Remote access flaws found in popular routers, NAS devices

In almost all tested units, the researchers achieved their goal of obtaining remote root-level access



Security researchers have uncovered a total of 125 security flaws across 13 small office/home office (SOHO) routers and network-attached storage (NAS) devices that may leave them vulnerable to remote attacks.


The devices ranged from units intended for the general public to high-end enterprise-grade devices, according to the research conducted by a US-based company called Independent Security Evaluators (ISE). The experts focused primarily on devices from well-known and reputable vendors, meaning that the problem may ultimately affect millions of units. (The list of the devices and additional details are available here.)


“Today, we show that security controls put in place by device manufacturers are insufficient against attacks carried out by remote adversaries,” reads the study. All devices had been updated to the then-latest firmware and were tested in their out-of-the-box configurations.


Each of the 13 devices was found to contain at least one web application vulnerability such as cross-site scripting, operating system command injection or SQL injection that could be leveraged by an attacker to get remote access to the device’s shell or admin panel. Once compromised, the device may be used as a stepping stone for further attacks inside a home or enterprise network.


Other common flaws included authentication and authorization bypasses. In 12 devices, the researchers reached their goal of obtaining remote root-level access. Six units could be rem ..
