Tenda W308R DNS Hijacking Vulnerability (CVE-2018-25316)
Tenda W308R v2 V5.07.48 is vulnerable to cookie session weakness, allowing unauthenticated attackers to modify DNS settings via crafted GET requests to redirect user traffic to malicious sites.
Tenda W308R v2 running firmware V5.07.48 is susceptible to a cookie session weakness (CVE-2018-25316) that enables unauthenticated attackers to perform DNS hijacking. This vulnerability stems from insufficient session validation. An attacker can exploit this weakness by sending specially crafted GET requests to the goform/AdvSetDns endpoint. The malicious request includes a crafted admin language cookie, which bypasses authentication checks and allows modification of the device’s DNS server settings. Successful exploitation allows the attacker to redirect the router’s DNS queries to a malicious server under their control. This poses a significant risk to end-users, as it can lead to phishing attacks, malware distribution, and other malicious activities.
Attack Chain
- The attacker identifies a vulnerable Tenda W308R v2 router running firmware V5.07.48 exposed to the internet.
- The attacker crafts a malicious HTTP GET request targeting the goform/AdvSetDns endpoint.
- The GET request includes a crafted “admin language cookie” designed to bypass authentication.
- The router receives the malicious GET request and, due to insufficient session validation, incorrectly authenticates the attacker.
- The router processes the malicious request, modifying the DNS server settings to attacker-controlled DNS servers.
- Users connected to the compromised router now resolve domain names through the attacker’s DNS server.
- The attacker’s DNS server redirects users to malicious websites, potentially serving malware or phishing pages.
- Users unknowingly interact with the malicious content, leading to data theft, system compromise, or other harmful outcomes.
Impact
Successful exploitation of this vulnerability allows an attacker to control DNS resolution for all devices connected to the affected Tenda W308R v2 router. This can lead to widespread redirection to phishing sites designed to steal credentials, or to sites hosting malware that infects user devices. Given the widespread use of Tenda routers, this vulnerability could impact a large number of home and small business networks. A successful attack allows the attacker to perform man-in-the-middle attacks, eavesdrop on network traffic, and compromise connected devices.
Recommendation
- Deploy the Sigma rule "Detect Tenda Router DNS Hijack Attempt" to identify attempts to exploit this vulnerability by monitoring for suspicious requests to the /goform/AdvSetDns endpoint (log source: webserver).
- Monitor web server logs for requests containing a crafted admin language cookie to the /goform/AdvSetDns endpoint, indicating potential exploitation attempts (log source: webserver).
- Apply available patches or firmware updates from Tenda to address the cookie session weakness and prevent unauthorized DNS modifications.
- Consider replacing the affected device if a patch is unavailable, especially in high-risk environments.
Detection coverage (2 rules)
Detect Tenda Router DNS Hijack Attempt
Severity: critical. Detects suspicious requests to the /goform/AdvSetDns endpoint with a crafted cookie, indicating a potential DNS hijack attempt on Tenda W308R v2 routers.
Detect Tenda Router Admin Language Cookie
Severity: high. Detects web requests with a suspicious 'admin language' cookie, potentially indicating an attempt to exploit the Tenda router vulnerability.
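As an added example, not code from the advisory or from the platform's own Sigma rules, the Python below applies the two detections above to web server access-log lines: a request to /goform/AdvSetDns carrying an "admin language" style cookie is rated critical, and any request carrying such a cookie is rated high. The log layout, the cookie name `admin:language` and the sample lines are assumptions constructed for the example.

```python
import re
from typing import Optional
# Constructed sample access-log lines (combined format plus a trailing quoted Cookie
# field); the "admin:language" cookie name is assumed, not captured from a device.
SAMPLE_LOGS = [
    '192.0.2.10 - - [10/Mar/2024:10:00:01 +0000] "GET /goform/AdvSetDns?dns1=203.0.113.5 HTTP/1.1" 200 12 "-" "curl/7.0" "admin:language=en"',
    '192.0.2.11 - - [10/Mar/2024:10:00:05 +0000] "GET /index.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '192.0.2.12 - - [10/Mar/2024:10:00:09 +0000] "GET /goform/AdvSetDns HTTP/1.1" 200 12 "-" "python-requests/2.31" "-"',
    '192.0.2.13 - - [10/Mar/2024:10:00:12 +0000] "POST /goform/login HTTP/1.1" 200 64 "-" "Mozilla/5.0" "admin:language=zh"',
]

# Assumed log layout; adapt the pattern to whatever device or proxy writes the log.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# Matches cookie names such as "admin language" or "admin:language" (any short separator).
ADMIN_LANG_COOKIE_RE = re.compile(r'admin[^=;]{0,3}language\s*=', re.IGNORECASE)
DNS_ENDPOINT = "/goform/AdvSetDns"
RULE_DNS_HIJACK = ("critical", "Detect Tenda Router DNS Hijack Attempt")
RULE_ADMIN_COOKIE = ("high", "Detect Tenda Router Admin Language Cookie")

def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def has_admin_language_cookie(cookie: str) -> bool:
    return bool(ADMIN_LANG_COOKIE_RE.search(cookie))

def targets_dns_endpoint(path: str) -> bool:
    return path.split("?", 1)[0] == DNS_ENDPOINT  # compare without the query string

def classify(line: str) -> list:
    """Return the (severity, rule name) pairs a line triggers, critical first."""
    rec = parse_line(line)
    if rec is None:
        return []
    crafted = has_admin_language_cookie(rec["cookie"])
    hits = []
    if crafted and targets_dns_endpoint(rec["path"]):
        hits.append(RULE_DNS_HIJACK)
    if crafted:
        hits.append(RULE_ADMIN_COOKIE)
    return hits

def scan(lines) -> list:  # (source IP, path, highest-severity rule) per alerting line
    return [(parse_line(l)["src"], parse_line(l)["path"], classify(l)[0]) for l in lines if classify(l)]
```

A request to the endpoint without the cookie (the third sample line) does not alert under either rule, so review plain endpoint hits separately if the device is not supposed to be reachable from the internet.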