Beware Belkin routers: the jaws that bite, the claws that catch

belkin routerCERT/CC is warning users that some Belkin home routers contain a number of vulnerabilities.

The vulnerabilities affect the Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17, and potentially earlier versions of the firmware.  They allow an attacker to spoof DNS responses, intercept credentials sent in cleartext, access the web management interface, and take other actions on vulnerable routers.

The vulnerabilities have not been patched by Belkin and there aren’t any practical workarounds for them.

Among the bugs in the router is a problem caused by the use of insufficiently random values to calculate transaction IDs. The issue could allow an attacker to guess the next TXID and spoof a response from a DNS server.

“DNS queries originating from the Belkin N600, such as those to resolve the names of firmware update and NTP servers, use predictable TXIDs that start at 0x0002 and increase incrementally. An attacker with the ability to spoof DNS responses can cause the router to contact incorrect or malicious hosts under the attacker’s control,” the CERT/CC advisory says.

Belkin also uses plaintext HTTP to sending firmware update information to the N600 routers, a weakness that could enable an attacker in a man-in-the-middle position to block firmware updates or send arbitrary files to the routers. The routers also don’t have a password set for the web management interface by default, so an attacker on the network could get privileged access to the router’s interface.

There is also a global cross-site request forgery bug in the N600.

“Belkin N600 routers contain a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. Note that in default configurations lacking password protection, an attacker can establish an active session as part of an attack and does not require a victim to be logged in,” the advisory says.