Backdoors left unpatched in MoFi routers

Canadian networking gear vendor MoFi Network has patched only six of ten vulnerabilities that security researchers have reported to the company earlier this year, in May.

Unpatched have remained a command injection vulnerability and three hard-coded undocumented backdoor mechanisms, all impacting the company’s line of MOFI4500-4GXeLTE routers.

These devices are very powerful business routers that MoFi describes as “high performance mission critical enterprise rugged metal router made for businesses or customers.”

MOFI4500-4GXeLTE routers provide high bandwidth connections to business users via LTE (4G) uplinks and are normally deployed by internet service providers or other companies that need to ensure internet access to remote business points where normal wired internet connections aren’t available.

Ten security flaws discovered in MOFI4500-4GXeLTE routers

In a report shared with ZDNet today, cyber-security firm CRITICALSTART says it discovered ten vulnerabilities in the firmware of MOFI4500-4GXeLTE routers earlier this year.

The ten vulnerabilities included a wide range of issues, one more serious than the other, all detailed in the table below.

CRITICALSTART said it notified the MoFi security staff of the vulnerabilities, but when the company issued a firmware update earlier this year, it only included patches for six of the ten bugs.

The four rows in yellow above represent the four vulnerabilities that MoFi has not (yet?) patched.

Asked to comment on this report and why it didn’t patch the last four bugs, MoFi did not return a contact request sent yesterday via the company’s website.

Exploitation is possible in some scenarios

Since the list of bugs contains quite a few backdoors, one would expect that these bugs are quite attractive for botnet operators — and indeed they are.

Exploiting the ten vulnerabilities only requires that an attacker have a direct line to the device’s web management interface, which CRITICALSTART says is accessible by default on all network interfaces — via both LAN (internal) and WAN (external).

However, CRITICALSTART says that since many MOFI4500-4GXeLTE routers are employed by ISPs, some of these devices have some sort of minimal protection in place, blocking attackers from easy hacks.

“Many Internet Service Providers (ISP) use Carrier Grade NAT which prevents direct access to the management interface from the Internet,” CRITICALSTART said.

“This does not limit an attacker with access to the LAN interface or to the internal ISP network. In some cases, the vulnerability can be triggered indirectly by a user clicking a link or visiting a malicious web site.”

For example, one such scenario of how these bugs could be exploited is via malicious code embedded inside ads. When an ISP employee or a customer on the ISP’s network accesses a website with one of these ads, the malicious code runs inside the browser (located in the ISP’s LAN) and hacks the MOFI4500-4GXeLTE router on behalf of the attackers.

This means that preventing access to the router’s management WAN interface may not be a full-proof solution in the long run, and, eventually, a firmware update needs to be applied to patch the rest of the bugs and prevent future attacks.

Because of the danger that these bugs pose, CRITICALSTART said it also notified US-CERT about its findings, and the organization appears to have worked behind the scenes on securing these devices.

CRITICALSTART reached this conclusion after observing the number of internet-accessible MoFi devices go down by more than 40% over the summer, from 14,000 devices on June 25, to around 8,200 devices on August 25.

“We suspect this is the result of US-CERT working with ISPs to restrict network access,” the CRITICALSTART research team said.