Tenda 固件(多个版本)包含隐藏的身份验证后门
Tenda firmware (multiple versions) contains hidden authentication backdoor

原始链接: https://kb.cert.org/vuls/id/213560

多个腾达(Tenda)路由器型号存在一个严重的、未记录的身份验证后门(CVE-2026-11405),攻击者可借此绕过密码验证并获得完全的管理控制权。 该漏洞存在于 `/bin/httpd` 网络服务器二进制文件中,其 `login()` 函数包含一个硬编码的后备机制。如果标准的 MD5 身份验证失败,系统会将用户输入的值与通过 `GetValue("sys.rzadmin.password")` 获取的存储密码进行比对。由于此过程不验证用户名,攻击者无需凭据即可获取管理员权限。 **受影响版本:** * US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD * US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE * US_AC10V1.0re_V15.03.06.46_multi_TDE01 * US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 * US_AC6V2.0RTL_V15.03.06.51_multi_T **影响:** 攻击者可以完全重新配置设备、更改网络设置并破坏局域网安全。 **解决方案:** 由于厂商尚未提供补丁,用户应通过以下方式降低风险: 1. **禁用远程管理**,以防止通过互联网进行外部访问。 2. **限制局域网暴露**,通过更改默认 IP 地址来降低被自动扫描发现的风险。

```Hacker News 最新 | 过往 | 评论 | 提问 | 展示 | 招聘 | 提交 登录 Tenda(腾达)固件(多个版本)包含隐藏的身份验证后门 (cert.org) 18 分 | miniBill 发布于 1 小时前 | 隐藏 | 过往 | 收藏 | 3 条评论 帮助 SubiculumCode 5 分钟前 | 下一条 [–] 随时随地,大摇大摆地从后门进出。回复 RetroTechie 29 分钟前 | 上一条 [–] 又一家出售带后门产品的中国公司。真是一点也不令人惊讶……回复 cwmoore 12 分钟前 | 父评论 [–] 你指的是“祈祷”这个概念吗?回复 指南 | 常见问题 | 列表 | API | 安全 | 法律 | 加入 YC | 联系 搜索:```
相关文章

原文

Overview

Several versions of Tenda firmware contain an undocumented authentication backdoor that grants administrative access to the devices' web management interfaces. An attacker can expoit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process and obtain full administrative control without valid credentials.

Affected Versions:
* US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
* US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
* US_AC10V1.0re_V15.03.06.46_multi_TDE01
* US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
* US_AC6V2.0RTL_V15.03.06.51_multi_T

Description

Tenda is a supplier of home and business network devices such as routers, switches, wireless access points, and video surveillance equipment. Most of these devices include web-based interfaces that allow users to perform configuration and management operations, which are protected by username/password authentication to prevent unauthorized modifications.

The web server binary /bin/httpd contains an undocumented backdoor authentication mechanism in the login() function. Initially, the function follows a normal authentication path using MD5-based password verification. However, if authentication fails, the function invokes GetValue("sys.rzadmin.password") to retrieve an alternate password value from the device configuration. It then performs a direct strcmp() comparison in plaintext between the user-supplied password and the configuration-stored value. A successful match grants role=2 admin-level access and creates a valid session.

The associated username is not validated, so any provided username will succeed when paired with the backdoor password. This backdoor authentication mechanism is not documented or visible through any administrative interface.

Impact

Successful exploitation grants full administrative access to the device's web interface, regardless of the configured administrator account credentials. With administrative control, an attacker can reconfigure the device, alter network settings, and disable security features, enabling broader compromise of the local network.

Solution

Unfortunately, we were unable to reach the vendor to coordinate this vulnerability. Since a patch is unavailable, we can only offer mitigation strategies. The following workarounds can help mitigate this vulnerability's impact until a fixed version is released:

Disable remote management on your device
If your device supports remote web management, disable it. Disabling this feature prevents attackers on external networks from accessing your device’s administrative dashboard over the internet.

Restrict local network exposure
Changing the default LAN IP address may reduce opportunistic discovery by automated scanners that target known default IP ranges. Note that this measure does not prevent deliberate or targeted network scanning.

Acknowledgements

Thanks to the reporter who wishes to remain anonymous. This document was written by Bob Kemerer.

联系我们 contact @ memedata.com