Vulnerability Spotlight: Tenda AC9 /goform/WanParameterSetting command injection vulnerability

Amit Raut of Cisco Talos discovered this vulnerability.

Cisco Talos recently discovered a command injection vulnerability in the Tenda AC9 router. The Tenda AC9 is one of the most popular and affordable dual-band gigabit WiFi Router available online,

especially on Amazon. A command injection vulnerability exists in the `/goform/WanParameterSetting` resource. A locally authenticated attacker can execute arbitrary commands to post parameters to execute commands on the router. The attacker can get reverse shell running as root using this command injection.

Cisco Talos is disclosing this vulnerability after Tenda failed to patch it per Cisco’s 90-day deadline. Read more about the Cisco vulnerability disclosure policy here.

Vulnerability details

Tenda AC9 /goform/WanParameterSetting command injection vulnerability (TALOS-2019-0861/CVE-2019-5071, CVE-2019-5072)

An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Router (AC9V1.0 Firmware V15.03.05.16_multi_TRU). A specially crafted HTTP POST request can cause a command injection, resulting in code execution. An attacker can send a specific HTTP POST request with a command to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that AC9V1.0, firmware, versions 15.03.05.16_multi_TRU and 15.03.05.14_EN are affected by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 50782 - 50785