Source: cret@cert.org
The web administration interface on ReadyNet WRT300N-DD devices with firmware 1.0.26 has a default password of admin for the admin account, which allows remote attackers to obtain administrative privileges by leveraging a LAN session.
ReadyNet WRT300N-DD routers running firmware 1.0.26 ship with the admin account of the web administration interface set to the password 'admin', and nothing forces that password to be changed. Any attacker who can reach the interface (any host on the LAN, or an Internet host if remote administration has been enabled on the WAN side) can log in with admin/admin and take full administrative control of the device. Because the router sits in the path of every host behind it, that control extends to redirecting, intercepting or disrupting the traffic of the whole network.
Step 1: Network reconnaissance. The attacker locates a ReadyNet WRT300N-DD on the local network; in practice this is usually the LAN's default gateway, or a host found by scanning for a web server whose login page or HTTP headers identify the device.
Step 2: Reaching the web interface. The attacker opens the router's web administration interface in a browser, typically by entering the router's LAN address (for example 192.168.1.1). If remote administration is enabled, the same interface is reachable from the WAN side.
Step 3: Authentication attempt. The attacker submits the default username 'admin' and the default password 'admin' to the login form.
Step 4: Successful login. The router accepts the credentials, never having required a password change, and grants a full administrative session.
Step 5: System compromise. With administrative access the attacker can change DNS settings to redirect clients, alter firewall and port-forwarding rules, intercept or reroute traffic, flash modified firmware, or pivot to devices on the LAN.
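The procedure above, turned into the check a practitioner would run against their own devices (this is an added example, not vendor code and not part of the original advisory). It assumes the administration interface uses HTTP Basic authentication; a form-based login would need the request adapted. The "router" it talks to is a constructed stand-in that only exists so the check runs offline, and the canary credential is there to catch the edge case of a device that answers 200 to any credentials at all, which would otherwise be misreported as a default-password hit.

```python
"""Check whether a router's web admin interface still accepts admin/admin.

Added example, not vendor code. Assumes HTTP Basic authentication on the
admin interface (an assumption; adapt _try_login for a form-based login).
The _FakeRouter below is a constructed stand-in so the check runs offline.
"""
import base64
import http.server
import threading
import urllib.error
import urllib.request

DEFAULT_CREDS = [("admin", "admin")]  # the credential pair this advisory is about
# Must be rejected; if it is accepted, the device is not enforcing auth at all.
CANARY_CREDS = ("admin", "definitely-not-the-password-3f9a")


def _try_login(base_url, username, password, timeout=5):
    """Return the HTTP status for one Basic-auth attempt, or None on network error."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(base_url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return None


def check_default_credentials(base_url):
    """Classify a device as 'default-creds', 'auth-not-enforced', 'ok' or 'unreachable'.

    A 200 for admin:admin on its own is not proof: some devices return 200 for
    anything. The canary pair must be refused with 401 before the result counts.
    """
    canary = _try_login(base_url, *CANARY_CREDS)
    if canary is None:
        return "unreachable"
    if canary != 401:
        return "auth-not-enforced"
    for user, pw in DEFAULT_CREDS:
        if _try_login(base_url, user, pw) == 200:
            return "default-creds"
    return "ok"


class _FakeRouter(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the admin interface, protected by admin:admin."""
    enforce_auth = True
    expected = base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if not self.enforce_auth or self.headers.get("Authorization") == f"Basic {self.expected}":
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>Router status page</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="WRT300N-DD"')
            self.end_headers()

    def log_message(self, *args):  # keep the stand-in quiet
        pass


def start_fake_router(enforce_auth=True):
    """Serve the stand-in on an ephemeral loopback port; returns (server, base_url)."""
    handler = type("Handler", (_FakeRouter,), {"enforce_auth": enforce_auth})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}/"


if __name__ == "__main__":
    srv, url = start_fake_router()
    print(url, "->", check_default_credentials(url))  # default-creds
    srv.shutdown()
    srv.server_close()
```

Point check_default_credentials at the real device's LAN address to verify a fleet; the canary check is what keeps a "login page that never says no" from being recorded as a confirmed default password.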
The vulnerability stems from a design flaw rather than a coding bug: the device ships with a well-known default password and the web administration interface neither forces nor prompts a password change during initial setup. Anyone who can reach the interface can therefore authenticate with the factory credentials. The root cause is a missing control in the initialization flow, not a memory-safety or injection defect; it is a simple configuration oversight, but one that hands out full administrative access.
While no specific APT groups are directly linked to this CVE, the ease of exploitation makes it attractive to a wide range of attackers, including script kiddies and opportunistic malware campaigns. This vulnerability could be used as an initial access vector for more sophisticated attacks. CISA KEV status: Not Listed
Network traffic analysis: Watch for HTTP/HTTPS sessions to the router's web administration interface (typically port 80 or 443) from LAN hosts that are not the designated management workstations, and for any administration traffic arriving on the WAN interface. If the interface is plain HTTP, the login request itself carries the credentials in the clear and can be matched on the wire.
Log analysis: Review router logs for successful admin logins. Logs do not normally record the password used, so the signal is a successful 'admin' login from an unexpected host, from the WAN side, or succeeding on the first attempt from a host that has never administered the router before.
Honeypot deployment: Deploy a honeypot mimicking the vulnerable router to attract and detect scanning for default credentials.
Vulnerability scanning: Use a vulnerability scanner or a simple credential check to identify devices that still accept the default admin credentials.
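The log-analysis approach above, as an added example that is not part of the original advisory. The syslog-style line format and the allowlist of management hosts are constructed assumptions (the real WRT300N-DD log format is not documented on this page); the point it shows is that, since the password never appears in a log, the detection has to key on who logged in as 'admin' and from where.

```python
"""Flag admin-interface logins that warrant a look in router logs.

Added example. The log format and the allowlist are constructed assumptions;
adapt LINE_RE to the real device's syslog output. Passwords are never logged,
so detection keys on the account, the source host and the interface.
"""
import ipaddress
import re

# Hosts permitted to administer the router (assumed for the example).
ADMIN_ALLOWLIST = {ipaddress.ip_address("192.168.1.10")}

# Constructed sample log lines in a syslog-like shape.
SAMPLE_LOG = """\
Jan 12 03:14:05 router httpd: login success user=admin from=192.168.1.10 iface=LAN
Jan 12 03:15:40 router httpd: login success user=admin from=203.0.113.7 iface=WAN
Jan 12 03:16:02 router httpd: login failed user=admin from=192.168.1.40 iface=LAN
Jan 12 03:16:09 router httpd: login success user=admin from=192.168.1.40 iface=LAN
Jan 12 03:20:00 router httpd: login success user=admin from=192.168.1.23 iface=LAN
Jan 12 03:21:00 router dnsmasq: config change by admin: dns=203.0.113.53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ httpd: login (?P<result>success|failed) "
    r"user=(?P<user>\S+) from=(?P<src>[\d.]+) iface=(?P<iface>LAN|WAN)$"
)


def parse_logins(text):
    """Yield one dict per httpd login line; lines from other daemons are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["src"] = ipaddress.ip_address(ev["src"])
            yield ev


def find_suspicious_logins(text, allowlist=ADMIN_ALLOWLIST):
    """Return (reason, event) pairs for successful admin logins from unexpected places.

    Two rules: any admin login over the WAN interface, and any admin login from
    a LAN host that is not on the management allowlist. The allowlisted host's
    login is deliberately not reported.
    """
    findings = []
    for ev in parse_logins(text):
        if ev["result"] != "success" or ev["user"] != "admin":
            continue
        if ev["iface"] == "WAN":
            findings.append(("admin login over WAN interface", ev))
        elif ev["src"] not in allowlist:
            findings.append(("admin login from host outside allowlist", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in find_suspicious_logins(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['src']} ({ev['iface']}): {reason}")
```

Run against the sample, the allowlisted workstation's login is ignored and three events are reported: the WAN-side login and two LAN logins from hosts that are not management workstations. The failed attempt followed seven seconds later by success from 192.168.1.40 is what a default-credential login typically looks like in logs: no brute-force burst, just a near-immediate success.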
Immediately change the admin account's default password to a strong, unique password.
Disable remote (WAN-side) administration unless it is genuinely required.
Upgrade the router's firmware to the latest version the vendor still publishes for this model; firmware 1.0.26 may well be the last release.
Implement network segmentation so that only designated management hosts can reach the router's administration interface.
Include default-credential checks in regular security audits and penetration tests so that devices that are reset or replaced do not quietly return to admin/admin.