Unpatched Wi-Fi Extender Opens Home Networks to Remote Control

A popular Wi-Fi extender for the home has multiple unpatched vulnerabilities, including the use of a weak, default password, according to researchers. Also, two of the bugs could allow complete remote control of the device.

The flaws have been found in the Tenda PA6 Wi-Fi Powerline extender, version 220.127.116.11, which extends the wireless network throughout the house using HomePlug AV2 technology.

“A compromised device can become part of an internet of things (IoT) botnet that launches distributed denial-of-service (DDoS) attacks, used to pivot to other connected devices, leveraged to mine for cryptocurrency or used in various other unauthorized ways,” explained researchers at IBM X-Force, in a posting last week.

Web Server Woes

The first two bugs are a command-injection issue (CVE-2019-16213) and a critical buffer overflow (CVE-2019-19505). They are found in the extender device’s web server, under a process named “httpd.”

The command-injection vulnerability carries a rating of 8.8 out of 10 on the CVSS severity scale. It arises from the fact that under the “Powerline” section in the user interface (UI) of the extender’s web server, the user can see and change the name of the other powerline communication (PLC) devices which are attached to the same powerline network. An authenticated user can inject an arbitrary command just by changing the device name of an attached PLC adapter with a specially crafted string, the researchers noted. Since the web server is running with root…

Posted by govanguard, 2020-06-29 12:48
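As an added illustration of the mitigation for the device-name injection described above (this is example code, not the article's or Tenda's firmware), the C below applies a conservative allow-list to a PLC device-name field and hands the accepted name to a helper as a single argv entry so that no shell ever parses it. The 32-byte limit, the function names and the helper tool path are assumptions.

```c
/* Added example, not code from the article or from Tenda: a conservative
 * allow-list check for a PLC device-name field, plus an argv-based way to
 * hand the name to a helper so no shell ever parses it. The 32-byte limit,
 * function names and helper tool are hypothetical. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PLC_NAME_MAX 32

/* Accept only ASCII letters, digits, space, '-', '_' and '.', 1..32 bytes,
 * with no leading or trailing space. Everything a shell could interpret
 * (quotes, ';', '|', '&', '$', backticks, newlines) falls outside the list,
 * as do control characters and non-ASCII bytes. */
bool plc_name_is_valid(const char *name)
{
    if (name == NULL)
        return false;
    size_t len = 0;
    while (name[len] != '\0') {
        unsigned char c = (unsigned char)name[len];
        if (c > 0x7f || !(isalnum(c) || c == ' ' || c == '-' ||
                          c == '_' || c == '.'))
            return false;
        if (++len > PLC_NAME_MAX)
            return false;
    }
    if (len == 0 || name[0] == ' ' || name[len - 1] == ' ')
        return false;
    return true;
}

/* Build an argv vector for a helper tool instead of formatting the name
 * into a shell command line. With execv()-style invocation the name is a
 * single argument, never a string a shell splits. Returns the argument
 * count (excluding the NULL terminator) or 0 if the name was rejected. */
int plc_build_set_name_argv(const char *tool, const char *mac,
                            const char *name, const char *argv[],
                            size_t argv_cap)
{
    if (argv_cap < 5 || !plc_name_is_valid(name))
        return 0;
    argv[0] = tool;
    argv[1] = "set-name";
    argv[2] = mac;
    argv[3] = name;
    argv[4] = NULL;
    return 4;
}
```

The allow-list is deliberately narrow; widening it to accept more characters is safer than switching back to interpolating the name into a command string, and the root-privileged httpd the article mentions should in any case be dropped to an unprivileged account before it handles such input.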