AI Security AI安全 1d ago Updated 1d ago 更新于 1天前 42

Unpatched Backdoor in Tenda Firmware Grants Admin Access to Devices Tenda固件中未修补的后门授予设备管理员访问权限

A critical undocumented backdoor (CVE-2026-11405) in Tenda firmware allows authentication bypass by validating a hardcoded plaintext password against any username, granting full administrative access. The vulnerability stems from flawed logic in the web server's login function, where failed authentications trigger a fallback check against a static configuration value without verifying the associated user identity. CERT/CC reported an inability to coordinate with the vendor, resulting in no avail 安全研究人员在多款Tenda固件中发现未记录的CVE-2026-11405后门,可导致Web管理界面认证绕过。 该漏洞源于登录机制仅校验明文存储的配置密码且忽略用户名验证,攻击者无需合法凭据即可获取管理员权限。 CERT/CC表示无法与厂商协调披露,目前尚无补丁发布,建议用户禁用远程Web管理并修改默认LAN IP。 同期披露的HP Deskjet 2800系列打印机存在CVE-2026-13753漏洞,允许未授权访问API并泄露敏感配置数据。

65
Hot 热度
60
Quality 质量
55
Impact 影响力

Analysis 深度分析

TL;DR

  • A critical undocumented backdoor (CVE-2026-11405) in Tenda firmware allows authentication bypass by validating a hardcoded plaintext password against any username, granting full administrative access.
  • The vulnerability stems from flawed logic in the web server's login function, where failed authentications trigger a fallback check against a static configuration value without verifying the associated user identity.
  • CERT/CC reported an inability to coordinate with the vendor, resulting in no available patches and forcing reliance on mitigation strategies such as disabling remote management.
  • A separate unpatched vulnerability (CVE-2026-13753) in HP Deskjet printers exposes sensitive configuration data via unauthenticated API endpoints due to missing authorization checks.

Why It Matters

This incident highlights severe lapses in secure coding practices within consumer IoT and networking hardware, specifically regarding hardcoded credentials and improper authentication flows. For security practitioners, it underscores the critical importance of supply chain security and the risks associated with vendors failing to respond to responsible disclosure efforts.

Technical Details

  • Vulnerability Mechanism: In Tenda devices, when standard authentication fails, the system retrieves a password from the configuration file and compares it in plaintext with the user-supplied input. If they match, access is granted regardless of the username provided.
  • Impact Scope: The flaw affects multiple Tenda routers, switches, and networking devices, allowing attackers to modify network settings, disable security features, and compromise the local network.
  • HP Printer Flaw: CVE-2026-13753 involves HP Deskjet 2800 series printers where GET requests to backend API endpoints bypass authentication and session validation, leaking Wi-Fi passphrases and serial numbers.
  • Remediation Status: No patches have been released for either vulnerability. CERT/CC recommends disabling remote web management and changing default LAN IPs to mitigate exposure.

Industry Insight

  • Vendor Accountability: The failure of CERT/CC to coordinate with Tenda suggests a broader issue in the IoT sector where vendors may lack robust security response teams, necessitating stricter regulatory oversight or mandatory security standards.
  • Defense in Depth: Organizations and consumers must assume default configurations are insecure; proactive measures like network segmentation and disabling unused services (e.g., remote management) are essential defenses against unpatched vulnerabilities.
  • API Security Audits: The HP printer case reinforces the need for rigorous authorization checks on all API endpoints, particularly those handling sensitive configuration data, to prevent information leakage even in non-administrative contexts.

TL;DR

  • 安全研究人员在多款Tenda固件中发现未记录的CVE-2026-11405后门,可导致Web管理界面认证绕过。
  • 该漏洞源于登录机制仅校验明文存储的配置密码且忽略用户名验证,攻击者无需合法凭据即可获取管理员权限。
  • CERT/CC表示无法与厂商协调披露,目前尚无补丁发布,建议用户禁用远程Web管理并修改默认LAN IP。
  • 同期披露的HP Deskjet 2800系列打印机存在CVE-2026-13753漏洞,允许未授权访问API并泄露敏感配置数据。

为什么值得看

本文揭示了IoT设备固件中隐蔽的后门机制及认证逻辑缺陷,提醒从业者关注供应链安全中的“未记录功能”风险。同时,针对缺乏补丁支持的厂商应对策略提供了具体的缓解措施参考,对网络安全防护具有警示意义。

技术解析

  • 漏洞原理:Tenda设备的Web服务器登录函数在认证失败时,会尝试从配置文件中检索密码值,并将用户输入的密码与该明文存储的值进行比对。若匹配成功则授予访问权限,且完全忽略用户名验证。
  • 影响范围:涉及Tenda路由器、交换机等多种网络设备,攻击者可利用此机制修改配置、禁用安全特性,进而导致本地网络被完全控制。
  • 缓解措施:由于无官方补丁,建议用户立即禁用设备的远程Web管理功能,并将局域网默认IP地址更改为非标准地址,以降低被自动化扫描器发现的概率。
  • 关联漏洞:HP Deskjet 2800系列打印机存在类似的未授权API访问漏洞(CVE-2026-13753),攻击者可通过GET请求获取Wi-Fi凭证和管理员状态等敏感信息。

行业启示

  • 供应商响应机制失效:CERT/CC无法联系到Tenda厂商进行协调披露,反映出部分IoT制造商在安全事件响应和漏洞修复流程上的严重缺失,企业需建立更严格的供应商安全评估体系。
  • 默认配置安全性至关重要:多个漏洞均利用了未修改的默认设置或硬编码逻辑,强调在设备出厂和部署阶段必须强制实施最小权限原则和默认凭证轮换机制。
  • 纵深防御策略的必要性:在无法依赖厂商及时修补的情况下,通过网络层隔离、禁用非必要服务(如远程管理)等主动防御手段,是降低IoT设备暴露面的关键策略。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全