Vulnerability has not been reported to the manufacturer

Jul 6, 2015 22:35 GMT  ·  By

A large number of router models from South Korean manufacturer EFM Networks are vulnerable to a remote code execution flaw, a researcher claims.

The flaw can be exploited without authentication: the attacker only needs to send a crafted DHCP request to the router from the local network.

ipTIME routers are widespread in South Korea

Pierre Kim, the researcher who discovered the bug, says the problem exists in 127 ipTIME router models, which are very popular in South Korea. By his account, ipTIME devices make up more than 60% of the consumer networking gear deployed in the country.

Put as a more worrying figure, the researcher estimates that about 10 million such devices are currently in use in South Korea.

The researcher did not disclose the issue to the manufacturer before publishing, which makes it a zero-day vulnerability, ready to be exploited by threat actors.

“This is a direct RCE against the routers which gives a complete root access to the embedded Linux from the LAN side,” Kim says in the security advisory.

Since EFM Networks is among the leading brands of networking equipment for consumers as well as small and medium-sized businesses in South Korea, its products are likely used to provide public Internet access in restaurants, parks and bars.

Attackers can take full control of the affected device

Given all this, the potential risk is significant: an attacker who hijacks such a router can intercept the traffic of connected users or redirect them to malicious sites.

In Kim's tests, an attacker could plant a backdoor that runs with root privileges, or replace the firmware entirely with a malicious build.

The issue mirrors an earlier one, CVE-2011-0997, disclosed in 2011, in which a DHCP client (ISC's dhclient) executed arbitrary commands because of shell metacharacters in a hostname obtained from a DHCP message. Here the roles are reversed: it is the router's DHCP server that passes a client-supplied hostname to a shell, so a malicious client on the LAN gets command execution on the router.
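To make the bug class concrete, the following is an added example that is not taken from the advisory or from ipTIME firmware. It builds a DHCPDISCOVER whose host-name option (option 12) carries shell metacharacters, parses the options the way a DHCP server would, shows the vulnerable pattern (hostname interpolated into a command handed to `/bin/sh`, as described above), and then the hardened pattern (hostname validated against the RFC 1123 grammar, and written without any shell). The packet, the MAC address, the lease file path and the shape of the vulnerable command are all constructed for the illustration.

```python
"""Added example: a DHCP host-name option becoming a shell command on a
router whose DHCP server hands the client-chosen hostname to /bin/sh, and
the two checks that close the hole. Not ipTIME's code; packet and command
shape are constructed for illustration."""
import re
import subprocess

# RFC 2132 option codes and the RFC 2131 magic cookie that starts the options field
OPT_PAD = 0
OPT_HOST_NAME = 12
OPT_MSG_TYPE = 53
OPT_END = 255
DHCP_MAGIC = b"\x63\x82\x53\x63"
HEADER_LEN = 236  # fixed BOOTP/DHCP header that precedes the magic cookie


def build_dhcp_discover(hostname: bytes, mac: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Constructed DHCPDISCOVER: fixed header plus message-type and host-name options."""
    hdr = bytes([1, 1, 6, 0])                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
    hdr += (0x3903F326).to_bytes(4, "big")    # xid (arbitrary)
    hdr += b"\x00\x00" + b"\x80\x00"          # secs, flags (broadcast bit set)
    hdr += b"\x00" * 16                       # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\x00" * 10                 # chaddr, padded to 16 bytes
    hdr += b"\x00" * 64 + b"\x00" * 128       # sname, file
    assert len(hdr) == HEADER_LEN
    opts = DHCP_MAGIC
    opts += bytes([OPT_MSG_TYPE, 1, 1])       # message type 1 = DHCPDISCOVER
    opts += bytes([OPT_HOST_NAME, len(hostname)]) + hostname
    opts += bytes([OPT_END])
    return hdr + opts


def parse_dhcp_options(packet: bytes) -> dict:
    """Walk the TLV option list and return {code: raw bytes}; stops cleanly on truncation."""
    if packet[HEADER_LEN:HEADER_LEN + 4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            break                             # length byte missing: truncated packet
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def hostname_from_packet(packet: bytes) -> str:
    """What a lease hook receives: the option bytes as text, no validation yet."""
    return parse_dhcp_options(packet).get(OPT_HOST_NAME, b"").decode("ascii", errors="replace")


def vulnerable_lease_command(ip: str, hostname: str, lease_file: str) -> str:
    """The bug class: the client-chosen hostname is spliced into a command that /bin/sh runs as root."""
    return f"echo {ip} {hostname} >> {lease_file}"


def run_vulnerable(ip: str, hostname: str, lease_file: str = "/dev/null") -> str:
    """Executes the spliced command the way a system() call would; returns what the shell printed."""
    cmd = vulnerable_lease_command(ip, hostname, lease_file)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# RFC 1123 labels: letters, digits and hyphens, no leading or trailing hyphen, at most 63 chars
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(hostname: str) -> bool:
    """Allow-list check: anything a shell could interpret is outside this grammar."""
    if not hostname or len(hostname) > 253:
        return False
    return all(LABEL_RE.match(label) for label in hostname.split("."))


def safe_lease_record(ip: str, hostname: str) -> str:
    """Hardened path: validate, then build the record directly; no shell is ever involved."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname option: {hostname!r}")
    return f"{ip} {hostname}\n"


if __name__ == "__main__":
    pkt = build_dhcp_discover(b"pc;echo INJECTED;#")   # constructed malicious request
    name = hostname_from_packet(pkt)
    print("shell would run:", vulnerable_lease_command("192.168.0.10", name, "/tmp/leases"))
    print("shell output   :", run_vulnerable("192.168.0.10", name).strip())
    try:
        safe_lease_record("192.168.0.10", name)
    except ValueError as err:
        print("hardened path  :", err)
```

The fix has two independent parts, and both matter: the allow-list rejects the payload before it reaches any command, and writing the record without a shell means that even a hostname which slips past validation cannot be interpreted as syntax. Escaping the hostname for the shell instead (for example with `shlex.quote`) would also work, but it keeps the shell in the path and is the easier of the two to get subtly wrong.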

According to the researcher, the still-unpatched problem is present in firmware versions as old as 2009 and in releases as recent as 9.66, published in 2015. The latest version, 9.68, ships only on a handful of devices, but there is a high probability that it is affected as well.