The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device.
Five vulnerabilities were discovered. Below are links to the associated technical advisories:
- Technical Advisory: Stored XSS in Web Interface for Trendnet TEW-831DR WiFi router (CVE-2022-30326)
- Technical Advisory: Lack of Current Password Verification for Password/Username Change Feature (CVE-2022-30328)
- Technical Advisory: OS Command Injection in Trendnet TEW-831DR WiFi router (CVE-2022-30329)
- Technical Advisory: CSRF Vulnerability for Trendnet TEW-831DR WiFi router (CVE-2022-30327)
- Technical Advisory: Weak Default Pre-Shared Key for Trendnet TEW-831DR WiFi Router (CVE-2022-30325)
Technical Advisories:
Stored XSS in Web Interface for Trendnet TEW-831DR WiFi router (CVE-2022-30326)
Vendor: Trendnet
Vendor URL: https://www.trendnet.com/
Versions affected: All Versions
System Affected: TEW-831DR
CVE Identifier: CVE-2022-30326
Severity: Medium 5.0
Summary
Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the network pre-shared key field on the web interface is vulnerable to XSS.
Impact
An attacker can use a simple XSS payload to crash the main page of the router web interface.
Details
Stored XSS is a vulnerability related to improper validation of user input and output. In stored XSS the web interface accepts input from the user and stores it for later without proper encoding. A web application that is vulnerable to XSS allows an attacker to send a malicious script to the user.
The example below will crash the basic_conf page and create a popup on the 5G home.htm page:
Recommendation
This issue was fixed on the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.
Lack of Current Password Verification for Password/Username Change Feature (CVE-2022-30328)
Vendor: Trendnet
Vendor URL: https://www.trendnet.com/
Versions affected: All Versions
System Affected: TEW-831DR
CVE Identifier: CVE-2022-30328
Severity: Medium 4.0
Summary
Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the router web interface has an insecure username and password setup.
Impact
A malicious user can change the username and password of the interface.
Details
The username and password setup for the router web interface does not require entering the existing password. An attacker can use CSRF to trick the user to send a request to the web interface to change the username and password of the router.
Recommendation
Trendnet indicated that this CVE will not be fixed at this point. Router owners should logout of the device web interface after use.
OS Command Injection in Trendnet TEW-831DR WiFi router (CVE-2022-30329)
Vendor: Trendnet
Vendor URL: https://www.trendnet.com/
Versions affected: All Versions
System Affected: TEW-831DR
CVE Identifier: CVE-2022-30329
Severity: Medium 6.3
Summary
Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that commands could be injected into the diagnostics field within the web interface.
Impact
An OS injection vulnerability was found within the web interface of the device allowing an attacker with valid credentials to execute arbitrary shell commands.
Details
The web interface has a diagnostics page that uses ping/traceroute. In the host(domain) an attacker can enter an IP with a ; at the end and inject a command to be executed by the device. Using command injection telnetd can be enabled. Telnetd is a remote terminal protocol server.
For example, the following can be entered into the host(domain) to enable telnetd:
192.168.10.02;telnetd
After running the command, any telnet client can be used to login to the root account from the local area network (LAN):
user: root
Password: the admin password
Running the ls command will list the files in the current directory:
bin etc init mnt root tmp var
dev home lib proc sys usr web
Recommendation
This issue was fixed on the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.
CSRF Vulnerability for Trendnet TEW-831DR WiFi router (CVE-2022-30327)
Vendor: Trendnet
Vendor URL: https://www.trendnet.com/
Versions affected: All Versions
System Affected: TEW-831DR
CVE Identifier: CVE-2022-30327
Severity: High 7.6
Summary
Trendnet TEW-831DR WiFi router is a general consumer WiFi router with a web interface for configuration. It was found that the routers browser interface is vulnerable to CSRF.
Impact
The WiFi router interface is vulnerable to CSRF. An attacker can change the pre-shared key to the WiFi router if the interface IP is known.
Details
Cross-Site Request Forgery is an attack that occurs when a user interacts with a malicious web application while logged into a vulnerable web application using the same browser. The malicious web application can send unwanted requests to the vulnerable web application.
If the user is logged into the router web interface an attacker could create a page like the example below and trick a user into clicking it to change the router WiFi pre-shared key or SSID.
e.g.:
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.10.1/boafrm/formWizard" method="POST">
<input type="hidden" name="pskValue0" value="password">
<input type="hidden" name="pskValue1" value="password">
<input type="hidden" name="cliPskValue0" value="password">
<input type="hidden" name="cliPskValue1" value="password">
<input type="hidden" name="apply" value="Save amp; Apply">
<input type="submit" value="Submit request">
</form>
Recommendation
This issue was fixed on the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.
Weak Default Pre-Shared Key for Trendnet TEW-831DR WiFi Router (CVE-2022-30325)
Vendor: Trendnet
Vendor URL: https://www.trendnet.com/
Versions affected: All Versions
System Affected: TEW-831DR
CVE Identifier: CVE-2022-30325
Severity: Medium 4.0
Summary
Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the default pre-shared key for the WiFi networks is the same for every router but the last four digits.
Impact
The device default pre-shared key for both 2.4GHz and 5GHz networks can be guessed or brute-forced by an attacker within range of the WiFi network. The weak pre-shared key allows the attacker to gain access to these networks if the pre-shared key has been left unchanged from the factory default.
Details
The device default pre-shared key has the same seven out of eleven digits for every router. An attacker within scanning range of the WiFi network can brute-force the last four digits to gain access to the network.
e.g.:
The first seven default characters of the pre-shared key:
831R100
Recommendation
Trendnet indicated that this CVE will not be fixed at this point. Router owners that are still using the default pre-shared key should update the current wifi key to new one through the web interface.
Disclosure Timeline:
March 15th, 2022: Initial email from NCC to Trendnet.
March 16th, 2022: Trendnet responded to the initial email.
March 18th, 2022: First communication of the bugs to Trendnet. Set the disclosure timeline to 60 days.
May 5th – May 23rd, 2022: Multiple emails exchanged to complete the fixes on the firmware version.
May 23rd, 2022: Trendnet confirmed the fixes were present in the firmware to be released.
June 2nd, 2022 – Trendnet released firmware version:v1.0(601.130.1.1410).
Thanks to
Nicolas Bidron, Jennifer Fernick, and David Goldsmith for their support throughout the research and disclosure process. Additionally, Trendnet for their on going cooperation.
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.