BreachExchange mailing list archives
TRENDnet Devices Bundle Infamous scfgmgr Service
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 11 Jan 2016 17:42:21 -0700
https://www.linkedin.com/pulse/trendnet-devices-bundle-infamous-scfgmgr-service-jake-kouns?trk=hp-feed-article-title-publish

Earlier this month, our research team at Risk Based Security encountered an older TRENDnet N300 Wireless Hot Spot Access Point (TEW-636APB) and decided to extract the firmware to take a closer look at it. For those who do not recall, TRENDnet is the vendor that was slapped by the FTC in 2014. Under the terms of the settlement with the Commission, TRENDnet was:

- prohibited from misrepresenting the security of its cameras
- required to establish a comprehensive information security program designed to address security risks that could result in unauthorized access
- required to obtain third-party assessments of its security programs every two years for the next 20 years
- required to notify customers of security issues and updates available to correct any flaw

This settlement was an attempt to ensure that TRENDnet improved the security of their products. It should be noted, however, that their devices were not really in any worse shape than what we regularly see from many device vendors.

When looking at the firmware, we immediately spotted that the device launches the infamous scfgmgr service on boot, which basically acts as a backdoor into the device. The service has previously been reported in various devices, primarily from NETGEAR, Cisco, and Linksys. It was, therefore, interesting to also find it in a product from TRENDnet, and it raised the question "How many TRENDnet models are affected?", especially when considering the FTC case.

To answer the question, we wrote a tool to download all available firmware images from TRENDnet (a total of 924), unpack and extract them using Binwalk, and then search for the presence of the scfgmgr service. The results were positive, as we only found the service in the latest firmware images for a few other TRENDnet device models, all of which seem to have been discontinued prior to the FTC case.
Hopefully, use of the affected device models in home and enterprise networks is very limited. Anyone still using one of these should consider replacing it with a still-supported device immediately, or, if unable to do so, at least ensure that traffic to the backdoor service is blocked. It should be noted that the service was previously reported to listen on TCP port 32764. That is not the case for the TRENDnet devices. A table of affected devices, firmware versions, and the port that the service listens on can be found below:

We can't rule out that other models were also affected at some point and silently fixed. It is, therefore, advisable to ensure that any TRENDnet devices in use (as with devices in general), regardless of model, are running the latest firmware versions.

If your organization wants an evaluation of a product, e.g. one internally developed or used in your IT infrastructure, we can assist with product assessments as well as with conducting network vulnerability assessments and penetration tests.
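The post describes the survey only at a high level: unpack every firmware image with Binwalk, then look for scfgmgr. The script below is an added example of the "look for scfgmgr" step and is not Risk Based Security's tool or any TRENDnet code. It assumes each image has already been unpacked (for instance with `binwalk -e`) into a directory tree, and it reports two independent signals: a file literally named scfgmgr anywhere in the tree, and an uncommented line in a text script (such as an rcS init script) that invokes it, so a shipped-but-never-started binary and a launched service are distinguished. The sample tree it scans is constructed in a temp directory with an illustrative path layout (`squashfs-root/usr/sbin/scfgmgr`, `etc/init.d/rcS`); real images may place the binary and its launcher elsewhere, and `extract_with_binwalk` assumes binwalk 2.x on PATH.

```python
"""Scan binwalk-extracted firmware trees for the scfgmgr service.

Added example, not Risk Based Security's tool. It assumes each firmware image
has already been unpacked (e.g. `binwalk -e`) into a directory tree; the file
layout used by make_sample_tree() is illustrative and constructed on the fly.
"""
import os
import re
import shutil
import subprocess
import tempfile

SERVICE_NAME = "scfgmgr"
# Match the service name used as a command word: at start of line, after
# whitespace, or after a path separator as in /usr/sbin/scfgmgr.
LAUNCH_RE = re.compile(r"(?:^|[\s/])" + re.escape(SERVICE_NAME) + r"\b")


def find_service_binaries(root):
    """Relative paths of every file literally named scfgmgr under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == SERVICE_NAME:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def find_launch_lines(root, max_bytes=256 * 1024):
    """(relative script path, line) pairs for text files that invoke scfgmgr.

    Binaries are skipped so that the service's own executable, or any other
    ELF that merely contains the string, is not mistaken for a launcher.
    Commented-out lines are ignored, since a disabled launch is not a launch.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == SERVICE_NAME or os.path.islink(path):
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue
            if b"\x00" in head[:512]:  # crude but effective binary check
                continue
            for line in head.decode("utf-8", errors="replace").splitlines():
                stripped = line.strip()
                if stripped.startswith("#"):
                    continue
                if LAUNCH_RE.search(stripped):
                    hits.append((os.path.relpath(path, root), stripped))
    return sorted(hits)


def scan_extracted_tree(root):
    """Summarise one unpacked firmware: is scfgmgr shipped, and is it started?"""
    binaries = find_service_binaries(root)
    launches = find_launch_lines(root)
    return {
        "binaries": binaries,
        "launch_lines": launches,
        "affected": bool(binaries) or bool(launches),
    }


def extract_with_binwalk(image_path, out_dir):
    """Unpack a firmware image with binwalk 2.x (assumed on PATH) into out_dir."""
    if shutil.which("binwalk") is None:
        raise RuntimeError("binwalk not found on PATH")
    subprocess.run(["binwalk", "-e", "-C", out_dir, image_path], check=True)
    return out_dir


def make_sample_tree(with_service):
    """Constructed stand-in for a binwalk output tree (not a real TRENDnet image)."""
    root = tempfile.mkdtemp(prefix="fw_")
    fs = os.path.join(root, "squashfs-root")
    os.makedirs(os.path.join(fs, "etc", "init.d"))
    os.makedirs(os.path.join(fs, "usr", "sbin"))
    rc_lines = ["#!/bin/sh", "mount -t proc proc /proc",
                "# scfgmgr appears here only in a comment and must not count"]
    if with_service:
        rc_lines.append("/usr/sbin/scfgmgr &")
        # A fake ELF header stands in for the real binary.
        with open(os.path.join(fs, "usr", "sbin", SERVICE_NAME), "wb") as fh:
            fh.write(b"\x7fELF" + b"\x00" * 60)
    rc_lines.append("/usr/sbin/httpd &")
    with open(os.path.join(fs, "etc", "init.d", "rcS"), "w") as fh:
        fh.write("\n".join(rc_lines) + "\n")
    return root


if __name__ == "__main__":
    for flag in (True, False):
        tree = make_sample_tree(flag)
        print("with_service=%s -> %s" % (flag, scan_extracted_tree(tree)))
        shutil.rmtree(tree)
```

Run over a whole vendor download set, the loop would call `extract_with_binwalk` per image and then `scan_extracted_tree` on the resulting directory; keeping the two signals separate matters because the post's point is that the service is launched at boot, not merely present on disk. The listening port is not recovered here, since the post says it differs from the previously reported TCP 32764 and the table giving it is not reproduced on this page.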
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which vendors to trust. Contact us today for a demo.