FYI...Netis routers - backdoor open
Aug 25, 2014 - "Routers manufactured by Netcore, a popular brand for networking equipment in China, have a wide-open backdoor that can be fairly easily exploited by attackers. These products are also sold under the Netis brand name outside of China. This backdoor allows cybercriminals to easily run arbitrary code on these routers, rendering it vulnerable as a security device. What is this backdoor? Simply put, it is an open UDP port listening at port 53413. This port is accessible from the WAN side of the router. This means that if the router in question has an externally accessible IP address (i.e., almost all residential and SMB users), an attacker from anywhere on the Internet can access this backdoor... This backdoor is “protected” by a single, -hardcoded- password located in the router’s firmware. Netcore/Netis routers appear to all have the -same- password. This “protection” is essentially -ineffective- as attackers can easily log into these routers and users cannot modify or disable this backdoor... In order to determine if their router is vulnerable, users can use an online port scanner... probe at port 53413:
... Users have relatively few solutions available to remedy this issue. Support for Netcore routers by open source firmware like dd-wrt and Tomato is essentially limited; only one router appears to have support at all. Aside from that, the only adequate alternative would be to -replace- these devices."
___Netis Router Backdoor “Patched” but not really
Oct 3, 2014 - "... the ShadowServer Foundation* has been kind enough to scan for IP addresses affected by this vulnerability... the same number of devices were at risk (we note that the number has risen at the time of this writing)... Netis has addressed the vulnerability with a firmware update for the router models vulnerable to the backdoor (downloadable from their official website’s download page**)... instead of removing the code that pertains to the backdoor (which is in essence an open UDP port), the update instead closes the port and hides its controls. What this basically means is that the backdoor is still in the router – just that it’s closed by default, and only someone who already knows about the backdoor itself and has the technical knowledge to open it can access it... The fact that the port is still there means it can still be opened and used for malicious purposes, especially if the attackers manage to get a hold of the password to the router’s web console and can obtain access to the LAN side of the router (via, say, malware on a client PC). It still leaves the router (and the network tied to it) open to attack. It’s like patching up a hole in the wall with a door and then just giving the owner of the house a key to that door – the keys can still be stolen, and the hole can still be used to break into the house.
Should you still update? Yes. We highly recommend installing the update if you still wish to use your Netcore/Netis router, as it does at least give you access control over the port (if you know what you’re doing), and overall makes the router more secure. However, we want to stress that users should also make their router passwords stronger as well -immediately- after applying this update - or, if their routers do not require password access, then for them to activate that feature through the web console and THEN make the password as strong as they can possibly be. Strong password practices include making it as long as the password form allows, as well as using special symbols and numbers along with letters. We will continue to monitor this particular issue and update as necessary."
distinct IPs have responded to our probe..."
- http://atlas.arbor.net/briefs/
High Severity - 28 Aug 2014