0-days found in widely used Belkin router, fixes still unavailable

CERT/CC has issued a warning about several serious zero-day vulnerabilities affecting the popular Belkin N600 routers, and has offered advice on how users can protect themselves until Belkin releases fixes (the company was notified of the vulnerabilities in July).

The flaws can be exploited by attackers to block firmware updates (which are delivered over HTTP), gain privileged access to the device’s web management interface, and perform Cross-Site Request Forgery (CSRF) attacks.

“A remote, unauthenticated attacker may be able to spoof DNS responses to cause vulnerable devices to contact attacker-controlled hosts or induce an authenticated user into making an unintentional request to the web server that will be treated as an authentic request,” researcher Joel Land, who unearthed the flaws, explained.

“A LAN-based attacker can bypass authentication to take complete control of vulnerable devices.”

The vulnerabilities affect Belkin N600 DB Wireless Dual Band N+ routers, model F9K1102 v2 with firmware version 2.10.17 and possibly earlier.

CERT/CC advises users not to allow untrusted hosts to connect to their LAN, not to browse the Internet while the web management interface has an active session in a browser tab, and to use strong passwords for WiFi and for the web management interface.

Even though one of the vulnerabilities is an authentication bypass that lets a LAN-based attacker access the device’s web management interface without knowing the password, a strong password still helps prevent blind guessing attempts that would establish sessions usable for CSRF attacks.

Unfortunately, there are no easy mitigations for the DNS spoofing or firmware over HTTP issues.