to do so
then at least ensure traffic to the backdoor service is blocked.

It should be noted that the service was previously reported to listen on
TCP port 32764. That is not the case for the TRENDnet devices. A table of
affected devices, firmware versions, and the port that the service listens
on can be found below:



We can’t rule out that other models also were affected at some point and
silently fixed. It’s, therefore, advisable to ensure any used TRENDnet
devices (as with devices in general) regardless of model are running the
latest firmware versions.

If your organization wants an evaluation of a product e.g. internally
developed or used in your IT infrastructure, we can assist with product
assessments as well as conducting network vulnerability assessments and
penetration tests.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
