CSP-CERT® Vulnerability Report:
Lenovo Portable Router R2105 Vulnerability

by CSP CERT® Red Team
posted August 2018



CSP-CERT® Red Team Operation discovered multiple vulnerabilities in the Lenovo Portable Router R2105 with firmware version 1.0. The device does not sanitize input data in multiple fields, leaving them vulnerable to cross-site scripting (XSS) and cross-site request forgery (CSRF). It also has a dedicated webpage that could let the user run arbitrary commands, which could lead to remote code execution via CSRF. (NOTE: This router has been discontinued since 2014 and is only available through limited third-party retailers.)

VULNERABILITY INFORMATION

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Routers running this firmware version have fields that are vulnerable to cross-site scripting attacks. These fields are not sanitized when the settings are modified, so the router renders arbitrary web scripts. However, the fields are only accessible to a logged-in user, which makes the vulnerability low risk because an attacker needs the credentials to take advantage of the issue.

CWE-352: Cross-Site Request Forgery (CSRF)

Routers running this firmware version have no protection against cross-site request forgery attacks. If a user is logged in as an administrator while visiting a crafted webpage containing a request to change the current state of the router, the router will process the request accordingly. A malicious request can only succeed if a user has an active session, which also reduces the risk for this vulnerability.

Impact

Since the router also has a webpage that could process arbitrary code to execute, remote code execution is possible via cross-site request forgery. To understand this better, the steps are as follows:

  1. A user logs in to the administrative web panel for the router.
  2. While logged in, the same user visits a malicious website containing a request to reset the router to its default state.
  3. Since there is no CSRF protection, the router accepts the foreign "reset" request, making it revert to its default state.

The second and third steps are where the cross-site request forgery happens. Once the user visits a malicious website, the request can be forwarded to the router, making code execution possible.
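
As an added illustration (not Lenovo's firmware code and not part of the original advisory), the Python sketch below shows the two server-side checks whose absence the advisory describes: rejecting state-changing requests that lack a same-origin header and a session-bound CSRF token, and HTML-encoding stored settings before rendering them. The function names, the host `router.example` and the form field `csrf_token` are assumptions made for the example.

```python
import hashlib
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Per-boot server secret used to derive CSRF tokens (constructed for the example).
SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the admin session; embed it in every settings form."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_same_origin(headers: dict, host: str) -> bool:
    """Accept only requests whose Origin (or Referer) names the panel's own host."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    return urlsplit(source).netloc == host


def authorize_state_change(method, headers, session_id, form, host) -> bool:
    """Gate for any handler that changes router state (reset, settings, commands)."""
    if method != "POST":
        return False  # state changes must never be reachable via GET
    if not is_same_origin(headers, host):
        return False  # request was triggered from a foreign site
    expected = issue_csrf_token(session_id).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    return hmac.compare_digest(expected, supplied)  # constant-time comparison


def render_setting(label: str, value: str) -> str:
    """HTML-encode stored field values so saved input is shown as text, not run."""
    return f"<td>{html.escape(label)}</td><td>{html.escape(value, quote=True)}</td>"
```
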

Mitigation / Minimizing the Risk

Lenovo has confirmed the vulnerabilities; however, no technical fixes should be expected, since this product has been withdrawn since 2014. The product is nonetheless still distributed by third-party e-commerce websites, which suggests that it is still used by the public as of the time of this advisory. To minimize the risk of the vulnerabilities reported, please ensure the following:

  • Do not use the default credentials when using the router. Change the password upon usage.
  • Every time the configuration is set, log out of the administrator web panel before visiting other websites. This ensures cross-site request forgery cannot happen.

Vendor Information

  • Vendor: Lenovo
  • Date Notified: July 18, 2018
  • Public Disclosure: July 25, 2018

Credits

These vulnerabilities were discovered by: CSP-CERT® Vulnerability Research Team