The researchers Rich Mirch from CRITICALSTART discovered ten vulnerabilities MOFI4500 MoFi Network routers. The expert reported the issues to the vendor in May but some of the flaws have yet to be patched.
Most of the flaws affect the web management interface, some of the vulnerabilities can be exploited by an unauthenticated, remote attacker with access to the web interface to take over the targeted router.
Some of the issues are related to the presence of hardcoded credentials or the use of weak credentials. Probably the most interesting vulnerability is an undocumented backdoor, tracked as CVE-2020-15835, that can be exploited by attackers to gain root access to a router.
“The authentication function contains undocumented code which provides the ability to authenticate as root without having to know the actual root password. An adversary with the private key can remotely authenticate to the management interface as root.” reads the advisory published by the expert. “Technical details are not included at this time because the vendor has not released a patch and disclosing this would provide enough details for the unpatched CVE-2020-15836 Unauthenticated Command Injection.”
The researcher also discovered another undocumented backdoor that resides in the poof.cgi script which can be exploited by an attacker with the private key to reboot the device. An adversary with the private key can remotely reboot the device without having to know the root password.
The vendor has addressed multiple critical vulnerabilities, but in some cases, the proposed fixes introduced other security issues.
“Multiple critical vulnerabilities have been discovered in the MoFi4500 router, an OpenWRT based wireless router that provides Internet access via LTE. The initial vulnerabilities were reported to the vendor and patches were made available however new critical vulnerabilities were subsequently introduced as a result.” continues the report. “Several firmware versions have been released, but some of the vulnerabilities have not been fully patched.”
The vendor has released roughly 10 firmware updates since the vulnerabilities have been reported.
On June 25, Mirch found 14,382 MoFi routers that were exposing their management interface online using the Shodan search engine.
At the time of writing, the number of exposed devices dropped to roughly 6,610.
(SecurityAffairs – hacking, MoFi routers)