IBM Discloses Tenda Powerline Extender Flaws Apparently Ignored by Vendor


IBM has disclosed the details of several vulnerabilities found in powerline extenders made by China-based networking solutions provider Tenda. IBM says Tenda ignored its emails and phone calls, and it’s unclear if any patches are being developed.

Considered an alternative to Wi-Fi extenders, powerline extenders leverage a building’s electrical wiring to boost the range of an internet connection. One powerline network adapter is connected to the router and then plugged into a wall socket. The electrical wiring will carry the signal to a different socket (in an area where a stronger signal is needed), in which the user plugs in a second powerline adapter.

Researchers at IBM’s X-Force Red team have analyzed Tenda PA6 Wi-Fi powerline extenders, which are part of the company’s PH5 Powerline Extender Kit, and identified vulnerabilities that could allow attackers to take complete control of a device.Vulnerabilities found in Tenda powerline extenders

Malicious actors could exploit the vulnerabilities to add a device to an IoT botnet and abuse it to launch DDoS attacks, move to other devices on the network, or abuse them to mine for cryptocurrency.

One of the vulnerabilities has been described as a command injection issue that can be exploited by an authenticated attacker to take control of a powerline adapter. Another vulnerability allows an authenticated attacker to execute arbitrary code on the device.

IBM says it may be possible to exploit these vulnerabilities remotely from the internet. While exploitation requires authentication, the tech giant’s researchers noticed that the vulnerable devices are only protected by a weak, default password.

A third security hole found by IBM researchers is a denial-of-service (DoS) vulnerability that can be exploited without authentication to cause a device to continuously reboot.

They also noticed that an attacker can easily obtain a device’s firmware image, which includes configuration data and other files.

Based on the CVE identifiers assigned to these vulnerabilities, they were discovered in 2019, but no patches appear to have been released. IBM says it has attempted to report its findings to Tenda, but the vendor ignored its phone calls and emails, which is why it’s unclear if the company is working on releasing patches.

Related: Remote Command Execution Vulnerability Affects Many D-Link Routers

Related: Several Botnets Using Zero-Day Vulnerability to Target Fiber Routers

Related: MikroTik Router Vulnerabilities Can Lead to Backdoor Creation

view counter

RSS Icon
picture 106

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:
tag iconTags:





Source link

Recent articles

Tubites · Packaging

Creating a playful, fresh, and colorful packaging for the new guilt-free snacks brand "Tubites". Each of the product lines is aimed at...

BlendNet free addon to simplify the cloud rendering

Rabit writes: The new BlendNet v0.2 was released and could be quite useful for everyone who wants to save money on the render farm...

What’s New on Netflix UK: July 8th, 2020

Stateless is now available to stream on Netflix UKA quiet Wednesday on Netflix UK with three 3 additions to the library. Of the...

Save time at the command line with HTTPie instead of curl

Ah, curl. While widely-loved and wildly powerful, its ergonomics leave something to be desired. Although it should not replace curl in your automation,...

Leave a reply

Please enter your comment!
Please enter your name here