Information Security News mailing list archives

Vulns out of the box: 12 in 13 small biz network devices terribly insecure by default – research


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 18 Sep 2019 08:41:56 +0000 (UTC)

https://www.theregister.co.uk/2019/09/17/small_office_home_office_network_kit_security/

By Tim Anderson
The Register
17 Sep 2019

A new report has suggested that 12 out of 13 network devices, such as routers and network-attached storage appliances, are vulnerable to hacks that enable "root-privileged access without any authentication".

Security consultants ISE took a look at devices from well-known vendors including Buffalo, Synology, Zyxel, Drobo, Asus, Seagate, Lenovo, QNAP and Netgear. They were evaluated out of the box, including running setup wizards and enabling recommended security features, in order to mimic a "typical use configuration".

The news is not good. "We obtained root shells on 12 of the devices, allowing complete control over the device including 6 which can be remotely exploited without authentication," said the report.

The vulnerabilities discovered are familiar, including buffer overflow (Asus), cross-site scripting (most of them), command injection (most of them), authentication and authorization bypass (Buffalo, Netgear, TerraMaster, Drobo and Totolink), cross-site request forgery (TerraMaster, Zyxel, Totolink, QNAP, Lenovo) and file upload path traversal (Buffalo, TerraMaster, Asus, Seagate, QNAP, Lenovo).

[...]


