
Askey AP5100W Logic Error allowing Web Admin authentication bypass

CVE ID

CVE-2020-25546

Tested Versions

  • Askey AP5100W version Dual_SIG_1.01.071

Product URL(s)

  • https://www.askey.com.tw/

Askey AP5100W was a WiFi mesh node provided to Singtel customers as part of their Fibre Broadband contract package. It is used to provide greater WiFi coverage in homes or offices.

The WiFi mesh node comes with a configurable web interface that allows users to modify settings on their mesh nodes and run diagnostics.

Vulnerability

The default login credential of the web interface for the Askey AP5100W is as follows:

  • Login Name: admin
  • Password: admin

Although the web interface is “secured” behind a login interface, the implementation of the authentication is severely flawed: as soon as one person authenticates, anyone with access to the router web interface is logged in as well. An attacker on the network is therefore able to access the web interface as soon as a web administrator logs in to it.

Based on our observations, a successful login appears to set a global variable in the mesh node to true, after which all subsequent commands are assumed to be authenticated regardless of the sender. No session key or cookie is involved in the authentication process.
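
The pattern inferred above, as an added example (not the vendor's firmware code, which this advisory does not show): a device-wide login flag next to a per-login session token that every request must present. Class names, host addresses and the password are constructed for illustration.

```python
import hmac
import secrets

USERS = {"admin": "constructed-demo-password"}  # constructed, not device data


def check_password(user, password):
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


class GlobalFlagAuth:
    """Flawed pattern: one device-wide 'logged in' flag shared by all clients."""
    def __init__(self):
        self.logged_in = False

    def login(self, client, user, password):
        ok = check_password(user, password)
        if ok:
            self.logged_in = True  # nothing ties this state to the sender
        return ok

    def is_authorized(self, client, token=None):
        return self.logged_in  # sender and token are never examined


class SessionAuth:
    """Hardened pattern: random token issued per login, required per request."""
    def __init__(self):
        self.sessions = {}  # token -> user who logged in

    def login(self, client, user, password):
        if not check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def is_authorized(self, client, token=None):
        return isinstance(token, str) and token in self.sessions


def admin_then_other_host(auth):
    """Admin logs in from one host; a second host then sends a bare request."""
    token = auth.login("192.0.2.10", "admin", USERS["admin"])
    admin_ok = auth.is_authorized("192.0.2.10", token)
    other_ok = auth.is_authorized("192.0.2.66")  # no login, no token
    return admin_ok, other_ok
```

With the global flag the second host is treated as authenticated; with per-login tokens it is rejected because it cannot present a token the server issued.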

Vendor Response

The vendor did not reply to us despite all the efforts we made.

Timeline

  • 2020-05-22 Reported to Askey, no reply from Askey
  • 2020-05-28 Reported to Askey again, no reply from Askey
  • 2020-06-03 Reported to CSA, CSA replied on same day saying that they will inform Askey and SingTel
  • 2020-06-09 Email to CSA again, CSA replied that SingTel and Askey didn't get back to them.
  • 2020-06-09 Reported to Mitre, but no reply
  • 2020-07-14 Reported to Mitre again, but no reply again.
  • 2020-09-15 Mitre finally replied with CVE

Credit

Discovered by Li Bailin