Thread: CRITICAL Vulnerability in the 3.x firmware

  1. #1
    Registered+
    Join Date
    Jul 2007
    Posts
    52
    Thanks
    0
    Thanked
    0 times in 0 posts

    CRITICAL Vulnerability in the 3.x firmware

    I just opened a support ticket (EEW-834557) with Thecus to inform them about another critical vulnerability. The new 3.x firmware allows potential attackers to become any user (even "admin") bypassing the authentication. Exploits are available.

    All users of devices running a 3.x firmware should make sure the WebUI is not accessible from insecure networks (such as the Internet) until this vulnerability is fixed.

    Update 2009/11/26 - Received a reply from Thecus, they "hope it can be fixed soon"

    /Falk

    P.S.: I will not publish any details on the exploits ... but I will probably not be the only one who knows about this already
    Last edited by fajo; 26-11-2009 at 06:51 PM.

  2. #2
    Registered User
    Join Date
    Oct 2009
    Posts
    10
    Thanks
    0
    Thanked
    0 times in 0 posts

    Re: CRITICAL Vulnerability in the 3.x firmware

    Hi Fajo,

    Will the vulnerability you have mentioned still be a problem if I used port 443 instead of port 80?

    Thanks,
    Jen

  3. #3

    Re: CRITICAL Vulnerability in the 3.x firmware

    Originally posted by jennyz:
        Will the vulnerability you have mentioned still be a problem if I used port 443 instead of port 80?

    It will and there is no workaround available, so this will be an issue until Thecus decides to fix it. I did not receive a response from Thecus yet (as usual) except for the automatic response and I doubt this issue will be fixed soon.

    /Falk

  4. #4

    Re: CRITICAL Vulnerability in the 3.x firmware

    Thanks for the reply. I hope Thecus will work on this soon or at least provide some reassurance that the next firmware update will address this problem.

    Jen

  5. #5

    Re: CRITICAL Vulnerability in the 3.x firmware

    Hi Fajo,


    Could you verify if this problem is fixed in the firmware v3.00.08?

    Thanks,
    Jen

  6. #6

    Re: CRITICAL Vulnerability in the 3.x firmware

    Originally posted by jennyz:
        Hi Fajo,

        Could you verify if this problem is fixed in the firmware v3.00.08?

        Thanks,
        Jen

    You don't have to answer my question. FW v3.00.08 does not work on my N7700.

  7. #7

    Re: CRITICAL Vulnerability in the 3.x firmware

    Hi Jen,

    even if 3.00.08 would work for you, the issue would still be there ;o)

    /Falk

  8. #8

    Re: CRITICAL Vulnerability in the 3.x firmware

    Originally posted by fajo:
        Hi Jen,

        even if 3.00.08 would work for you, the issue would still be there ;o)

        /Falk

    Falk,

    I wonder will Thecus ever resolve this problem. I think we all need to do this to Thecus.

    Thanks,
    Jen

  9. #9

    Re: CRITICAL Vulnerability in the 3.x firmware

    Hi Falk,

    Does the new beta: N5500 - N7700 - N8800 FW v3.01.00.3 solve the vulnerability issue? The text on this new version says that it solves the vulnerability issue that you found. Not that I don't trust them *ahem* but I like to hear it from you.

    Thanks,
    Jen

  10. #10

    Re: CRITICAL Vulnerability in the 3.x firmware

    Hi Jen,

    yes, with 3.1 the vulnerability is fixed - I have not updated the thread yet since this FW is still beta ;o)

    /Falk

  11. #11

    Re: CRITICAL Vulnerability in the 3.x firmware

    Thanks Fajo!
    I hope the beta won't crash my system.

    Jen
