Researchers have discovered many vulnerabilities in over a dozen small office/home office (SOHO) routers and network-attached storage (NAS) devices as part of a project dubbed SOHOpelessly Broken 2.0.
The first SOHOpelessly Broken project started in 2013, when researchers at Independent Security Evaluators (ISE) analyzed several SOHO routers and NAS devices. That project resulted in the discovery of many new vulnerabilities to which 52 CVE identifiers were assigned at the time.
ISE last year decided to conduct another similar assessment to see if and how much IoT security has evolved since then. A total of 13 routers and NAS devices were analyzed as part of the SOHOpelessly Broken 2.0 project, which led to 125 CVEs being assigned to the new vulnerabilities. Results of the research were made public on Monday.
SOHOpelessly Broken 2.0 targeted devices from Buffalo, Synology, TerraMaster, Zyxel, Drobo, ASUS and its subsidiary Asustor, Seagate, QNAP, Lenovo, Netgear, Xiaomi, and Zioncom (TOTOLINK).
The researchers said they identified at least one vulnerability that allowed remote shell access or access to the admin interface in each of the tested products, including cross-site scripting (XSS), OS command injection and SQL injection bugs.
Six of the products were found to have vulnerabilities that can be exploited to gain complete control over a device remotely and without authentication. These products are Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU.
The findings were reported to vendors and most of them promptly responded. The experts said they had some communication issues with Netgear, while Drobo, Buffalo and Zioncom have not responded. It’s worth noting that Buffalo, TerraMaster, Drobo, Zyxel, TOTOLINK and Asustor don’t have vulnerability disc ..
Support the originator by clicking the read the rest link below.
