SOHOpelessly Broken 2.0: 125 Vulnerabilities Found in Routers, NAS Devices

Forums Security News (Security) SOHOpelessly Broken 2.0: 125 Vulnerabilities Found in Routers, NAS Devices

Tagged: 

  • This topic has 1 voice and 0 replies.
Viewing 0 reply threads
  • Author
    Posts
    • October 25, 2019 at 2:31 am #35780
      Telegram SmartBoT
      Moderator
      • Topic 5959
      • Replies 0
      • posts 5959
        @tgsmartbot

        #News(Security) [ via IoTGroup ]

        Headings…
        SECURITYWEEK NETWORK:
        Security Experts:
        SOHOpelessly Broken 2.0: 125 Vulnerabilities Found in Routers, NAS Devices
        SecurityWeek Daily Briefing
        Popular Topics
        Security Community

        Auto extracted Text……

        Researchers have discovered many vulnerabilities in over a dozen small office/home office (SOHO) routers and network-attached storage (NAS) devices as part of a project dubbed SOHOpelessly Broken 2.0.
        The first SOHOpelessly Broken project started in 2013, when researchers at Independent Security Evaluators (ISE) analyzed several SOHO routers and NAS devices.
        That project resulted in the discovery of many new vulnerabilities to which 52 CVE identifiers were assigned at the time.
        A total of 13 routers and NAS devices were analyzed as part of the SOHOpelessly Broken 2.0 project, which led to 125 CVEs being assigned to the new vulnerabilities.
        SOHOpelessly Broken 2.0 targeted devices from Buffalo, Synology, TerraMaster, Zyxel, Drobo, ASUS and its subsidiary Asustor, Seagate, QNAP, Lenovo, Netgear, Xiaomi, and Zioncom (TOTOLINK).
        The researchers said they identified at least one vulnerability that allowed remote shell access or access to the admin interface in each of the tested products, including cross-site scripting (XSS), OS command injection and SQL injection bugs.
        Six of the products were found to have vulnerabilities that can be exploited to gain complete control over a device remotely and without authentication.
        The experts said they had some communication issues with Netgear, while Drobo, Buffalo and Zioncom have not responded.
        It’s worth noting that Buffalo, TerraMaster, Drobo, Zyxel, TOTOLINK and Asustor don’t have vulnerability disclosure programs.
        Researchers have determined that newer IoT devices — compared to the findings of the initial SOHOpelessly Broken project — may have some useful security mechanisms in place, such as ASLR, anti-reverse engineering protections, and integrity verification mechanisms for HTTP requests.
        However, the experts found that many devices still lack basic web application protection systems, such as CSRF tokens and browser security headers, which would have prevented many of the exploits.
        “Through SOHOpelessly Broken 2

        Read More..
        AutoTextExtraction by Working BoT using SmartNews 1.0299999999 Build 26 Aug 2019

    • Author
      Posts
    Viewing 0 reply threads
    • You must be logged in to reply to this topic.