KAB3WM, posted December 31, 2015

I've made enough attempts for the last month and a half to get someone from Netduma to acknowledge this security vulnerability and haven't heard a peep about a fix.. so maybe posting on the forums will help.

If you own a Netduma, simply visiting a website with some malicious code on it can change ANY setting on your router or reboot it.

To clarify -- Luke (the CEO) did email me and said he would forward it to his lead developer about 3 weeks ago. But that's the last I heard of it.. And that was 3 weeks after I had emailed about it in the first place!

I think Netduma needs to take security issues a little more seriously and maybe look at how other companies or projects handle security vulnerability reporting. Had Netduma emailed me back and said "Hey, we are investigating the best way to fix this and it is a priority, can you give us more time before disclosing this issue?" this post wouldn't exist. That didn't happen, so here it is.

Here's the full disclosure I posted last night.

http://seclists.org/fulldisclosure/2015/Dec/125

And here's a demo proof of concept URL that will reboot your router by just visiting the page from any device on your Netduma's network.

http://netduma-csrf-test.s3.amazonaws.com/netduma_csrf_test.html

fuzzy clam, posted December 31, 2015
Hidden by Netduma Crossy, December 31, 2015 - Thread moved into general support :)

Hey guys, I moved this topic in here. If I have moved it and I shouldn't have, feel free to move it back to support. But if you click on the second link it does reboot your router, and I didn't want people flipping out if they click it and their router reboots. The whole post just seemed kind of off to me, but that's just my opinion. So if it shouldn't be here, feel free to move it back.

Zennon, posted December 31, 2015

It does reboot mine also even though I have it behind a Billion 7800n with high security settings. It seems lots of routers have this vulnerability.

http://www.routercheck.com/csrf/

Netduma Crossy (Netduma Staff), posted December 31, 2015
Hidden by Netduma Crossy, December 31, 2015 - Thread moved into general support :)

Maybe it is best to put this back into the open because he is complaining about it in the shout box? If you password protect your router then this doesn't work anyway. So we can just tell everyone that if they're worried to just put a password on the router? (I only tested the password thing on Chrome and Safari so I could be wrong that other browsers will still allow it if you are already logged into the router etc).

Zennon, posted December 31, 2015

I did not have password protection enabled; now I do, and it passes with all browsers. Use password protection, guys, if you are worried about this.

Netduma Crossy (Netduma Staff), posted December 31, 2015

Anybody who is worried about this before it is fixed can just password protect their router in Settings >> Miscellaneous.

Netduma Iain (Administrators), posted December 31, 2015

For non-tech-savvy users the chance of this occurring in the wild is nearly nil; also, a would-be attacker cannot read your data. If you're concerned, just enable password protection in "Settings > Misc".

Happy new years, everyone.

dionysus, posted December 31, 2015

Do I want Google Chrome to save the password?

Zennon, posted December 31, 2015

If you are the sole user of the device or if you do not mind others having access to the page from your device then that is fine.

KAB3WM (Author), posted December 31, 2015

My problem with basic auth as a protection mechanism against this is you built a router that's meant to be very interactive/hands-on. It's not a router that you configure once and never touch again. A real authentication system with session cookies and CSRF tokens would provide the best UX and security for your product. Is this planned, or is basic auth your final solution to this problem?

And while I agree that the chances of getting randomly hit by this in the wild are close to nil (mainly due to market share/attack surface), I don't think it's far-fetched to think that known popular streamers may be targeted by this attack.

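The session-cookie-plus-CSRF-token check proposed in the post above, as an added example that is not Netduma's code and not part of the original thread. The admin origin, the cookie name and the form field name are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed values for illustration; a device would generate the key at first boot.
SERVER_KEY = secrets.token_bytes(32)
ADMIN_ORIGIN = "http://router.example"   # hypothetical admin UI origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: HMAC-SHA256(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method, headers, cookies, form, sessions):
    """Return (allowed, reason) for a request to the admin UI."""
    session_id = cookies.get("session", "")
    if session_id not in sessions:
        return False, "no valid session"
    if method in SAFE_METHODS:
        return True, "safe method"       # handlers for these must never change state
    # A browser labels cross-site POSTs with the sending page's origin.
    origin = headers.get("Origin")
    if origin is not None and origin != ADMIN_ORIGIN:
        return False, "cross-origin request"
    # The cookie rides along automatically; the token does not, because
    # another site cannot read it out of the admin page.
    expected = issue_csrf_token(session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo():
    """Constructed requests: one from the admin page, two triggered elsewhere."""
    sid = secrets.token_urlsafe(16)
    sessions, cookies = {sid}, {"session": sid}
    legit = check_request("POST", {"Origin": ADMIN_ORIGIN}, cookies,
                          {"action": "reboot", "csrf_token": issue_csrf_token(sid)},
                          sessions)
    forged = check_request("POST", {"Origin": "http://other.example"}, cookies,
                           {"action": "reboot"}, sessions)
    forged_no_origin = check_request("POST", {}, cookies, {"action": "reboot"}, sessions)
    return legit, forged, forged_no_origin
```

Both forged requests carry a valid session cookie and are still refused, which is the property that authentication on its own does not give.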
Archived
This topic is now archived and is closed to further replies.