CRITICAL Vulnerability in the 3.x firmware

**fajo** · 20-11-2009, 11:45 PM

I just opened a support ticket (EEW-834557) with Thecus to inform them about another critical vulnerability. The new 3.x firmware allows potential attackers to become any user (even "admin") bypassing the authentication. Exploits are available.

All users of devices running a 3.x firmware should make sure the WebUI is not accessible from insecure networks (such as the Internet) until this vulnerability is fixed.

Update 2009/11/26 - Received a reply from Thecus, they "hope it can be fixed soon"

/Falk

P.S.: I will not publish any details on the exploits ... but I will probably not be the only one who knows about this already

**jennyz** · 24-11-2009, 06:46 AM

Hi Fajo,

Will the vulnerability you have mentioned still be a problem if I used port 443 instead of port 80?

Thanks,
Jen

**fajo** · 25-11-2009, 10:39 AM

Originally Posted by jennyz

Will the vulnerability you have mentioned still be a problem if I used port 443 instead of port 80?

It will and there is no workaround available, so this will be an issue until Thecus decides to fix it. I did not receive a response from Thecus yet (as usual) except for the automatic response and I doubt this issue will be fixed soon.

/Falk

**jennyz** · 29-11-2009, 12:55 AM

Thanks for the reply. I hope Thecus will work on this soon or at least provide some reassurance that the next firmware update will address this problem.

Jen

**jennyz** · 29-12-2009, 06:02 PM

Hi Fajo,

Could you verify if this problem is fixed in the firmware v3.00.08?

Thanks,
Jen

**jennyz** · 29-12-2009, 08:23 PM

Originally Posted by jennyz

Hi Fajo,

Could you verify if this problem is fixed in the firmware v3.00.08?

Thanks,
Jen

You don't to answer my question. FW v3.00.08 does not work on my N7700.

**fajo** · 29-12-2009, 11:04 PM

Hi Jen,

even if 3.00.08 would work for you, the issue would still be there ;o)

/Falk

**jennyz** · 03-01-2010, 10:18 PM

Originally Posted by fajo

Hi Jen,

even if 3.00.08 would work for you, the issue would still be there ;o)

/Falk

Falk,

I wonder will Thecus ever resolve this problem. I think we all need to do this

to Theucs.

Thanks,
Jen

**jennyz** · 26-01-2010, 06:19 AM

Hi Falk,

Does the new beta: N5500 - N7700 - N8800 FW v3.01.00.3 solve the vulnerability issue? The text on this new version says that it solve the vulnerability issue that you found. Not that I don't trust them *ahem* but I like to hear it from you.

Thanks,
Jen

**fajo** · 26-01-2010, 10:03 AM

Hi Jen,

yes, with 3.1 the vulnerability is fixed - I have not updated the thread yet since this FW is still beta ;o)

/Falk

**jennyz** · 27-01-2010, 08:11 PM

Thanks Fajo!

I hope the beta won't crash my system.

Jen

Thread: CRITICAL Vulnerability in the 3.x firmware

LinkBack

Thread Tools

CRITICAL Vulnerability in the 3.x firmware

Re: CRITICAL Vulnerability in the 3.x firmware

Re: CRITICAL Vulnerability in the 3.x firmware

Re: CRITICAL Vulnerability in the 3.x firmware

Re: CRITICAL Vulnerability in the 3.x firmware

Re: CRITICAL Vulnerability in the 3.x firmware

Re: CRITICAL Vulnerability in the 3.x firmware

Re: CRITICAL Vulnerability in the 3.x firmware

Re: CRITICAL Vulnerability in the 3.x firmware

Re: CRITICAL Vulnerability in the 3.x firmware

Re: CRITICAL Vulnerability in the 3.x firmware

Thread Information

Users Browsing this Thread

Similar Threads

Daytek Vigor 2800 Series firmware version 2.7 released

Draytek Vigor 2800G - new firmware 2.6.3.1 released

Xbox360: Hacked!

Tags for this Thread

Posting Permissions