Securifi Almond routers contain multiple vulnerabilities

CERT has issued Vulnerability Note VU#906576 on Securifi Almond routers.

Excerpt of VU#906576:

CWE-330: Use of Insufficiently Random Values – CVE-2015-2914
CWE-319: Cleartext Transmission of Sensitive Information
CWE-255: Credentials Management – CVE-2015-2915
CWE-352: Cross-Site Request Forgery (CSRF) – CVE-2015-2916
CWE-20: Improper Input Validation – CVE-2015-2917

Securifi Almond, firmware version AL1-R200-L302-W33 and earlier, and Securifi Almond 2015, firmware version AL2-R088 and earlier, contain multiple vulnerabilities. A remote, unauthenticated attacker may be able to spoof DNS responses to cause Almond LAN clients to contact attacker-controlled hosts or induce an authenticated user into making an unintentional request to the web server that will be treated as an authentic request. Securifi has released firmware versions to address these vulnerabilities. Almond users should upgrade to AL1-R201EXP10-L304-W34 or later. Almond 2015 users should upgrade to AL2-R088M or later. Note that the firmware updates mitigate the CSRF and clickjacking vulnerabilities by disabling the web management interface. Users may still enable web management from the Almond touch screen controls, but doing so will render their devices vulnerable. The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.

http://www.kb.cert.org/vuls/id/906576
http://www.securifi.com/almond
https://firmware.securifi.com/AL1/AL1-R201EXP10-L304-W34
https://firmware.securifi.com/AL2/AL2-R088m

US-CERT vulnerability note on DSL routers

US-CERT has issued a Vulnerability Note (VU#950576) for some DSL routers, excerpted below; see the US-CERT note for full details:

DSL routers contain hard-coded “XXXXairocon” credentials

DSL routers by ASUS, DIGICOM, Observa Telecom, Philippine Long Distance Telephone (PLDT), and ZTE contain hard-coded “XXXXairocon” credentials

CWE-798: Use of Hard-coded Credentials

DSL routers, including the ASUS DSL-N12E, DIGICOM DG-5524T, Observa Telecom RTA01N, Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN, and ZTE ZXV10 W300, contain hard-coded credentials that are usable in the telnet service on the device. In the ASUS, DIGICOM, Observa Telecom, and ZTE devices, the username is “admin”; in the PLDT device, the username is “adminpldt”; and in all affected devices, the password is “XXXXairocon”, where “XXXX” is the last four characters of the device’s MAC address. The MAC address may be obtainable over SNMP with community string public. The vulnerability was previously disclosed in VU#228886 and assigned CVE-2014-0329 for ZTE ZXV10 W300, but it was not known at the time that the same vulnerability affected products published by other vendors. The Observa Telecom RTA01N was previously disclosed on the Full Disclosure mailing list.

Impact: A remote attacker may utilize these credentials to gain administrator access to the device.

Solution: The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround: Restrict access: Enable firewall rules so the telnet service of the device is not accessible to untrusted sources. Enable firewall rules that block SNMP on the device.

Vendors impacted include: AsusTek, DIGICOM, Observa Telecom, Philippine Long Distance Telephone, and ZTE Corporation.

See CERT VU for full information:
http://www.kb.cert.org/vuls/id/950576

http://seclists.org/fulldisclosure/2015/May/129
https://www.kb.cert.org/vuls/id/228886
https://www.asus.com/Networking/DSLN12E/
http://www.digicom.com.hk/index.php?section=products&action=details&id=156#.VdzITpcuzl0
http://www.movistar.es/particulares/atencion-cliente/internet/adsl/equipamiento-adsl/routers/router-adsl-observa-rta01n-v2/