Researchers have discovered a critical authentication bypass vulnerability that exposes many WiMAX routers to remote attacks, and there is no indication that affected vendors will release patches any time soon.
WiMAX (Worldwide Interoperability for Microwave Access) is a wireless communications standard that is similar to LTE. The technology is present in many networking devices, including ones that are directly accessible from the Internet.
Researchers at SEC Consult noticed that several WiMAX gateways are affected by a serious flaw that can be exploited by a remote, unauthenticated attacker to change the device’s administrator password by sending it a specially crafted request. The weakness is tracked as CVE-2017-3216.
Once they change the device’s admin password, attackers can access its web interface and conduct various actions, including change the router’s DNS servers for banking and ad fraud, upload malicious firmware, or launch further attacks on the local network or the Internet.
SEC Consult believes the vulnerability is present in several gateways from GreenPacket, Huawei, MADA, ZTE and ZyXEL. It appears the firmware of all affected devices has been developed with a software development kit (SDK) from MediaTek, a Taiwan-based company that provides system-on-a-chip (SoC) solutions for wireless communications.
Experts believe ZyXEL and its sister company MitraStar used the MediaTek SDK to develop firmware for routers that it has sold to ISPs and companies such as GreenPacket, Huawei and ZTE. However, MediaTek claims the vulnerability found by SEC Consult does not affect its SDK, which suggests that the flaw may have been introduced with code added by ZyXEL.
ZyXEL has been notified by CERT/CC, which has also published an advisory, but the company has not provided any information.
Huawei has confirmed that some of its products are affected by the vulnerability, but they will not receive any patches as they reached end-of-service in 2014. The company has published a security notice advising customers to replace their old routers.
An analysis by SEC Consult showed that there are between 50,000 and 100,000 vulnerable devices accessible directly from the Internet. The company has published an advisory that contains the exact device models impacted by the security hole.
Since patches are unlikely to become available any time soon, users have been advised to either replace the devices or take measures to prevent remote access, such as restricting access to only trusted clients and disabling remote device management features.
UPDATE. ZyXEL has confirmed that a vulnerability exists in the web interface of some WiMAX Client Premise Equipment (CPE). The vendor is working on addressing the flaw and in the meantime it has advised customers to apply workarounds described in its advisory.