{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/fh303/a300-firmware/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25318"}],"_cs_exploited":false,"_cs_products":["FH303/A300 firmware"],"_cs_severities":["critical"],"_cs_tags":["cve-2018-25318","tenda","dns-hijacking","network"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eCVE-2018-25318 affects Tenda FH303/A300 routers running firmware version V5.07.68_EN. This vulnerability stems from a session weakness related to insufficient cookie validation. An unauthenticated attacker can exploit this flaw to modify the DNS settings of the router. By sending a crafted GET request to the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint, an attacker can inject a malicious admin cookie. This allows them to overwrite the configured DNS servers, potentially redirecting all network traffic from connected devices through attacker-controlled infrastructure. This can lead to phishing attacks, malware distribution, and other malicious activities. The vulnerability poses a significant risk to home and small office networks using the affected Tenda routers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Tenda FH303/A300 router running firmware V5.07.68_EN.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted GET request includes a forged admin cookie, bypassing authentication checks due to the session weakness.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted GET request to the router\u0026rsquo;s management interface.\u003c/li\u003e\n\u003cli\u003eThe router, due to insufficient cookie validation, accepts the forged cookie and processes the request.\u003c/li\u003e\n\u003cli\u003eThe request modifies the DNS server settings on the router, replacing the legitimate DNS servers with attacker-controlled DNS servers.\u003c/li\u003e\n\u003cli\u003eUsers connected to the router unknowingly use the attacker\u0026rsquo;s DNS servers for name resolution.\u003c/li\u003e\n\u003cli\u003eDNS requests are redirected to malicious IPs controlled by the attacker, potentially leading to phishing sites or malware downloads.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25318 allows an attacker to perform DNS hijacking on affected Tenda routers. This can redirect users to malicious websites designed to steal credentials, distribute malware, or conduct other harmful activities. The vulnerability poses a critical risk to users of the affected routers, as it can compromise their online security and privacy. The CVSS v3.1 base score for this vulnerability is 9.8, highlighting its severity. The number of affected users is dependent on the number of deployed vulnerable devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e with unusual parameters (Sigma rule: \u0026ldquo;Detect Tenda Router DNS Hijacking Attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eIf possible, upgrade the router firmware to a version that patches CVE-2018-25318.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of compromised devices.\u003c/li\u003e\n\u003cli\u003eConsider using a reputable DNS service with built-in security features to mitigate the impact of DNS hijacking attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-tenda-dns-hijacking/","summary":"Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability (CVE-2018-25318) that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation, potentially redirecting user traffic to malicious sites.","title":"Tenda FH303/A300 DNS Hijacking Vulnerability (CVE-2018-25318)","url":"https://feed.craftedsignal.io/briefs/2024-01-tenda-dns-hijacking/"}],"language":"en","title":"CraftedSignal Threat Feed — FH303/A300 Firmware","version":"https://jsonfeed.org/version/1.1"}