Overview

Signal 11 identified an authentication bypass vulnerability affecting NetComm routers running firmware versions up to and including R6B031.

Exploitation requires another user to have an active authenticated session on the device at the time of exploitation.

The vulnerability exists in the device’s session handling logic. The session cookie value is encrypted with AES-256 using a key that is hardcoded in the firmware and passed directly to cmsUtl_AES256_Decode:

TWgj@config@EncodeDecode

The device appears to validate a request by checking only that some authenticated session currently exists on the device and that the encrypted session cookie supplied in the request decrypts successfully under that key. The decrypted value is not checked against the session it supposedly belongs to. Because the key is the same on every device and recoverable from the firmware, an attacker can produce their own cookie that decrypts cleanly; as long as an administrator has an active session at that moment, the device accepts it and the normal authentication flow is bypassed.

[...]
  snprintf(acStack_2a0,0x80,"%s=","Name"); // [1] 
  sVar1 = strlen(acStack_2a0);
  iVar2 = strncmp(acStack_2a0,pcVar5,sVar1);
  if (iVar2 == 0) {
    pcVar5 = pcVar5 + sVar1;
LAB_0007ec70:
    if (pcVar5 == (char *)0x0) goto LAB_0007ec4c;
    pcVar3 = strstr(pcVar5,"; ");
    if ((pcVar3 != (char *)0x0) || (pcVar3 = strstr(pcVar5,"\r\n"), pcVar3 != (char *)0x0)) {
      iVar2 = (int)pcVar3 - (int)pcVar5;
      if (iVar2 < 0xff && iVar2 != 0) {
        memcpy(local_220,pcVar5 + 1,iVar2 - 1);
        local_220[iVar2] = '\0';
        if (local_220[0] != '\0') {
          log_log(7,"get_Cookie_name",0x7d,"inCookieValue = %s ",local_220);
          cmsUtl_AES256_Decode(local_220,"TWgj@config@EncodeDecode",local_120,0xff); // [2]
        }
[...]
// [1] The value of the Name cookie is located in the request's Cookie header and copied out
// [2] The value is decrypted with the static key TWgj@config@EncodeDecode; nothing on this path ties the result to a specific session
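As an added illustration, not code from the advisory or from the vendor's firmware, the following Python model contrasts the check described above ("a session exists and the cookie decrypts") with a session-bound check. The cipher is a stand-in (a SHA-256 keystream XOR with a fixed marker, so that "decrypts successfully" has a meaning); the router's real cmsUtl_AES256_Decode, its cookie format and the actual change shipped in R6B032 are not modelled, and the class and function names are the example's own.

```python
import hashlib
import hmac
import os
import secrets

# Key string reported in the advisory; used here only as input to the stand-in cipher.
HARDCODED_KEY = b"TWgj@config@EncodeDecode"
MARKER = b"SESS"  # assumed format prefix so that a failed decryption is detectable


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 counter keystream. Stand-in for AES; not the device's cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encode(key: bytes, plaintext: bytes) -> bytes:
    """Models the encode side of the device's cookie cipher (assumption): marker + plaintext, XOR keystream."""
    data = MARKER + plaintext
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decode(key: bytes, cookie: bytes):
    """Returns the plaintext, or None when the cookie does not decrypt cleanly under key."""
    data = bytes(a ^ b for a, b in zip(cookie, _keystream(key, len(cookie))))
    if not data.startswith(MARKER):
        return None
    return data[len(MARKER):]


class VulnerableRouter:
    """Check as described in the advisory: authenticated if some session is active
    and the supplied cookie decrypts under the hardcoded key. The cookie is never
    matched against the session it claims to belong to."""

    def __init__(self):
        self.active_sessions = {}  # username -> session id

    def login(self, user: str) -> bytes:
        sid = secrets.token_hex(8)
        self.active_sessions[user] = sid
        return encode(HARDCODED_KEY, sid.encode())

    def is_authenticated(self, cookie: bytes) -> bool:
        if not self.active_sessions:
            return False
        return decode(HARDCODED_KEY, cookie) is not None


class FixedRouter:
    """Hardened model (the example's own, not the vendor's R6B032 change): the cookie
    carries a random per-session token, the server accepts it only if it matches a
    live session, and the key is generated per device instead of compiled in."""

    def __init__(self):
        self.key = os.urandom(32)
        self.active_sessions = {}  # token -> username

    def login(self, user: str) -> bytes:
        token = secrets.token_bytes(16)
        self.active_sessions[token] = user
        return encode(self.key, token)

    def is_authenticated(self, cookie: bytes) -> bool:
        token = decode(self.key, cookie)
        if token is None:
            return False
        # Constant-time comparison against each live token; avoids a timing side channel.
        return any(hmac.compare_digest(token, live) for live in self.active_sessions)


def forge_cookie(key: bytes) -> bytes:
    """What the attacker does: encrypt an arbitrary value under a key they know."""
    return encode(key, b"not-a-real-session")


def run_scenario() -> dict:
    vuln = VulnerableRouter()
    forged = forge_cookie(HARDCODED_KEY)
    no_session = vuln.is_authenticated(forged)      # nobody logged in: rejected
    vuln.login("admin")
    admin_active = vuln.is_authenticated(forged)    # admin session live: accepted

    fixed = FixedRouter()
    fixed.login("admin")
    # Even an attacker who has recovered this device's key cannot mint a cookie
    # that names a live session token they have never seen.
    forged_known_key = fixed.is_authenticated(forge_cookie(fixed.key))
    legit = fixed.is_authenticated(fixed.login("admin"))
    return {
        "vuln_no_session": no_session,
        "vuln_admin_active": admin_active,
        "fixed_forged_known_key": forged_known_key,
        "fixed_legit": legit,
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

The point of the fixed model is that the cookie must identify one specific live session and is compared against that session's random token, not against "any session exists". The scenario also shows that this binding holds even when the attacker knows the encryption key, which is why moving the key out of the firmware is defence in depth rather than the fix itself.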

Successful exploitation allows an attacker to bypass authentication and access the device without valid credentials, provided another authenticated user is actively logged in at the time of exploitation.

Affected Products

The issue affects the following devices:

  • NF20MESH

It’s possible that other devices may also be affected.

Impact

Successful exploitation may allow a remote attacker to gain access to administrative features on the router.

Remediation

Users with affected devices should upgrade to the vendor-provided fixed firmware (version R6B032 or later) as soon as practical.

Where immediate patching is not possible, the following mitigations may reduce exposure. Note that the bypass itself does not require credentials, so changing passwords does not prevent it on its own; limiting who can reach the management interface is what reduces exposure to this issue:

  • Change default passwords for all user accounts
  • Prevent direct exposure of affected devices to the public internet
  • Segment affected devices from sensitive internal assets