Vulnerable Powerline Extenders Underline Lax IoT Security

Multiple vulnerabilities have been found in Tenda PA6 Wi-Fi Powerline extender, version 1.0.1.21. This device is part of Tenda’s PH5 Powerline Extender Kit and extends the wireless network through a home’s existing electrical circuitry. The kit, in collaboration with X-Force Red, IBM Security’s team of hackers, aligns with the HomePlug AV2 technology and provides wired speeds up to 1000Mbps.


The first two flaws we discovered could potentially allow a remote attacker to gain complete control over the device. While authentication should provide a layer of security, this is not the case here, as the device is only protected with a weak, default password.


Command injection by authenticated users (CVE-2019-16213)
Post-authentication buffer overflow (CVE-2019-19505)
Pre-authentication denial of service flaw (CVE-2019-19506)

A compromised device can become part of an internet of things (IoT) botnet that launches distributed denial-of-service (DDoS) attacks, be used to pivot to other connected devices, be leveraged to mine for cryptocurrency or be used in various other unauthorized ways.


We have documented these flaws under CVE-2019-16213, CVE-2019-19505 and CVE-2019-19506.


Powerline Comms History in a Nutshell


Since these flaws have to do with a powerline communications device (PLC), let’s begin with a short history that connects powerlines and the internet.


In the world of connected devices, powerline communications carry data on a conductor simultaneously used for electric power transmission. By extension, powerline networking is a techno ..