AI Security AI安全 3d ago Updated 3d ago 更新于 3天前 46

CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware CERT/CC警告Tenda路由器固件中存在隐藏的管理后门

CERT/CC identified CVE-2026-11405, a hidden admin backdoor in Tenda router firmware allowing unauthorized administrative access without valid credentials. The vulnerability resides in the `/bin/web` server binary's `login()` function, which triggers an alternate code path upon failed MD5 authentication to check a plaintext configuration password. The backdoor ignores username validation, meaning any username paired with the specific backdoor password grants full admin privileges (role=2). Multip CERT/CC披露Tenda路由器固件中存在未记录的认证后门(CVE-2026-11405),允许攻击者绕过密码验证获取完全管理权限。 后门位于Web服务器二进制文件的“login()”函数中,当标准MD5认证失败时激活备用代码路径进行明文比对。 该漏洞影响多个固件版本,且用户名验证被覆盖,任何用户名配合特定后门密码即可登录,目前尚无补丁。 建议用户立即禁用远程管理功能并更改默认LAN IP地址,以防范自动化扫描器和潜在的攻击利用。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • CERT/CC identified CVE-2026-11405, a hidden admin backdoor in Tenda router firmware allowing unauthorized administrative access without valid credentials.
  • The vulnerability resides in the /bin/web server binary's login() function, which triggers an alternate code path upon failed MD5 authentication to check a plaintext configuration password.
  • The backdoor ignores username validation, meaning any username paired with the specific backdoor password grants full admin privileges (role=2).
  • Multiple firmware versions are affected, including those for models FH1201, W15E, AC10, AC5, and AC6, and the issue remains unpatched as of the report.
  • Immediate mitigation involves disabling remote management and changing the default LAN IP address to prevent exposure to automated scanners.

Why It Matters

This incident highlights critical security failures in IoT device manufacturing, specifically the embedding of undocumented authentication bypasses that undermine fundamental security principles. For practitioners, it underscores the necessity of rigorous firmware auditing and the risks associated with relying on default configurations or vendor-provided security mechanisms without independent verification.

Technical Details

  • Vulnerability Mechanism: The backdoor is embedded in the login() function of the /bin/web binary. After a standard MD5-based password verification fails, the code executes an alternative path calling GetValue("sys.rzadmin.password").
  • Authentication Bypass: The system performs a direct plaintext comparison between the user-supplied password and the stored sys.rzadmin.password value. If they match, the application assigns role=2 (admin) and creates a session, completely bypassing the intended credential check.
  • Username Validation Flaw: The rzadmin username field is not validated against existing accounts; any arbitrary username provided alongside the correct backdoor password will succeed.
  • Affected Scope: The vulnerability impacts several specific firmware builds across Tenda models such as US_FH1201, US_W15E, US_AC10, US_AC5, and US_AC6.
  • Status: Reported by an anonymous researcher, the vulnerability is currently unpatched, leaving devices exposed until a firmware update is released.

Industry Insight

  • Supply Chain Security: Manufacturers must implement strict code review processes to detect and remove undocumented backdoors or debug interfaces before firmware release, as these pose severe long-term security liabilities.
  • Defensive Configuration: Users should treat default IoT settings as inherently insecure; disabling remote management and altering default IPs are essential first steps in hardening network infrastructure against opportunistic attacks.
  • Vulnerability Management: Organizations relying on consumer-grade networking equipment should monitor CERT advisories closely and prioritize devices with transparent security update policies to mitigate exposure to zero-day or undisclosed flaws.

TL;DR

  • CERT/CC披露Tenda路由器固件中存在未记录的认证后门(CVE-2026-11405),允许攻击者绕过密码验证获取完全管理权限。
  • 后门位于Web服务器二进制文件的“login()”函数中,当标准MD5认证失败时激活备用代码路径进行明文比对。
  • 该漏洞影响多个固件版本,且用户名验证被覆盖,任何用户名配合特定后门密码即可登录,目前尚无补丁。
  • 建议用户立即禁用远程管理功能并更改默认LAN IP地址,以防范自动化扫描器和潜在的攻击利用。

为什么值得看

此事件揭示了物联网设备供应链中隐蔽的安全风险,特别是固件中故意植入或未文档化的后门机制,这对依赖此类设备的网络基础设施构成了严重威胁。对于安全从业者和企业IT管理员而言,了解此类底层认证绕过技术有助于加强设备配置审计和防御策略。

技术解析

  • 漏洞原理:后门嵌入在/bin/webserver二进制文件的login()函数中。正常流程使用MD5验证密码,若失败则触发备用路径,调用GetValue("sys.rzadmin.password")获取配置中的备用密码,并与用户输入的密码进行明文直接比对。
  • 绕过机制:系统不验证用户名,只要提供的密码匹配配置中的后门密码,无论输入什么用户名都会授予role=2的管理员会话权限,从而完全绕过身份验证。
  • 影响范围:涉及多个具体固件版本,包括US_FH1201、US_W15E、US_AC10、US_AC5和US_AC6等系列型号,表明问题可能源于通用的固件构建脚本或开发疏忽。
  • 当前状态:漏洞由匿名研究员报告,截至报道时尚未修复。由于后门未在任何管理界面可见,常规安全检查难以发现。

行业启示

  • 供应链安全审计:制造商需加强对第三方组件和固件构建流程的安全审查,确保不存在未记录的后门或硬编码凭证,提升透明度。
  • 纵深防御策略:鉴于单点认证失效的风险,应强制实施网络层隔离,如禁用远程管理、修改默认IP及端口,减少暴露面。
  • 持续监控与响应:企业应建立针对IoT设备的异常登录行为监控机制,并对已知高风险厂商的产品保持警惕,及时应用临时缓解措施。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全